2 Replies Latest reply on Nov 6, 2006 9:24 AM by stpaz

    how to remove a bad session?

    FG
      Hi,

      I have an application that used to use URL vars to carry the session. Some links got out into the wild with the cfid and cftoken in them so now some people end up with the same session. I then converted the app to use cookies instead to eliminate the chances of it recurring, but of course these links still exist and so people can still get that session.

      Now, how can I kill off a session if it has a cfid/cftoken pair that I don't like? I can do a structdelete(session) but I also need to delete the session cookies or the session appears to continue. However, every time I delete the cookies they are still there on the next request!

      i.e., in Application.cfm I have
      <!--- kill known bad cookies --->
      <cfset killCookies = 0>
      <cfif (cookie.cfid is "9876") and (cookie.cftoken is "12345678")>
      <cfset killCookies = 1>
      </cfif>

      then in OnRequestEnd.cfm

      <cfif killCookies>
      <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
      <cfcookie name="CFID" value="0" expires="NOW">
      <cfcookie name="CFTOKEN" value="0" expires="NOW">
      <cflocation url="/" addtoken="No">
      </cfif>
      </cfif>

      This results in an infinite redirect :( Why don't the cookies get deleted? What's the best way to delete a known bad session and how can you force the user into a new session?

      Chandy
        • 1. Re: how to remove a bad session?
          stpaz
          cflocation is a server side relocation, cookies are client side.

          Use a JavaScript relocation to move them, and your cookies will get wiped.
          <cfif killCookies>
          <cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
          <cfcookie name="CFID" value="0" expires="NOW">
          <cfcookie name="CFTOKEN" value="0" expires="NOW">
          <script>
          location.replace('/');
          </script>
          </cfif>
          </cfif>
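
An added example, not part of the thread and not ColdFusion code: a small Python model of the exchange discussed above, in which the server expires CFID/CFTOKEN for a denylisted pair and redirects. It shows one way an expiring Set-Cookie can leave the cookie in place (its Domain scope differs from the stored cookie's), which keeps the redirect going; the domain `.example.test`, the function names and the simplified browser are assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample: the leaked pair quoted in the question.
BAD_PAIRS = {("9876", "12345678")}

def server(cookies, expire_domain):
    """Return (status, Set-Cookie headers) for one request."""
    if (cookies.get("CFID"), cookies.get("CFTOKEN")) not in BAD_PAIRS:
        return 200, []              # clean request: a new session can start here
    out = SimpleCookie()
    for name in ("CFID", "CFTOKEN"):
        out[name] = "0"
        out[name]["domain"] = expire_domain   # "" means host-only (no Domain attribute)
        out[name]["max-age"] = 0              # ask the browser to drop the cookie
    return 302, [m.OutputString() for m in out.values()]

def browser_apply(jar, headers):
    """Simplified browser: cookies are keyed by (name, Domain attribute)."""
    for header in headers:
        for name, morsel in SimpleCookie(header).items():
            key = (name, morsel["domain"])
            if morsel["max-age"] == "0":
                jar.pop(key, None)  # removes only the cookie stored under this key
            else:
                jar[key] = morsel.value

def visit(stored_domain, expire_domain, max_redirects=5):
    """Follow redirects; return (final status, redirects followed)."""
    jar = {("CFID", stored_domain): "9876",
           ("CFTOKEN", stored_domain): "12345678"}
    for hops in range(max_redirects + 1):
        # Both scopes match the host in this model, so every cookie is sent.
        sent = {name: value for (name, _), value in jar.items()}
        status, headers = server(sent, expire_domain)
        browser_apply(jar, headers)
        if status != 302:
            return status, hops
    return 302, max_redirects       # still redirecting: cookies were never removed

if __name__ == "__main__":
    print(visit(".example.test", ".example.test"))  # scopes match
    print(visit(".example.test", ""))               # scopes differ
```

When checking a real deployment, compare the Set-Cookie headers that created the session cookies with the ones sent to expire them in the browser's network inspector.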