ColdFusion Talk (CF-Talk) mailing list
Application Security Confusion
Jeff Chastain, 05/30/04 08:13 PM

OK, I must really be missing something obvious, because this makes no sense.

I have an application that has security set up and tracked via session variables. The cfapplication tag has the setClientCookies attribute set to true, and the sessionTimeout attribute has a createTimeSpan value of 0,0,15,0 which I thought was 15 minutes (I am questioning most everything I knew now). At the beginning of each secure page, there is an isDefined check to see if a session structure userAuth exists. If so, then further checks are done to check for valid permissions - if not, the user is sent to the login screen.

When I first load the application, I get sent to the login screen as expected. However, if I leave my browser window open with no activity for 30 minutes, I find I can still navigate the secure pages without having to log in again. What is even weirder is that I can close all of my browser windows, load a new browser window and go directly to a secure URL in the site without having to log in again.

I am beginning to question everything I knew about session variables, but I thought they were supposed to time out and die automatically based upon the sessionTimeout attribute of the cfapplication tag and they always died immediately upon closing the browser.

My session variables won't die!

Thanks for any pointers.
-- Jeff


Pascal Peters, 05/31/04 04:54 AM

Jeff,

They have to die at sessionTimeout, but NOT when you close your browser (if you are using CF sessions on CFMX or a lower version). If you use J2EE sessions in CFMX, the session will end if you close all browser windows.

Without seeing code, I can't imagine why the session would persist after the specified timeout. You could try and debug by doing a <cfdump var="#session#"> right after the cfapplication tag. This way you can see if the session really exists, or if your code recreates it or something of the kind.

Pascal


Jeff Chastain, 05/31/04 10:11 AM

Okay, Hal's tutorial fixed the browser close issue. However, I still cannot get the session variables to time out when the browser is still open. I even set the sessionTimeout attribute to 15 seconds and I can still navigate the application all day long without being required to re-login.

Any thoughts on what might cause this?

Thanks
-- Jeff


Frank Mamone, 05/31/04 09:29 PM

Jeff,

What happens if you set the Timeout to 0? Do they time out then?

-Frank


Jeff Chastain, 05/31/04 10:15 PM

Nope .... no matter what I set the timeout to, I never get prompted to log in after the first time.

Thanks
-- Jeff


Pascal Peters, 05/31/04 10:16 AM

Your code? Did you try my suggestion and dump the session scope right after the cfapplication tag? Do you have any other cfapplication tags with the same name? (Change the name, maybe.) Is there some code in there that makes requests without you seeing it? ...

Pascal


Jeff Chastain, 05/31/04 10:35 AM

The code is a complete FB4 application, so I am not sure how to post it here. I stripped out the cfapplication tags etc. from the application.cfm file, put them in a stand-alone app and the variables time out as expected. There is only one cfapplication tag in this application, so what could possibly cause the session to be retained? There is no code in the application that refreshes the page, if that is what you are asking. All pages are just a simple request.

Thanks
-- Jeff


Jeff Chastain, 05/31/04 02:01 PM

Okay, from more tests, it appears the problem is in the code somewhere. I have run a separate small test of the session variables on this server and they expire as expected.

So, to take this question from a different direction..... Suppose for some reason that I wanted to have session variables not ever expire. How would I go about attempting to do that with code only - no changes to the administrator or anything else?

Thanks for any pointers.
-- Jeff


Pascal Peters, 05/31/04 03:09 PM

Not really possible, but you could put your app in a frameset with a hidden frame that posts regularly to the app. This way, the session will not time out as long as the app is loaded in the browser.


Jeff Chastain, 05/31/04 03:43 PM

Nope, no frames at all in this app, and there are no automatic page refreshes.

The "not possible" answer was what I was coming up with, except for the fact that it is happening.


Pascal Peters, 05/31/04 03:56 PM

Sorry, I'm out of ideas.


Dave Watts, 05/31/04 08:09 PM

> Suppose for some reason that I wanted to have session
> variables not ever expire. How would I go about attempting
> to do that with code only - no changes to the administrator
> or anything else?

You would need to ensure that the browser always requests another page before the inactivity timeout kicks in. There are several ways you could do this - META tags or JavaScript timers placed within frames, separate windows, or "GIF pipes".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444


Jeff Chastain, 05/31/04 08:13 PM

And if I said none of the above? This application has plain old static templates ... no frames, meta tags, or JavaScript refreshes. Once a page is loaded, that page remains until a user manually clicks on a link to go to the next page. This is why this is so weird.

Thanks
-- Jeff
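The setup Jeff describes in his first post (a session-based login gate with setClientCookies set to true) and Pascal's point that CF sessions do not end when the browser closes both come down to how the CFID/CFTOKEN cookies are written. The Application.cfm, login.cfm and logout.cfm below are an added example, not code from the thread or from Jeff's application: they gate every template on a server-side session.userAuth struct and write the session cookies with no expiry so the browser discards them on exit. Assumed names: the application name secureApp, the keys inside userAuth, the template names login.cfm and logout.cfm, and an admin/ directory for role-restricted pages. It assumes CF (not J2EE) sessions on CFMX; with J2EE sessions the JSESSIONID cookie is already a browser-session cookie, which is the behaviour Pascal describes.

```cfml
<!--- Application.cfm (added example, not from the thread).
      Assumed: application name "secureApp"; templates that need no
      login are listed in request.publicPages. --->
<cfapplication
    name="secureApp"
    sessionManagement="yes"
    sessionTimeout="#createTimeSpan(0, 0, 15, 0)#"
    setClientCookies="no">
<!--- The Administrator's "Maximum Session Timeout" caps the value above;
      a larger value here is silently reduced to that cap. --->

<!--- With setClientCookies="yes", CFMX writes CFID/CFTOKEN as persistent
      cookies (expiry far in the future), so a restarted browser still
      presents them and the server-side scope is found again until
      sessionTimeout elapses. Writing them ourselves with no "expires"
      attribute makes them browser-session cookies instead. --->
<cfcookie name="CFID" value="#session.cfid#">
<cfcookie name="CFTOKEN" value="#session.cftoken#">

<!--- Templates reachable without a login. --->
<cfset request.publicPages = "login.cfm,logout.cfm">
<cfset request.thisPage = listLast(cgi.script_name, "/")>

<!--- Gate every other template on the server-side auth struct only;
      nothing the client sends is trusted for this decision. --->
<cfif not listFindNoCase(request.publicPages, request.thisPage)>
    <cflock scope="session" type="readonly" timeout="5">
        <cfset request.loggedIn = structKeyExists(session, "userAuth")
                                  and isStruct(session.userAuth)
                                  and structKeyExists(session.userAuth, "userId")>
        <cfif request.loggedIn>
            <cfset request.roles = session.userAuth.roles>
        </cfif>
    </cflock>
    <cfif not request.loggedIn>
        <!--- addtoken="no" keeps CFID/CFTOKEN out of the redirect URL
              (and therefore out of referer logs). --->
        <cflocation url="login.cfm" addtoken="no">
    </cfif>
    <!--- Templates under admin/ additionally need the admin role. --->
    <cfif findNoCase("/admin/", cgi.script_name)
          and not listFindNoCase(request.roles, "admin")>
        <cflocation url="login.cfm" addtoken="no">
    </cfif>
</cfif>

<!--- login.cfm, after your own credential check has succeeded
      (user store lookup not shown; the values are assumed): --->
<cflock scope="session" type="exclusive" timeout="5">
    <cfset session.userAuth = structNew()>
    <cfset session.userAuth.userId = 42>          <!--- from your user store --->
    <cfset session.userAuth.roles = "editor">     <!--- from your user store --->
    <cfset session.userAuth.loginTime = now()>
</cflock>
<cflocation url="index.cfm" addtoken="no">

<!--- logout.cfm: drop the server-side login state and expire the
      cookies, so neither the back button nor the next user of a shared
      machine gets the session back. structDelete rather than
      structClear, so CF's own session keys stay intact. --->
<cflock scope="session" type="exclusive" timeout="5">
    <cfset structDelete(session, "userAuth")>
</cflock>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cflocation url="login.cfm" addtoken="no">
```

The three templates are shown in one block for reading; in a deployment each sits in its own file, with Application.cfm at the application root so that templates in subdirectories such as admin/ pick it up.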
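Pascal's diagnostic questions (does the session really exist, is your code recreating it, is something making requests you do not see) and Dave's point that any hidden request resets the inactivity clock can all be answered from one log. The probe below is an added example, not the thread's or Jeff's code; it goes directly after the cfapplication tag in Application.cfm, with a matching line in OnRequestEnd.cfm. Assumed: the application name secureApp, a log file named sessionprobe, and that the login state lives in session.userAuth.

```cfml
<!--- Session-lifetime probe (added example, not from the thread).
      Place immediately after <cfapplication> in Application.cfm; the
      cfapplication tag is repeated here only so the block stands alone
      and should match the application's existing one.
      Assumed: application name "secureApp", log file "sessionprobe". --->
<cfapplication
    name="secureApp"
    sessionManagement="yes"
    sessionTimeout="#createTimeSpan(0, 0, 15, 0)#"
    setClientCookies="yes">

<!--- Stamp the scope on its first request and count every hit, so a
      freshly created scope is distinguishable from one that never expired. --->
<cflock scope="session" type="exclusive" timeout="5">
    <cfif not structKeyExists(session, "probeCreated")>
        <cfset session.probeCreated = now()>
        <cfset session.probeHits = 0>
        <cfset session.probeGap = 0>
    <cfelse>
        <!--- seconds since the previous request in this session --->
        <cfset session.probeGap = dateDiff("s", session.probeLast, now())>
    </cfif>
    <cfset session.probeHits = session.probeHits + 1>
    <cfset session.probeLast = now()>
    <cfset session.probeAuth = structKeyExists(session, "userAuth")>
</cflock>

<!--- One line per request in {cf_root}/logs/sessionprobe.log. The page
      and referer columns expose requests you did not make by hand. --->
<cflog file="sessionprobe" type="information"
       text="sid=#session.sessionid# start auth=#session.probeAuth# hits=#session.probeHits# created=#dateFormat(session.probeCreated, 'yyyy-mm-dd')# #timeFormat(session.probeCreated, 'HH:mm:ss')# gap=#session.probeGap#s page=#cgi.script_name# referer=#cgi.http_referer#">

<!--- Pascal's session dump, but only for a local request that asks for
      it: the dump shows the auth struct and the session id, so it must
      never be reachable from outside. --->
<cfif structKeyExists(url, "probe") and cgi.remote_addr eq "127.0.0.1">
    <cfdump var="#session#">
    <cfabort>
</cfif>

<!--- OnRequestEnd.cfm (same directory as Application.cfm): record the
      login state after the page ran, which Application.cfm cannot see. --->
<cflog file="sessionprobe" type="information"
       text="sid=#session.sessionid# end auth=#structKeyExists(session, 'userAuth')# page=#cgi.script_name#">
```

Reading the log after the 30-minute idle test: if hits keeps climbing with created unchanged and a gap well above the configured timeout, the server never expired that scope (check the Administrator's maximum session timeout and look for a second cfapplication with the same name, as Pascal suggested). A request whose start line says auth=NO and whose end line says auth=YES, without login.cfm in between, is code in the request recreating the login state, which is the "your code recreates it" case. Unexpected page or referer values during the idle period are the hidden requests Dave describes. Remove the probe before the application ships: it writes the session id and login state to disk.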