House of Fusion
Home /  Groups /  ColdFusion Talk (CF-Talk)

In ColdFusion 10, how to force session to end when browser is closed

Author:
Byte Me
07/04/2012 08:29 AM

Anyone know how to force the session to end when the browser is closed when using CF 10? In the CF Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to Session Cookie Settings. The Cookie Timeout setting seems to have complete control over the expires attribute for cfid, cftoken. You used to be able to force the session to end (when the browser was closed) by putting this in OnSessionStart: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken>, which set the Expires attribute to: "When I close my browser". Does not seem to be the case anymore.

Author:
Russ Michaels
07/04/2012 08:56 AM

If you do not set any expiry on a cookie it becomes a session cookie and will die when the browser is closed, thus ending the user's session. However, this will not kill the session on the server, as that requires something to be sent back to the server to tell it to kill the session, such as the user logging out, so the session variables will simply expire as normal; the user simply won't be able to reconnect to that session again.

Author:
.jonah
07/04/2012 05:29 PM

Take a look at CFCOOKIE.
http://cfquickdocs.com/cf9/?getDoc=cfcookie#cfcookie

On 7/5/12 5:26 AM, Byte Me wrote:
> Anyone know how to force the session to end when the browser is closed when using CF 10? In the CF Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to Session Cookie Settings. The Cookie Timeout setting seems to have complete control over the expires attribute for cfid, cftoken. You used to be able to force the session to end (when the browser was closed) by putting this in OnSessionStart: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken>, which set the Expires attribute to: "When I close my browser". Does not seem to be the case anymore.

Author:
Byte Me
07/04/2012 05:58 PM

In CF 10 Administrator, go to "Server Settings" -->"Memory Variables" & scroll down to "Session Cookie Settings". The "Session Cookie Settings" have complete control over the expires attribute for cookie.CFID & cookie.CFToken. When you set them like this: <cfset Cookie.cfid = SESSION.CFID> <cfset Cookie.cftoken = SESSION.CFToken> in OnSessionStart, the expires date gets set to the value set in "Session Cookie Settings" (minimum setting is 2 minutes) & this setting cannot be turned off. I tried using 0 and -1 to see if that would disable it from setting the expires attribute (for Cookie.cftoken & cookie.CFToken), it did not. In previous versions of CF, if you did not set the expires attribute when you set cookie.CFID and cookie.CFToken, these cookies would expire when you closed the browser, this is no longer the case for cookie.CFID and cookie.CFToken.

Author:
Dave Watts
07/04/2012 06:50 PM

You can still do this, but you have to tell CF not to set the cookies itself in the first place. That said, you'd be better off following Jochem's suggestion to use J2EE sessions instead.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Author:
Byte Me
07/04/2012 08:34 PM

Can't use j2ee session management, Hostek doesn't enable on my shared server. <<You can still do this, but you have to tell CF not to set the cookies itself in the first place>> I assume you mean to set setClientCookies to no, which I'm already doing as it is part of the procedure for what I have been doing on CF7, then CF8 for the last 7 years. This procedure no longer works.

Author:
Jochem van Dieten
07/04/2012 06:09 PM

On Thu, Jul 5, 2012 at 2:26 PM, Byte Me wrote:
> Anyone know how to force the session to end when the browser is closed when using CF 10?

Strictly speaking that is impossible. The session will end a time X after the last request. What you can do is make sure the browser discards the cookie that is used to associate requests to the session. The session on the server does not disappear, the browser is just no longer associated with it. The session will only disappear after the session timeout.

To do so, the easiest way is to enable J2EE session variables in your Administrator.

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

Author:
Byte Me
07/04/2012 08:48 PM

<<What you can do is make sure the browser discards the cookie that is used to associate requests to the session>> Are you saying that you have a different way to do this than the way I've described above? Yes, the session remains on the server until it times out, but CF 10 does not allow you to do what you have proposed. I did it in CF7 & 8 (never used 9) for the last 7 years. The procedure I have used for the last 7 years is a valid way to do this, I got it from the Web Application Construction Kit written by Ben Forta & others. If you have been able to set the cfid & cftoken cookies to expire when the browser closes (with CF10), I would greatly appreciate it if you could pass along the procedure you used. I understand that people are trying to help, but has anyone actually used CF10 to verify the symptoms I've reported? thanks

Author:
.jonah
07/04/2012 11:17 PM

I don't have CF10 installed to confirm, but have you tried re-setting the cookies without an expires? (e.g. session cookies.)

    <cfcookie name="CFTOKEN" value="#cookie.CFTOKEN#"/>
    <cfcookie name="CFID" value="#cookie.CFID#"/>

Author:
Byte Me
07/05/2012 07:23 AM

Just tried your suggestion, but cfid & cftoken gets set with an expires time based on the "Session Cookie Settings" in the CF10 Administrator (minimum setting is 2 minutes) & that setting cannot be disabled & it cannot be overridden. However, that setting can be overridden by other cookies, such as <cfcookie name="myCookie" value="hello world">, which gets set with expires="When I close my browser".

Author:
Dave Watts
07/05/2012 09:45 AM

> Just tried your suggestion, but cfid & cftoken gets set with an expires time based on the "Session Cookie Settings"
> in the CF10 Administrator (minimum setting is 2 minutes) & that setting cannot be disabled & it cannot be overridden.
> However, that setting can be overridden by other cookies, such as <cfcookie name="myCookie" value="hello world">,
> which gets set with expires="When I close my browser".

There's a checkbox in CF 10 which prevents you from manipulating session cookies if checked. Uncheck it.

http://www.shilpikhariwal.com/2012/02/how-to-secure-coldfusion-session.html

Dave Watts, CTO, Fig Leaf Software

Author:
Byte Me
07/05/2012 11:50 AM

OK, thanks, I will have to read up on this. What a pain it is to upgrade. Here's another link: http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-7ffc.html I'm not sure why Adobe is still using Application.cfm in their examples, aren't they aware that this was replaced with Application.cfc in ColdFusion 7?

Author:
Dave Watts
07/05/2012 02:00 PM

> I'm not sure why Adobe is still using Application.cfm in their examples, aren't they aware that this was replaced with
> Application.cfc in ColdFusion 7?

Lots of people still use Application.cfm, for various reasons.

Dave Watts, CTO, Fig Leaf Software

Author:
Russ Michaels
07/05/2012 02:28 PM

You also need to remember that most people who decide to learn CF do not know OOP, and CFML was never originally intended for that audience; it was supposed to be an easy to learn tag based language. Not everyone wants to use CFCs.

Author:
Byte Me
07/05/2012 04:29 PM

OK, finally figured it out through trial and error. Did not find (complete) documentation that explained how to do this.

Set this in the Application.cfc (beneath the <cfcomponent> tag):

    <cfset THIS.sessioncookie.timeout = "-1" >

and this will cause the cfid & cftoken cookies' "Expires" attribute to be set to "When I close my browser".

Note: if you are using a shared server & "Disable updating Coldfusion internal cookie using Coldfusion tags/functions" is checked, you can override it by putting

    <cfset THIS.sessioncookie.disableupdate=false>

in the Application.cfc, which gives control back to you; otherwise cfid & cftoken will expire at whatever interval is set in CF Admin.

In OnSessionStart, you can set the cookies like this:

    <cfcookie name="cfid" value="#SESSION.CFID#">
    <cfcookie name="cftoken" value="#SESSION.CFToken#">

or like this:

    <cfset Cookie.cfid = SESSION.CFID>
    <cfset Cookie.cftoken = SESSION.CFToken>

Just make sure you don't use the expires attribute when setting them.
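
The settings from the post above assembled into one Application.cfc, as an added example that is not part of the original thread. The application name, the 20-minute timeout, the `httponly` attribute, the `logout` form field and `login.cfm` are assumptions; the logout branch is included because, as noted earlier in the thread, closing the browser only discards the cookies and leaves the server-side session alive until it times out.

```cfml
<cfcomponent output="false">
    <!--- Placeholder application name and timeout (assumptions for this example) --->
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <!--- Server-side idle timeout: closing the browser does not shorten this --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>
    <!--- Keep CF from writing CFID/CFTOKEN itself; onSessionStart sets them --->
    <cfset this.setClientCookies = false>
    <!--- Per the post: overrides the admin box that blocks cookie updates --->
    <cfset this.sessioncookie.disableupdate = false>
    <!--- Per the post: -1 makes CFID/CFTOKEN expire when the browser closes --->
    <cfset this.sessioncookie.timeout = "-1">

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- No expires attribute, so both are browser-session cookies.
              httponly (an addition, not from the thread) hides them from script. --->
        <cfcookie name="cfid" value="#session.cfid#" httponly="true">
        <cfcookie name="cftoken" value="#session.cftoken#" httponly="true">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Explicit logout (hypothetical POST field "logout"): the only point
              where the session is actually destroyed on the server. --->
        <cfif structKeyExists(form, "logout")>
            <cfset sessionInvalidate()>
            <!--- Expire the identifiers in the browser as well --->
            <cfcookie name="cfid" value="" expires="now">
            <cfcookie name="cftoken" value="" expires="now">
            <!--- login.cfm is a placeholder target; addtoken="false" keeps
                  CFID/CFTOKEN out of the redirect URL --->
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

To confirm the result, inspect the response's Set-Cookie headers for CFID and CFTOKEN: neither should carry an Expires or Max-Age attribute.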

Author:
Byte Me
07/05/2012 07:11 PM

I suppose you're right. When I started using ColdFusion (version 7), I used CFCs. I never used/learned Application.cfm. The books I learned it from, Ben Forta's Web Application Construction Kit series, taught CFCs.

