ColdFusion MX 6 Login Security (Page 5 of 6)

At this point, we've covered all five requirements that we outlined at the beginning of the tutorial. However, there is one point we haven't touched on: how do you log users out of the application? Sure, we have code in place that will "automatically" log them out after a period of inactivity (this was accomplished with the CFAPPLICATION tag in Application.cfm), but any good application will give users a way to log themselves out.

If you downloaded the source files for the tutorial, you'll notice two templates I haven't talked about, index.cfm and logout.cfm. Both are simple and self-explanatory, but let's go over them anyhow. The index.cfm template is the main template of our application. For most applications this template will have much more code, including HTML and/or Flash. For our purposes, we only have a few things. First, we display the session variables that were created upon successful login along with a "success" message:

	Index.cfm reached. Login successful!
	<br><br>
	<!--- Read the session values under a read-only lock and display them --->
	<cfoutput>
	<cflock scope="SESSION" throwontimeout="Yes" timeout="5" type="READONLY">
		Session.User.LoggedIn = #session.User.LoggedIn#<br>
		Session.User.Username = #session.User.Username#<br><br>
	</cflock>
	</cfoutput>

Then, we display a simple HTML link that implements the logout functionality:

	<a href="logout.cfm">Click here to log out.</a>

When the user clicks the link - or whatever appropriate button you create - the logout.cfm template is executed. This deletes the session structure we created for user management. Then, we redirect the user to the index.cfm template, but index.cfm is not actually run. Why? After we delete the session.User structure and redirect, the Application.cfm template is executed before index.cfm. The last block of code in this template catches our undefined session and, instead of loading the index.cfm template, redirects to the login form.

	<!--- Delete the login structure under an exclusive lock, then redirect --->
	<cflock scope="SESSION" throwontimeout="Yes" timeout="5" type="EXCLUSIVE">
		<cfset clearStruct = StructDelete(Session, "User")>
	</cflock>
	<cflocation url="index.cfm">
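
The logout round trip described above, written out as an added example (not the tutorial's source files): a logout.cfm that redirects with addtoken="No", followed by a sketch of the Application.cfm guard that the redirected request hits. The template name login.cfm and the variables loggedIn and requested are assumptions, and the two templates share one listing only for readability.

```cfml
<!--- ADDED EXAMPLE: two separate templates shown in one listing. --->

<!--- ===================== logout.cfm ===================== --->
<cflock scope="SESSION" throwontimeout="Yes" timeout="5" type="EXCLUSIVE">
	<!--- StructDelete returns Yes even when the key is already gone,
	      so a repeated logout request is harmless. --->
	<cfset clearStruct = StructDelete(Session, "User")>
</cflock>

<!--- addtoken="No" keeps the CFID/CFTOKEN identifiers out of the redirect
      URL, where they would end up in browser history, proxy logs and
      Referer headers. --->
<cflocation url="index.cfm" addtoken="No">


<!--- ============ Application.cfm, final block ============ --->
<!--- Assumed shape of the check the tutorial describes: runs before every
      requested template, including index.cfm after the logout redirect. --->

<!--- Default to "not logged in" and only flip it when the flag exists. --->
<cfset loggedIn = "No">
<cflock scope="SESSION" throwontimeout="Yes" timeout="5" type="READONLY">
	<cfif IsDefined("Session.User.LoggedIn")>
		<cfset loggedIn = "Yes">
	</cfif>
</cflock>

<!--- Name of the template being requested, e.g. "index.cfm". --->
<cfset requested = ListLast(CGI.SCRIPT_NAME, "/")>

<!--- Skip the check for the login form itself (hypothetical name
      login.cfm); otherwise the redirect would loop forever. --->
<cfif (NOT loggedIn) AND (requested NEQ "login.cfm")>
	<cflocation url="login.cfm" addtoken="No">
</cfif>
```

After logout.cfm deletes Session.User, the browser's follow-up request for index.cfm reaches this guard first, finds no Session.User.LoggedIn, and is sent to the login form without index.cfm ever running.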