
Another logout problem

Status
Not open for further replies.

NateUNI

MIS
Jan 3, 2002
132
US
I have looked through past topics on this scenario, but have not been able to solve the problem. My problem is that when a person logs out they are still able to click the back button and continue to use the site. I am using session variables, not cookies. These are my files:

Application.cfm
<cfapplication name="PurchaseOrder"
SessionManagement="yes"
SessionTimeOut="#CreateTimespan(0,0,30,0)#"
SetClientCookies="no">

<!---Path variables (you may need to change these)--->
<cfset UserDSN="po">

<CFIF NOT IsDefined("Session.LoggedIn") OR NOT IsDefined("Session.Group_Level")>
<CFSET Session.LoggedIn=False>
<CFSET Session.Group_Level="">
</CFIF>

<CFIF Session.LoggedIn EQ False>
<CFIF NOT (CGI.PATH_INFO EQ "/purchaseorder/login.cfm")>
<CFLOCATION url="login.cfm">
</CFIF>
</CFIF>

<CFIF NOT (CGI.PATH_INFO EQ "/purchaseorder/login.cfm")>
<cfinclude template="LogOutTemp.cfm">
</CFIF>


LogOutTemp.cfm
<a href="LogOut.cfm">Logout</a>

LogOut.cfm
<cfset Structclear(session)>
<CFLOCATION url="login.cfm" addtoken="no">
<meta http-equiv="REFRESH" content="1; url=login.cfm">

Thanks!!!!
 
I had the same problem, and this worked for me, people can't backtrack through member pages if this is in the header for the page.

Code:
<cfheader NAME="Expires" VALUE="Mon, 06 Jan 1990 00:00:01 GMT">
<cfheader NAME="Pragma" VALUE="no-cache">
<cfheader NAME="cache-control" VALUE="no-cache">

Tony
 
Unfortunately that did not do the trick, any other suggestions?? Thanks!
 
Try changing the corresponding part of the above to:

Code:
  <CFIF NOT IsDefined("Session.LoggedIn") OR NOT IsDefined("Session.Group_Level")>
    <CFSET Session.LoggedIn=0>
    <CFSET Session.Group_Level="">
  </CFIF>

  <CFIF Session.LoggedIn EQ 0>
    <CFIF CGI.path_info IS NOT "/purchaseorder/login.cfm">
      <CFLOCATION url="login.cfm">
    </CFIF>
  </CFIF>

<CFOUTPUT>#cgi.path_info#</CFOUTPUT> for debugging
 
Wait Duh, I bet both are CFPARAMMED right? Session.loggedin and Session.Group_Level?
 
no they are not CFPARAMMED anywhere, this is my login page if it helps, Thanks

<script language="JavaScript">
function setfocus(){
document.form1.UserName.focus();
}
</script>

<!---Set up the variables--->
<cfparam name="UserName" default="">
<cfparam name="Password" default="">
<cfparam name="ErrorMessage" default="">
<cfparam name="ShowForm" default="yes">

<!---Process This Form--->
<cfif isdefined("Form.login")>

<!---Server side error check the form fields (Turn off for CF4.0)--->
<cfloop list="#Form.FieldNames#" index="ThisField">
<cfif Form[ThisField] is "">
<cfset ErrorMessage=ListAppend(ErrorMessage,ThisField & " is a required field")>
</cfif>
</cfloop>

<!---Check for error messages--->
<cfif Not Len(ErrorMessage)>


<!---check user/form data--->
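<!---Bind the form values as query parameters so they cannot change the SQL--->
<cfquery datasource='#UserDSN#' name='Login'>
SELECT FirstName,LastName, UserName, Group_Level
FROM PO_User
WHERE UserName=<cfqueryparam value='#Form.UserName#' cfsqltype='CF_SQL_VARCHAR'>
AND Password=<cfqueryparam value='#Form.Password#' cfsqltype='CF_SQL_VARCHAR'>
</cfquery>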


<!---Authenticate user--->
<cfif Login.RecordCount EQ 1>
<cfoutput>
<cfset Session.Group_Level="#Login.Group_Level#">
<cfset Session.LoggedIn="True">
<cfset Session.FirstName="#Login.FirstName#">
<cfset Session.LastName="#Login.LastName#">
<cfset Session.UserName="#Login.UserName#">
<cfset Session.AutoToken="?CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#">
<cfset Session.XXAutoToken="&CFID=#Session.CFID#&CFTOKEN=#Session.CFTOKEN#">
</cfoutput>

<!---Don't bother showing Form again--->
<cfset ShowForm="No">

<!---Assuming Login.RecordCount is NOT 1--->
<cfelse>
<cfset ErrorMessage=ListAppend(ErrorMessage,"Sorry, that UserName/Password was invalid")>
</cfif>

</cfif><!---End Error Check--->
</cfif><!---End Form Processing--->

<!---Display Login Form--->
<cfif ShowForm is "Yes">
<link href="css.css" rel="stylesheet" type="text/css">
<html>
<body ONLOAD="setfocus()">


<!---Display Error Message(s)--->
<cfif IsDefined("ErrorMessage")>
<cfloop from=1 to=#ListLen(ErrorMessage)# index=index>
<cfoutput>#ListGetAT(ErrorMessage,index)#<br></cfoutput>
</cfloop>
</cfif>

<cfoutput>
<!---You must get "fresh" CFID values for this form--->
<form action="#getfilefrompath(getcurrenttemplatepath())#" method="post" name="form1">
<table>
<tr>
<td>UserName
</td>
<td><input type="text" name="UserName" value="#UserName#" size=50>
</td>
</tr>
<tr>
<td>Password
</td>
<td><input type="password" name="Password" value="#Password#" size=50>
</td>
</tr>
<tr>
<td colspan=2 align=center><input type="submit" name="login" value="login">
</td>
</tr>
</table>
</form>
</cfoutput>


</body>
</html>

<!---Success (ShowForm="NO")--->
<cfelse>

<cfoutput>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=Menu.cfm#Session.AutoToken#">
</cfoutput>

</cfif>
<!---End ShowForm--->


 
OK, before:

Code:
  <CFIF NOT IsDefined("Session.LoggedIn") OR NOT IsDefined("Session.Group_Level")>
    <CFSET Session.LoggedIn=False>
    <CFSET Session.Group_Level="">
  </CFIF>

run this:

Code:
<CFOUTPUT>#IsDefined("Session.LoggedIn")# #IsDefined("Session.Group_Level")#</CFOUTPUT>
. See if you get what you expect, which should be False False.
 
Ok, when you log a user out, use structclear(session); as you do but also set Session.LoggedIn to like... 0.. And then in application.cfm when checking to see if someone is logged in, check to see if it is 0. If it is so, cflocate them to the login page..

Also you ought to look into CFLOCKING Session Variables and since you haven't yet done that, might as well get the next recommended step done and save a lot, not all of your CFLOCKING. Read my FAQ on it: faq232-1926.

Also, once we get it working, and we will, you'll still want to keep the cfheader tags, using these, once a user is logged out, they cannot backtrack.. thus maintaining account security on shared computers.

Tony
 
If CFTOKEN and CFIF are in the URL of the page that they're going back to, you might have a problem, too... those parameters on the query string are basically telling ColdFusion the user is "logged in" (or, more appropriately, that it should track the user under the session it's set up for them).

Hope it helps,
-Carl
 
When I put this in my application.cfm
<CFOUTPUT>#IsDefined("Session.LoggedIn")# #IsDefined("Session.Group_Level")#</CFOUTPUT>
I get Yes Yes.
I also tried your other suggestions to set Session.LoggedIN to 0 and that did not work.

In response to csteinhilber, is there any way not to use CFTOKEN and CFIF if you would want to maintain sessions??

Thanks for all the help!!
 
In response to csteinhilber, is there any way not to use CFTOKEN and CFIF if you would want to maintain sessions??

Yes, you can use a cookie that contains the Token and ID,
that way you never have to pass them through forms or urls.
 
imstillatwork is right [wink]

Set "SetClientCookies" to "Yes" in your CFAPPLICATION tag, instead of "No", and the CFTOKEN and CFID are automatically passed to the browser.

I know that you said you're not using cookies, but client cookies are not traditional cookies (for proof, set your browser to prompt you any time it is asked to accept a cookie - in IE5 it's part of the security levels, in IE6 it's in privacy, in Netscape4 it's in "Advanced", in Netscape6 it's in "Privacy & Security -> Cookies" - then hit a page/app that's set to use client cookies and you'll see the browser doesn't think they're cookies at all). There's virtually no way for the user to disable them... which is the main objection most developers have with cookies.

At any rate, the more I played with it, the more I realized that that probably won't fix your problem anyway [sad]

I think it has more to do with the fact that you're using CFLOCATIONs... which don't actually make true requests, and monkey with the browser history and session variables anyway.

Could you maybe use CFINCLUDEs, instead of CFLOCATIONs? I'm thinking something like (simplified and probably pseudo code):

index.cfm
Code:
<HTML>
<HEAD>
    <TITLE>My security system</TITLE>
    <META HTTP-EQUIV="content-type" CONTENT="text/html;charset=iso-8859-1">
    <META HTTP-EQUIV="Expires" CONTENT="0">
    <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
    <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">

</HEAD>
<BODY>
<CFIF IsDefined("URL.page")>
   <!--- a "page" was passed in the query string --->
   <CFIF isLoggedIn>
      <CFSET okayToViewPage = true>
      <!--- URL.page is user-supplied: check it against a list of known templates before including it --->
      <CFINCLUDE template="#URL.page#">
                :
   <CFELSE>
      <!--- show form --->
                :
   </CFIF>
</CFIF>
</BODY>
</HTML>

included_page.cfm
Code:
<!--- no HTML, HEAD or BODY tags... just the content --->
<CFPARAM name="okayToViewPage" default="false">
<CFIF okayToViewPage>
     <!--- show page here  --->

<CFELSE>
     <H1>Please login first</H1>

</CFIF>

So the only way you could view a page is through a "gatekeeper" (index.cfm). And, hopefully, using CFINCLUDE will allow the page to expire, and the session variables to maintain their correct values.

Also, as a side benefit... since you'd be including the pages, you might not need session variables at all, because any page that is included from index.cfm would automatically inherit index.cfm's variables.

ie-
index.cfm
Code:
<CFSET myVar1 = "grep">
<CFSET myVar2 = "fubar">
<CFINCLUDE template="myinclude.cfm">

myinclude.cfm
Code:
<!--- included page can utilize the parent's variables --->
<CFOUTPUT>#myVar1#<BR />#myVar2#<BR /></CFOUTPUT>


Hope it helps,
-Carl
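
A hardened form of the gatekeeper index.cfm described in this thread, as an added example that is not code from any of the posters. It assumes the session keys set by the Application.cfm and login page posted earlier; the page names in allowedPages are hypothetical.

```cfml
<!--- index.cfm (added example; page names below are hypothetical) --->

<!--- Ask browsers and proxies not to keep a copy of member pages, so
      the Back button has to go to the server again after logout. --->
<cfheader name="Cache-Control" value="no-store, no-cache, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="0">

<!--- Only templates named on this list may be included. Anything else
      in URL.page (a path, "../", another file) is refused. --->
<cfset allowedPages = "menu.cfm,orders.cfm,reports.cfm">
<cfparam name="URL.page" default="menu.cfm">

<!--- Read the login flag under a read-only session lock. A missing,
      empty or false flag all count as logged out, which covers the
      state left behind by StructClear(Session) on logout. --->
<cfset isLoggedIn = false>
<cflock scope="session" type="readonly" timeout="10">
    <cfif StructKeyExists(Session, "LoggedIn")
          AND IsBoolean(Session.LoggedIn)
          AND Session.LoggedIn>
        <cfset isLoggedIn = true>
    </cfif>
</cflock>

<cfif NOT isLoggedIn>
    <!--- Checked on every request, so a page reached with the Back
          button shows this instead of member content. --->
    <h1>Please log in first</h1>
    <p><a href="login.cfm">Go to the login page</a></p>
<cfelseif ListFindNoCase(allowedPages, URL.page) EQ 0>
    <!--- Exact list match only; no partial or path matching. --->
    <cfheader statuscode="404" statustext="Not Found">
    <h1>Page not found</h1>
<cfelse>
    <!--- The flag the included template checks, as in the post above. --->
    <cfset okayToViewPage = true>
    <cfinclude template="#URL.page#">
</cfif>
```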
 