ColdFusion Talk (CF-Talk)
Application Security Confusion
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165098
Nope ... no matter what I set the timeout to, I never get prompted to log in after the first time.
Thanks
-- Jeff
_____
Sent: Monday, May 31, 2004 8:23 PM
To: CF-Talk
Subject: Re: Application Security Confusion
Jeff,
What happens if you set the Timeout to 0? Do they time out then?
-Frank
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Frank Mamone
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165097
Jeff,
What happens if you set the Timeout to 0? Do they time out then?
-Frank
Okay, Hal's tutorial fixed the browser close issue.
However, I still cannot get the session variables to time out when the browser is still open. I even set the sessionTimeout attribute to 15 seconds and I can still navigate the application all day long without being required to log in again.
Any thoughts on what might cause this?
Thanks
-- Jeff
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165092
And if I said none of the above?
This application has plain old static templates ... no frames, meta tags, or
JavaScript refreshes. Once a page is loaded, that page remains until a
user manually clicks on a link to go to the next page.
This is why this is so weird.
Thanks
-- Jeff
_____
Sent: Monday, May 31, 2004 7:14 PM
To: CF-Talk
Subject: RE: Application Security Confusion
> Suppose for some reason that I wanted to have session
> variables not ever expire. How would I go about attempting
> to do that with code only - no changes to the administrator
> or anything else?
You would need to ensure that the browser always requests another page
before the inactivity timeout kicks in. There are several ways you could do
this - META tags or JavaScript timers placed within frames, separate
windows, or "GIF pipes".
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
_____
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165090
> Suppose for some reason that I wanted to have session
> variables not ever expire. How would I go about attempting
> to do that with code only - no changes to the administrator
> or anything else?
You would need to ensure that the browser always requests another page
before the inactivity timeout kicks in. There are several ways you could do
this - META tags or JavaScript timers placed within frames, separate
windows, or "GIF pipes".
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165078
Sorry, I'm out of ideas
> Nope, no frames at all in this app, and there are no
> automatic page refreshes.
>
> The not possible answer was what I was coming up with, except
> for the fact that it is happening.
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165077
Nope, no frames at all in this app, and there are no automatic page
refreshes.
The not possible answer was what I was coming up with, except for the fact
that it is happening.
_____
Sent: Monday, May 31, 2004 2:07 PM
To: CF-Talk
Subject: RE: Application Security Confusion
Not really possible, but you could put your app in a frameset with a
hidden frame that posts regularly to the app. This way, session will not
time out as long as the app is loaded in the browser.
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165076
Not really possible, but you could put your app in a frameset with a
hidden frame that posts regularly to the app. This way, session will not
time out as long as the app is loaded in the browser.
----- Excess quoted text cut - see Original Post for more -----
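What Dave and Pascal describe above, written out as an added example for this page: it is not code from any post in the thread, and not what Jeff's application contains (he says it has no frames or refreshes). The template name `keepalive.cfm`, the eight-hour limit and the assumption that the login page stored `session.userAuth.loginTime` are not from the posts; the 15-minute sessionTimeout and the `session.userAuth` structure are Jeff's. The ping works because the server cannot tell it from a click: any request that presents the session cookies resets the inactivity timer. The example goes one step beyond the thread by enforcing an absolute lifetime in the ping handler, since an unbounded keep-alive turns one login into a session that never ends.

```cfml
<!--- ============ keepalive.cfm (added example, not from the thread) ============
      Runs under the application's Application.cfm, so merely arriving with the
      CFID/CFTOKEN cookies resets the sessiontimeout clock. Assumes login.cfm
      stored session.userAuth.loginTime when the user authenticated. --->
<cfsetting enablecfoutputonly="true" showdebugoutput="false">
<cfset variables.absoluteMaxHours = 8>   <!--- assumed policy value, not from the thread --->

<cfif StructKeyExists(session, "userAuth")
      AND StructKeyExists(session.userAuth, "loginTime")
      AND DateDiff("h", session.userAuth.loginTime, Now()) GTE variables.absoluteMaxHours>
    <!--- The pings have kept the inactivity timer from ever firing, so this
          absolute limit is the only thing left that can end the session:
          drop the authentication and let the next real page request fall
          through to the login screen. --->
    <cfset StructDelete(session, "userAuth")>
    <cfheader statuscode="401" statustext="Session lifetime exceeded">
    <cfabort>
</cfif>

<cfheader name="Cache-Control" value="no-store">
<cfcontent type="text/plain" reset="true"><cfoutput>ok</cfoutput>

<!--- ============ fragment for each secure page (separate file) ============
      An image fetch every 7 minutes keeps a 15-minute inactivity timeout from
      expiring while the page stays open. A hidden frame with a META refresh
      does the same job; the server only ever sees another request that
      carries the session cookies. --->
<cfset variables.pingEveryMs = 7 * 60 * 1000>
<cfoutput>
<script type="text/javascript">
  // The timestamp stops the browser serving the ping from cache, which
  // would otherwise let the session expire after all.
  setInterval(function () {
      new Image().src = "keepalive.cfm?t=" + new Date().getTime();
  }, #variables.pingEveryMs#);
</script>
</cfoutput>
```

Load a secure page with this fragment, walk away for 30 minutes, and the session is still there: that is Jeff's symptom reproduced on purpose. The request does not have to be this deliberate, either; an `<img>`, stylesheet or favicon served through a .cfm template counts just the same, which is why hunting for requests you do not know about is more productive than re-reading the cfapplication tag.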
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165073
Okay, from more tests, it appears the problem is in the code somewhere. I
have run a separate small test of the session variables on this server and
they expire as expected. So, to take this question from a different
direction...
Suppose for some reason that I wanted to have session variables not ever
expire. How would I go about attempting to do that with code only - no
changes to the administrator or anything else?
Thanks for any pointers.
-- Jeff
_____
Sent: Monday, May 31, 2004 9:32 AM
To: CF-Talk
Subject: RE: Application Security Confusion
The code is a complete FB4 application, so I am not sure how to post it
here.
I stripped out the cfapplication tags etc. from the Application.cfm file, put
them in a stand-alone app and the variables time out as expected. There is
only one cfapplication tag in this application, so what could possibly cause
the session to be retained?
There is no code in the application that refreshes the page if that is what
you are asking. All pages are just a simple request.
Thanks
-- Jeff
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165055
The code is a complete FB4 application, so I am not sure how to post it
here.
I stripped out the cfapplication tags etc. from the Application.cfm file, put
them in a stand-alone app and the variables time out as expected. There is
only one cfapplication tag in this application, so what could possibly cause
the session to be retained?
There is no code in the application that refreshes the page if that is what
you are asking. All pages are just a simple request.
Thanks
-- Jeff
_____
Sent: Monday, May 31, 2004 9:17 AM
To: CF-Talk
Subject: RE: Application Security Confusion
Your code? Did you try my suggestion and dump the session scope right
after the cfapplication tag?
Do you have any other cfapplication tags with the same name? (change the
name maybe)
Is there some code in there that makes requests without you seeing it?
...
Pascal
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165054
Your code? Did you try my suggestion and dump the session scope right
after the cfapplication tag?
Do you have any other cfapplication tags with the same name? (change the
name maybe)
Is there some code in there that makes requests without you seeing it?
...
Pascal
----- Excess quoted text cut - see Original Post for more -----
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165053
Your code? Did you try my suggestion and dump the session scope right
after the cfapplication tag?
Do you have any other cfapplication tags with the same name? (change the
name maybe)
Is there some code in there that makes requests without you seeing it?
...
Pascal
----- Excess quoted text cut - see Original Post for more -----
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165051
Okay, Hal's tutorial fixed the browser close issue.
However, I still cannot get the session variables to time out when the browser is still open. I even set the sessionTimeout attribute to 15 seconds and I can still navigate the application all day long without being required to log in again.
Any thoughts on what might cause this?
Thanks
-- Jeff
_____
Sent: Monday, May 31, 2004 3:52 AM
To: CF-Talk
Subject: RE: Application Security Confusion
Jeff,
They have to die at sessiontimeout, but NOT when you close your browser
(if you are using CF sessions on CFMX or a lower version). If you use
J2EE sessions in CFMX, the session will end if you close all browser
windows.
Without seeing code, I can't imagine why the session would persist after
the specified timeout. You could try and debug by doing a <cfdump
var="#session#"> right after the cfapplication tag. This way you can see
if the session really exists, or if your code recreates it or something
of the kind.
Pascal
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165043
Jeff,
They have to die at sessiontimeout, but NOT when you close your browser
(if you are using CF sessions on CFMX or a lower version). If you use
J2EE sessions in CFMX, the session will end if you close all browser
windows.
Without seeing code, I can't imagine why the session would persist after
the specified timeout. You could try and debug by doing a <cfdump
var="#session#"> right after the cfapplication tag. This way you can see
if the session really exists, or if your code recreates it or something
of the kind.
Pascal
----- Excess quoted text cut - see Original Post for more -----
Author: Jeff Chastain
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:32890#165022
Ok, I must really be missing something obvious, because this makes no sense.
I have an application that has security setup and tracked via session
variables. The cfapplication tag has the setClientCookies attribute set to
true, and the sessionTimeout attribute has a createTimeSpan value of
0,0,15,0 which I thought was 15 minutes (I am questioning most everything I
knew now). At the beginning of each secure page, there is an isDefined
check to see if a session structure userAuth exists. If so, then further
checks are done to check for valid permissions - if not, the user is sent to
the login screen.
When I first load the application, I get sent to the login screen as
expected. However, if I leave my browser window open with no activity for
30 minutes, I find I can still navigate the secure pages without having to
log in again. What is even weirder is that I can close all of my browser
windows, load a new browser window and go directly to a secure URL in the
site without having to log in again.
I am beginning to question everything I knew about session variables, but I
thought they were supposed to time out and die automatically based upon the
sessionTimeout attribute of the cfapplication tag and they always died
immediately upon closing the browser.
My session variables won't die!
Thanks for any pointers.
-- Jeff
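The thread's advice gathered into one Application.cfm, as an added example written for this page; it is not code from any of the posts and is not the tutorial Jeff refers to. The application name `secureApp`, the login page `login.cfm`, the log file `sessiondebug` and the `URL.debugsession` switch are assumptions; `setClientCookies`, the 15-minute `sessionTimeout` and the `session.userAuth` structure come from Jeff's description. It addresses both symptoms he reports: it re-issues CFID and CFTOKEN as browser-session cookies (ColdFusion writes them as persistent cookies by default, which is why a session outlives the browser), it logs every request together with the idle gap since the previous one so that a request the developer does not see shows up, and it dumps the session scope right after cfapplication as Pascal suggested.

```cfml
<!--- Application.cfm (added example, not code from the thread).
      Assumed names: application "secureApp", login page "login.cfm",
      log file "sessiondebug", debug switch URL.debugsession. --->
<cfapplication
    name="secureApp"
    sessionmanagement="true"
    setclientcookies="true"
    sessiontimeout="#CreateTimeSpan(0,0,15,0)#">
<!--- sessiontimeout is an inactivity timeout, and the Administrator's
      maximum session timeout caps whatever value is requested here. --->

<!--- 1. The "survives a browser restart" symptom. With setClientCookies="true"
      ColdFusion issues CFID and CFTOKEN as persistent cookies, so a freshly
      opened browser presents the same pair and resumes the same, still-alive
      session. Re-issuing them without an expires attribute turns them into
      browser-session cookies that are discarded when the last window closes
      (J2EE sessions already behave this way). --->
<cfif IsDefined("Cookie.CFID") AND IsDefined("Cookie.CFTOKEN")>
    <cfset variables.localCFID = Cookie.CFID>
    <cfset variables.localCFTOKEN = Cookie.CFTOKEN>
    <cfcookie name="CFID" value="#variables.localCFID#">
    <cfcookie name="CFTOKEN" value="#variables.localCFTOKEN#">
</cfif>

<!--- 2. The "won't time out" symptom. Every request that carries the session
      cookies resets the inactivity timer: a META refresh, a JavaScript
      timer, a hidden frame, an <img> or stylesheet served by a .cfm
      template. Log each hit with the seconds since the previous one; a
      user who is "idle" for 30 minutes but whose session shows hits every
      few minutes has something pinging the server. --->
<cfif StructKeyExists(session, "lastRequest")>
    <cfset request.idleSeconds = DateDiff("s", session.lastRequest, Now())>
<cfelse>
    <cfset request.idleSeconds = 0>
</cfif>
<cfset session.lastRequest = Now()>
<cflog file="sessiondebug" type="information"
       text="session=#session.sessionid# idle=#request.idleSeconds#s script=#CGI.SCRIPT_NAME# qs=#CGI.QUERY_STRING# referer=#CGI.HTTP_REFERER# ua=#CGI.HTTP_USER_AGENT#">

<!--- 3. Pascal's check: dump the scopes right after cfapplication to see
      whether the session really still exists and whether the browser is
      presenting the same CFID/CFTOKEN it had before the timeout. Gated
      behind a switch because the dump exposes everything in the session;
      remove it once the problem is found. --->
<cfif IsDefined("URL.debugsession")>
    <cfoutput><h3>session scope at #TimeFormat(Now(), "HH:mm:ss")#</h3></cfoutput>
    <cfdump var="#session#">
    <cfdump var="#cookie#">
</cfif>

<!--- 4. The login gate, in one place instead of at the top of every secure
      page. When the session has expired, ColdFusion creates an empty one
      for this request, session.userAuth is absent, and the user is sent to
      the login screen. --->
<cfif NOT StructKeyExists(session, "userAuth")
      AND CGI.SCRIPT_NAME DOES NOT CONTAIN "login.cfm">
    <cflocation url="login.cfm" addtoken="no">
</cfif>
```

Reading the `sessiondebug` log after a 30-minute wait answers Pascal's question directly: if the same session id shows entries with small idle gaps while nobody touched the browser, something in the delivered pages is making requests; if the idle gap is 1800 seconds and the dump still shows `userAuth`, look for a second cfapplication tag with the same name or code that rebuilds the structure.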