3 Replies Latest reply on Oct 11, 2010 6:19 AM by MisterDai

    Managing sessions in a "secure" application

    rtcpenguin Level 1

      Right now I'm working on securing part of a ColdFusion 9 site with some more robust security. I use the basic cflogin / cflogout system for handling logins that is described in most Adobe tutorials online.
      What I'd like to do is the following:

      • Be able to see what user has an active session (who is logged in)
      • Log out a user remotely (say you want to ban someone's account and have that happen immediately)
      • Block accounts from having multiple sessions at once (i.e. no account sharing)


      Are there any guides for this stuff? I read an article from a couple years ago that showed how to see who is logged in, but I think it's probably out of date.

        • 1. Re: Managing sessions in a "secure" application
          Joshua Cyr Level 3

          You could start with something basic from Ray's blog post here.

          This will let you track current sessions in a db, and with a bit of work detect that they are already logged in and prevent them from doing it again (store their username, or whatever unique value you have for them, then check if it is already in the db). You might also on sessionEnd() delete the record instead of storing the logout time, if you only want to track live sessions.


          You can then add code to check if they should be remotely logged out. You can do this by adding a column in the table, but that would require you to query that table on every request (for a column called logemout or whatever). You could also have code that stores sessionIDs in an application scope. A list maybe. Then on request check if the sessionid is in the application scope list, and if so remove their session structs and remove them from the table. Lots of different ways to do it, but that should get you started.

          • 2. Re: Managing sessions in a "secure" application
            12Robots Level 4

            How you handle this will depend a bit on whether you are using CF session management or JEE session management.

            First, you're going to want to look at CFTracker. It has much of what you want to do implemented already.

            If you want to be able to block users from having multiple sessions, you're going to need to create a way to link a user's sessionID to whatever information they use to authenticate. Perhaps a database table that stores their username and session token, or a structure in memory. But then, when they log in, you'll need to check their username against that datastore and find the currently active session. If you find one, use CFTracker or some other means to end that session manually.


            Note, there will be nothing you can do to prevent a user from having two or more simultaneous anonymous sessions, because you will not be able to tell one connection from the other. Unless you use the IP address, but that could really bite you if some of your users come from behind the same NAT router.


            Good luck

            • 3. Re: Managing sessions in a "secure" application

              Here is the approach I'd think about taking...


              • See which users have an active session?
                • I'd use the login process and the application.cfc onSessionEnd to keep track of this.
                • Login routine would store the session ID against the user account record.
                • onSessionEnd would remove the session ID from the user account record.
              • Log out a user remotely.
              • Block accounts from having multiple sessions at once.
                • If someone tries to log in and they have a session ID on their record, they're already logged on.
                • You could then either kick off the old ID and let the new one on, or stop the new login attempt.

              BTW, I'm also the creator of CfTracker. It does provide an insight into the sessions on your server, but it's built more for monitoring than for use within another application.
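The three replies above describe one mechanism from different angles: record the session ID against the account at login, release it in onSessionEnd, keep a list of session IDs to be killed and check it on every request, and refuse (or replace) a second login for an account that already has a live session. The Application.cfc below is an added example that ties those pieces together; it is not code from the thread, from Adobe's tutorials or from CFTracker. It is written in ColdFusion 9 tag syntax and assumes an application name of `secureSessionDemo`, an in-memory registry in the application scope (the replies' database table is the durable alternative when you run more than one instance or must survive restarts), and `loginStorage` set to `session` so that clearing the session also drops the cflogin state. It only tracks authenticated sessions; as 12Robots notes, anonymous sessions cannot be tied to an account this way.

```cfml
<!--- Application.cfc (added example, not from the thread or CFTracker).
      Tracks one live session per account, lets an admin kick a session,
      and refuses a second concurrent login for the same account. --->
<cfcomponent output="false">
    <cfset this.name = "secureSessionDemo">              <!--- assumed application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>
    <cfset this.loginStorage = "session">                <!--- cflogin state lives in the session scope --->

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- username -> session id of that account's single live session --->
        <cfset application.activeSessions = structNew()>
        <!--- session ids an administrator has marked for forced logout --->
        <cfset application.killList = structNew()>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var sid = session.sessionid>
        <!--- Remote logout: a marked session is torn down on its next request,
              so the kick takes effect without touching every other request. --->
        <cfif structKeyExists(application.killList, sid)>
            <cflogout>
            <cfset structClear(session)>
            <cflock scope="application" type="exclusive" timeout="5">
                <cfset structDelete(application.killList, sid)>
            </cflock>
        </cfif>
        <cfreturn true>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="applicationScope" type="struct" required="true">
        <!--- Session timed out: release the account so it can log in again.
              The session scope is not available here, only the argument. --->
        <cflock scope="application" type="exclusive" timeout="5">
            <cfif structKeyExists(arguments.sessionScope, "username")
                  AND structKeyExists(arguments.applicationScope.activeSessions, arguments.sessionScope.username)
                  AND arguments.applicationScope.activeSessions[arguments.sessionScope.username] EQ arguments.sessionScope.sessionid>
                <cfset structDelete(arguments.applicationScope.activeSessions, arguments.sessionScope.username)>
            </cfif>
            <!--- A kicked session that never came back still needs its kill entry swept. --->
            <cfset structDelete(arguments.applicationScope.killList, arguments.sessionScope.sessionid)>
        </cflock>
    </cffunction>

    <!--- Call once cflogin has verified the credentials. Returns false when the
          account already has a live session elsewhere (policy here: refuse the
          second login; the alternative is to put the old id on the kill list). --->
    <cffunction name="registerLogin" access="public" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var ok = true>
        <cflock scope="application" type="exclusive" timeout="5">
            <cfif structKeyExists(application.activeSessions, arguments.username)
                  AND application.activeSessions[arguments.username] NEQ session.sessionid>
                <cfset ok = false>
            <cfelse>
                <cfset application.activeSessions[arguments.username] = session.sessionid>
                <cfset session.username = arguments.username>
            </cfif>
        </cflock>
        <cfreturn ok>
    </cffunction>

    <!--- Administrator action: end the account's live session on its next request. --->
    <cffunction name="logoutUser" access="public" returntype="boolean" output="false">
        <cfargument name="username" type="string" required="true">
        <cfset var found = false>
        <cflock scope="application" type="exclusive" timeout="5">
            <cfif structKeyExists(application.activeSessions, arguments.username)>
                <cfset application.killList[application.activeSessions[arguments.username]] = now()>
                <cfset structDelete(application.activeSessions, arguments.username)>
                <cfset found = true>
            </cfif>
        </cflock>
        <cfreturn found>
    </cffunction>

    <!--- Administrator view: which accounts are logged in right now. --->
    <cffunction name="loggedInUsers" access="public" returntype="array" output="false">
        <cfreturn structKeyArray(application.activeSessions)>
    </cffunction>
</cfcomponent>
```

`registerLogin` is called from the login handler after cflogin has accepted the credentials, and `logoutUser` and `loggedInUsers` from an administrative page; in a real application those three would more naturally sit in a separate service CFC than in Application.cfc itself. Every write to the two application-scope structs is wrapped in an exclusive lock, because the login and kick paths can run concurrently and a race there is exactly what would let two sessions slip through for one account.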