LogOut not actually ending the session... 1

[profwannabe]

I have a login-driven site that I need to enable a logout for. I cannot use cookies. SessionManagement and ClientManagement are enabled in <cfapplication>.

In my act_logout.cfm I have the following code:
<cfset SESSION.ACTIVE = false>
<cfset CLEAR = #StructClear(session)#>

The user then returns to index.cfm?fuseaction=dspLogin.

However, if one hits the back button on the browser after logging out, one can still navigate through the site as though the logout had not occurred.

 

[GunJack]

This may be stating the obvious but each page will need to check to see if session.active is false. What does your code look like that checks for this?

If you set session.active to &quot;false&quot; and then reload a page which checks this variable with &quot;<cfif session.active is &quot;false&quot;><cflocation url=&quot;Login.cfm&quot;></cfif>&quot;, then I wouldn't see any way for it to fail. This is assuming everything else is correct such as the cfapplication tag, default value for session.active, etc... Can you post your cfapplication tag, any session variable code that sets a default value, and the code on another page which checks to see if they are logged in? I think the problem will lie in one of these three areas.

GJ

 

[profwannabe]

GJ,

Surely you have something better to do than help me out!

Here is my cfapplication
<CFAPPLICATION NAME=&quot;Quist&quot; SETCLIENTCOOKIES=&quot;No&quot;
CLIENTMANAGEMENT=&quot;Yes&quot;
SESSIONMANAGEMENT=&quot;Yes&quot;
SESSIONTIMEOUT=&quot;#CreateTimeSpan(0,0,10,0)#&quot;>

Each page also includes the template app_secure.cfm:

<cfif NOT IsDefined(&quot;SESSION.ACTIVE&quot>
<cflocation addtoken=&quot;No&quot; url=&quot;index.cfm&quot;>
<cfelseif NOT SESSION.ACTIVE>
<cflocation addtoken=&quot;No&quot; url=&quot;index.cfm&quot;>
</cfif>

That is the extent of the security...

 

[GunJack]

Hehe, yea I'm actually about to go online and play Red Alert 2

I think I see the problem. When you're not using cookies, there is no way for the webserver to maintain sessions/client variables unless you pass the cfid &amp; cftokens via url variables. In your <cflocation> tags, you have &quot;addtoken=no&quot; which keeps these from being sent automatically. I suspect that whatever link you have to a logout page does not pass these and they start a new session on the logout page and that new session is cleared. If you have these url variables embedded on a previous page, clicking the back button would then use the old session that wasn't cleared.

Clear as mud? I'm just speculating so let me know if this isn't the case.

GJ

 

[profwannabe]

I was not appending my #application.addtoken# to the logout url! However, having made that change, I now get a recursive loop when I hit the back button and then try to navigate away from that page!

Any ideas?

 

[GunJack]

Do you mean they go to the logout page, then click back and get re-directed to the logout page?

GJ

 

[profwannabe]

Not quite. The url for the logout is in the footer of each page. I was not appending #application.addtoken#, but made the change as you suggested. I am using the Fusebox architecture, so the default template for index.cfm is dspLogin. With no session active, the user is merely looking at the index.cfm in its default state, which is what I need.

However, if I logout, then back my browser and attempt to click on a link on that page, I get a recursive call, tying up my dev server.

Does that make sense?

 

[GunJack]

I think I see what might be causing it. In the code you posted below,

<cfif NOT IsDefined(&quot;SESSION.ACTIVE&quot>
<cflocation addtoken=&quot;No&quot; url=&quot;index.cfm&quot;>
<cfelseif NOT SESSION.ACTIVE>
<cflocation addtoken=&quot;No&quot; url=&quot;index.cfm&quot;>
</cfif>

you redirect to the index.cfm page if the session.active is not defined or is set to &quot;no&quot;. If the index.cfm page includes this code, if you logout and then view it, it will re-direct to itself, find that active is set to &quot;no&quot;, re-direct to itself, and repeat.

Is this it?
GJ

 

[profwannabe]

Don't let me keep you from RedAlert 2

The index.cfm page is merely a series of <cfinclude template> statements. The includes are activated based on the fuseaction value passed in the URL. The app_locals.cfm template, which is included on each page, is thus:

<cfinclude template=&quot;app_globals.cfm&quot;>
<!--- default setting for the fuseaction --->
<cfparam name=&quot;attributes.fuseaction&quot; default=&quot;dspLogin&quot;>

So when the index.cfm is called without a fuseaction value, the login should display.

That code is:
<table border=&quot;0&quot; cellspacing=&quot;5&quot; align=&quot;left&quot;>
<cfform action=&quot;index.cfm?fuseaction=actLogin&quot; method=&quot;POST&quot; enablecab=&quot;No&quot;>
<tr>
<td colspan=&quot;2&quot;><p><h3>Quist Extranet Login</h3></p></td>
</tr>
<tr>
<td valign=&quot;top&quot;><font size=&quot;-1&quot;>Username:</font> <cfinput type=&quot;Text&quot; name=&quot;username&quot; message=&quot;Enter in your username before proceeding&quot; required=&quot;Yes&quot;></td>
<td valign=&quot;top&quot;>
<cfif IsDefined(&quot;attributes.username&quot OR IsDefined(&quot;attributes.password&quot>
<div align=&quot;center&quot;><font size=&quot;+1&quot; color=&quot;Red&quot;>Login failed, please try again.</font></div>
</cfif>
</td>
</tr>
<tr>
<td colspan=&quot;2&quot;><font size=&quot;-1&quot;>Password:</font> <cfinput type=&quot;password&quot; name=&quot;password&quot; message=&quot;Enter in your password before proceeding&quot; required=&quot;Yes&quot;></td>
</tr>
<tr>
<td colspan=&quot;2&quot;><input type=&quot;submit&quot; value=&quot; Proceed >> &quot;></td>
</tr>
<tr>
<td><a href=&quot;

http://www.QuistFinancial.com&quot;>Click

here for QuistFinancial.com</a></td>
</tr>
</cfform>
</table>

Nothing is required to begin this page in terms of session.values.

Thanks again for your poking around on this.

 

[profwannabe]

GJ,

I am now also getting a recursive call when I timeout! I guess the bug lies somewhere in how the index.cfm?fuseaction=dspLogin is being called, rather than with the logout code itself. Are you familiar with fusebox?

 

[GunJack]

Where is the app_secure.cfm included from? I think that is causing your problem. If it gets included on the index.cfm directly or through an include file, I believe it will cause your re-cursive loop.

I already won 2 games so I'm done for the night

GJ

 

[profwannabe]

Nicely done!

The index.cfm file looks thusly (excluding references to numerous templates).

<cfinclude template=&quot;app_locals.cfm&quot;>
<cfinclude template=&quot;inc_header.cfm&quot;>

<!--- Login --->
<cfswitch expression=&quot;#attributes.fuseaction#&quot;>
<cfcase value=&quot;dspLogin&quot;>
<cfinclude template=&quot;dsp_login.cfm&quot;>
</cfcase>
<cfcase value=&quot;actLogin&quot;>
<cfinclude template=&quot;act_login.cfm&quot;>
</cfcase>

<!--- Quist Admin Lobby --->
<cfcase value=&quot;dspLobby&quot;>
<cfinclude template=&quot;app_secure.cfm&quot;>
<cfinclude template=&quot;dsp_lobby.cfm&quot;>
</cfcase>
<!--- logout --->
<cfcase value=&quot;actLogout&quot;>
<cfinclude template=&quot;act_logout.cfm&quot;>
</cfcase>

</cfswitch>

<cfinclude template=&quot;inc_footer.cfm&quot;>

Perhaps I should be including the app_secure.cfm to the cfcase value=&quot;actLogout&quot; and I will try it, but that does not make much sense to me.

Does that help?

 

[GunJack]

I would suspect that this part of the index.cfm file is executing and causing your loop but it's just a guess at this point.

<!--- Quist Admin Lobby --->
<cfcase value=&quot;dspLobby&quot;>
<cfinclude template=&quot;app_secure.cfm&quot;>
<cfinclude template=&quot;dsp_lobby.cfm&quot;>

Is it possible that the fuseaction is lingering around in the url somewhere and causing this section to run?

I would start by commenting out the entire page and un-commenting a section at a time until you find the particular section that's causing the loop. I think when we know the actual statement or include directive that's causing the loop, the fix will be simple.

GJ

 

[profwannabe]

GJ,

Not sure why this worked, but there are many subfolders on the site, each of which has an index.cfm fusebox in it. For those, I called the template ../app_secure.cfm. If there was an error or logout, the app_secure.cfm would direct to the local index.cfm, not the one in the root. So I made a copy of the template and put it in each subfolder, referring any error or logout to the root folder(../index.cfm). This seems to be working.

What is unclear to me is why there was a problem when I logged out from any template referred to in the root directory index.cfm. Anyway, it is late and this was my day off, so I am through for today.

Thanks for your help today. Also, I have not forgotten your advice for my course website calender/lecture issue. Unfortunately, that website has been on hold a bit in favor of my programming job. I should return to that problem soon.

 

[GunJack]

Glad I could help in some way.

Good Luck,
GJ