LogOut not actually ending the session...

Status
Not open for further replies.

profwannabe

Programmer
Jan 6, 2001
53
US
I have a login-driven site that I need to enable a logout for. I cannot use cookies. SessionManagement and ClientManagement are enabled in <cfapplication>.

In my act_logout.cfm I have the following code:
<cfset SESSION.ACTIVE = false>
<cfset CLEAR = #StructClear(session)#>

The user then returns to index.cfm?fuseaction=dspLogin.

However, if one hits the back button on the browser after logging out, one can still navigate through the site as though the logout had not occurred.
 
This may be stating the obvious but each page will need to check to see if session.active is false. What does your code look like that checks for this?

If you set session.active to "false" and then reload a page which checks this variable with "<cfif session.active is "false"><cflocation url="Login.cfm"></cfif>", then I wouldn't see any way for it to fail. This is assuming everything else is correct such as the cfapplication tag, default value for session.active, etc... Can you post your cfapplication tag, any session variable code that sets a default value, and the code on another page which checks to see if they are logged in? I think the problem will lie in one of these three areas.

GJ
 
GJ,

Surely you have something better to do than help me out!

Here is my cfapplication
<CFAPPLICATION NAME="Quist" SETCLIENTCOOKIES="No"
CLIENTMANAGEMENT="Yes"
SESSIONMANAGEMENT="Yes"
SESSIONTIMEOUT="#CreateTimeSpan(0,0,10,0)#">

Each page also includes the template app_secure.cfm:

<cfif NOT IsDefined("SESSION.ACTIVE")>
<cflocation addtoken="No" url="index.cfm">
<cfelseif NOT SESSION.ACTIVE>
<cflocation addtoken="No" url="index.cfm">
</cfif>

That is the extent of the security...
 
Hehe, yea I'm actually about to go online and play Red Alert 2 :)

I think I see the problem. When you're not using cookies, there is no way for the webserver to maintain sessions/client variables unless you pass the cfid & cftokens via url variables. In your <cflocation> tags, you have "addtoken=no" which keeps these from being sent automatically. I suspect that whatever link you have to a logout page does not pass these and they start a new session on the logout page and that new session is cleared. If you have these url variables embedded on a previous page, clicking the back button would then use the old session that wasn't cleared.

Clear as mud? I'm just speculating so let me know if this isn't the case.

GJ
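
The mechanism described in the post above, modeled as an added example (not part of the original thread and not ColdFusion's own code): sessions are found only by a token carried in the URL, so a logout request without the token clears a fresh, empty session. The class and function names are hypothetical, and the random token is a constructed stand-in for the CFID/CFTOKEN pair.

```python
import secrets


class CookielessSessions:
    """Toy model of URL-token session tracking (an assumption, not CF internals)."""

    def __init__(self):
        self._store = {}  # URL token -> session scope (dict)

    def _new_session(self):
        token = secrets.token_hex(8)  # constructed stand-in for CFID/CFTOKEN
        self._store[token] = {}
        return token

    def resolve(self, token=None):
        """Return (token, session); a missing or unknown token starts a new session."""
        if token not in self._store:
            token = self._new_session()
        return token, self._store[token]

    def login(self, token=None):
        token, session = self.resolve(token)
        session["ACTIVE"] = True
        return token

    def logout(self, token=None):
        """Mirror act_logout.cfm: clear whichever session this request resolved to."""
        token, session = self.resolve(token)
        session.clear()
        return token

    def is_secure_page_allowed(self, token=None):
        """Mirror app_secure.cfm: allow only if SESSION.ACTIVE exists and is true."""
        _, session = self.resolve(token)
        return bool(session.get("ACTIVE", False))


def back_button_after_logout(pass_token_on_logout):
    """Log in, log out, then replay a pre-logout URL that still embeds the token."""
    app = CookielessSessions()
    old_token = app.login()
    app.logout(old_token if pass_token_on_logout else None)
    return app.is_secure_page_allowed(old_token)
```

`back_button_after_logout(False)` returns `True` (the old session is still active), while passing the token on the logout link makes it return `False`.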
 
I was not appending my #application.addtoken# to the logout url! However, having made that change, I now get a recursive loop when I hit the back button and then try to navigate away from that page!

Any ideas?
 
Do you mean they go to the logout page, then click back and get re-directed to the logout page?

GJ
 
Not quite. The url for the logout is in the footer of each page. I was not appending #application.addtoken#, but made the change as you suggested. I am using the Fusebox architecture, so the default template for index.cfm is dspLogin. With no session active, the user is merely looking at the index.cfm in its default state, which is what I need.

However, if I logout, then back my browser and attempt to click on a link on that page, I get a recursive call, tying up my dev server.

Does that make sense?
 
I think I see what might be causing it. In the code you posted below,

<cfif NOT IsDefined("SESSION.ACTIVE")>
<cflocation addtoken="No" url="index.cfm">
<cfelseif NOT SESSION.ACTIVE>
<cflocation addtoken="No" url="index.cfm">
</cfif>

you redirect to the index.cfm page if the session.active is not defined or is set to "no". If the index.cfm page includes this code, if you logout and then view it, it will re-direct to itself, find that active is set to "no", re-direct to itself, and repeat.

Is this it?
GJ
 
Don't let me keep you from RedAlert 2 :)

The index.cfm page is merely a series of <cfinclude template> statements. The includes are activated based on the fuseaction value passed in the URL. The app_locals.cfm template, which is included on each page, is thus:

<cfinclude template="app_globals.cfm">
<!--- default setting for the fuseaction --->
<cfparam name="attributes.fuseaction" default="dspLogin">

So when the index.cfm is called without a fuseaction value, the login should display.

That code is:
<table border="0" cellspacing="5" align="left">
<cfform action="index.cfm?fuseaction=actLogin" method="POST" enablecab="No">
<tr>
<td colspan="2"><p><h3>Quist Extranet Login</h3></p></td>
</tr>
<tr>
<td valign="top"><font size="-1">Username:</font> <cfinput type="Text" name="username" message="Enter in your username before proceeding" required="Yes"></td>
<td valign="top">
<cfif IsDefined("attributes.username") OR IsDefined("attributes.password")>
<div align="center"><font size="+1" color="Red">Login failed, please try again.</font></div>
</cfif>
</td>
</tr>
<tr>
<td colspan="2"><font size="-1">Password:</font> <cfinput type="password" name="password" message="Enter in your password before proceeding" required="Yes"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value=" Proceed >> "></td>
</tr>
<tr>
<td><a href=" here for QuistFinancial.com</a></td>
</tr>
</cfform>
</table>

Nothing is required to begin this page in terms of session.values.

Thanks again for your poking around on this.
 
GJ,

I am now also getting a recursive call when I timeout! I guess the bug lies somewhere in how the index.cfm?fuseaction=dspLogin is being called, rather than with the logout code itself. Are you familiar with fusebox?
 
Where is the app_secure.cfm included from? I think that is causing your problem. If it gets included on the index.cfm directly or through an include file, I believe it will cause your recursive loop.

I already won 2 games so I'm done for the night :)

GJ
 
Nicely done!

The index.cfm file looks thusly (excluding references to numerous templates).

<cfinclude template="app_locals.cfm">
<cfinclude template="inc_header.cfm">

<!--- Login --->
<cfswitch expression="#attributes.fuseaction#">
<cfcase value="dspLogin">
<cfinclude template="dsp_login.cfm">
</cfcase>
<cfcase value="actLogin">
<cfinclude template="act_login.cfm">
</cfcase>

<!--- Quist Admin Lobby --->
<cfcase value="dspLobby">
<cfinclude template="app_secure.cfm">
<cfinclude template="dsp_lobby.cfm">
</cfcase>
<!--- logout --->
<cfcase value="actLogout">
<cfinclude template="act_logout.cfm">
</cfcase>

</cfswitch>

<cfinclude template="inc_footer.cfm">

Perhaps I should be including the app_secure.cfm to the cfcase value="actLogout" and I will try it, but that does not make much sense to me.

Does that help?
 
I would suspect that this part of the index.cfm file is executing and causing your loop but it's just a guess at this point.

<!--- Quist Admin Lobby --->
<cfcase value="dspLobby">
<cfinclude template="app_secure.cfm">
<cfinclude template="dsp_lobby.cfm">

Is it possible that the fuseaction is lingering around in the url somewhere and causing this section to run?

I would start by commenting out the entire page and un-commenting a section at a time until you find the particular section that's causing the loop. I think when we know the actual statement or include directive that's causing the loop, the fix will be simple.

GJ
 
GJ,

Not sure why this worked, but there are many subfolders on the site, each of which has an index.cfm fusebox in it. For those, I called the template ../app_secure.cfm. If there was an error or logout, the app_secure.cfm would direct to the local index.cfm, not the one in the root. So I made a copy of the template and put it in each subfolder, referring any error or logout to the root folder (../index.cfm). This seems to be working.

What is unclear to me is why there was a problem when I logged out from any template referred to in the root directory index.cfm. Anyway, it is late and this was my day off, so I am through for today.

Thanks for your help today. Also, I have not forgotten your advice for my course website calendar/lecture issue. Unfortunately, that website has been on hold a bit in favor of my programming job. I should return to that problem soon.

 