Jan
7

I receive questions from time-to-time from folks reading my blog entries or working through my tutorials and typically these don't wind up as blog posts themselves. But they should. And to help with my goal of increasing my blog post count for 2009 I'm going to start blogging these more. Since everyone is doing the "Ask Bob" thing I thought I'd veer from the norm and put these types of posts into a new category called Aaron Answers. To begin the category of posts here's a few questions from Irv concerning my ColdFusion 7 Secure Login tutorial.

I was looking around for a good model to use to secure a CF8 app and I ran across your site. A couple of issues:

First a simple one. The MSSQL script creates a char 35 field for the password instead of 32. Causes hash compare to fail.

It's been quite a while since I've written any code for either CF6 or CF7 so I did some testing to see if I could get length differences using the different CFMX compatibility mode of Hash(). For CFMX 6/6.1 the default algorithm (MD5) produced a 32-byte hash. For CF8, the default is still set to MD5. So, if you provide only one argument to the Hash() function - the string you want to hash - you'll get a 32-byte hexadecimal character representation of the passed string. If you add a second argument string - CFMX_COMPAT - you get the same thing. So, by default, the behavior of CF8's Hash() is the same as 6/6.1's Hash().

<cfset variables.cf6 = Hash("mypassword", "CFMX_COMPAT")]]>
<cfset variables.cf8 = Hash("mypassword")]]>

<cfoutput>
#variables.cf6# -- #Len(variables.cf6)#
#variables.cf8# -- #Len(variables.cf7)#
</cfoutput>

I'm guessing the sql scripts creating a 35 character column was an oversight on my part. Though to be honest, the code published on my site never threw any errors and is actually still in use today on production servers without problems.

What about a user closing a window instead of logging out or walking away from open window? Closing window appears to leave the session running and for some reason does not time out after the 30 second timeout period. Allowing the app to time out clears them but I'm concerned about having orphaned session vars building up.

As a ref I'm using J2EE session vars. My assumption was that these automatically close upon browser window closing. From http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_18232

"J2EE session management uses a new variable, called thejsessionid, to track a user's browser session instead of the CFID/CFTOKEN pair. The jsessionid variable is available to JSPs and Servlets. A newjsessionid is always created at the start of each browser session. Because it is always written as a per-session value which is destroyed when the browser is closed, all session variables are also destroyed when the browser session ends."

This is a very common question, one that I've never really researched. I believe you could rig something up with JavaScript / Ajax to clear a server-side session (whether you use jsessions or not). And while I've never used jsessions in my apps, I do recall (over the years) hearing people describe sessions ending when browser windows are closed. I'm guessing that feature supports only Internet Explorer though. Is that the browser you were using?

I just tried this again before sending this email and now it appears the vars DO close after a timeout period after the window is closed. Not sure how I got the results above but at one point I had 5 users logged in with only one window open and as long as I refreshed that page all 5 users stayed logged in well after the 30 seconds. I'll try to re-create results and figure out what happened but is there a way to kill the user on window closing?

That's really weird behavior for sure. ColdFusion sessions are tied to a specific server (unless you're clustering or using jsessions with multi-instanced CF) and to a specific browsers cookies. When a browser closes the cookies remain which is why you can open the browser again, go to your Web site and still be logged in. This is normal session behavior for any server-side language and is actually quite helpful for testing. You can have one session running in Firefox and one running in IE or Safari. Why you were seeing 5 sessions with only one browser instance opened is beyond me. I'd have to see your session management / creation code in order to provide any additional answers.

Aaron West's Gravatar
About this post:

This entry was posted by Aaron West on January 7, 2009 at 2:00 PM. It was filed in the following categories: ColdFusion, Aaron Answers, Ajax. It has been viewed 6065 times and has 4 comments.

4 Responses to Aaron Answers: Secure login tutorial and jsessions

  1. Using J2EE sessions does cause the session to end when the browser is closed, because it uses a session cookie (that's session in the browser sense, not the CF sense) as opposed to a persistent cookie with an explicit expiration time/date.

    You can also easily add code to handle the cookies differently so the session is terminated when the browser closes even if you don't use J2EE sessions.

  2. @Matt - Thanks for the comment on the inner workings of J2EE sessions. As far as your last sentence goes, can you provide some examples that might help folks reading this entry?

    I've personally never dealt with any server-side code that tried to clear/expire a session when the browser was closed. I believe the persists attribute of CFCOOKIE is designed to control this behavior though.

  3. This does the trick (use in OnRequestStart() in Application.cfc, or in Application.cfm):
    <cfif StructKeyExists(session, "cfid") AND (NOT StructKeyExists(cookie, "cfid") OR NOT StructKeyExists(cookie, "cftoken"))>
    <cfcookie name="cfid" value="#session.cfid#" />
    <cfcookie name="cftoken" value="#session.cftoken#" />
    </cfif>

  4. Very cool, super simple. Makes perfect sense. Thanks Matt.