ColdFusion MX 7 Login Security (Page 11 of 13)

The logout.cfm Template

<!--- Step 1 and 2: remove this user from the Application-scope session tracker and decrement the counter --->
<cflock name="lck_currentSessions" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
   <cfset sessionPosition = ListFind(ArrayToList(Application.sessionData),
   <cfif sessionPosition neq 0>
      <cfset ArrayDeleteAt(Application.sessionData, sessionPosition)>
      <cfset Application.currentSessions = Application.currentSessions - 1>
   </cfif>
</cflock>

<!--- Step 3: delete the user's session structure --->
<cflock scope="SESSION" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
   <cfset clearStruct = StructDelete(Session, "User")>
</cflock>

<!--- Redirect; onRequestStart in Application.cfc intercepts this request --->
<cflocation url="index.cfm">

When the user clicks the logout link in the index.cfm template, the code above executes. To successfully log a user out of the application there are three things we need to do. First, we must remove the user from the session tracker configured in the Application scope. This is accomplished by finding the array position corresponding to the user and deleting that element of the array. Second, we must decrement the value of the Application.currentSessions variable. Finally, we delete the user's session structure and redirect the user to the index.cfm template. However, the index.cfm template is not actually run. Why? When the page request for the redirect runs, the first thing that happens is the execution of the onRequestStart method of the Application.cfc. The last block of this method catches our now-undefined session and, instead of loading index.cfm, loads the login form.

All of this session tracking code is wrapped in a named CFLOCK. Does this look familiar? It should: the named lock here is the same one used in the onRequestStart method of our Application.cfc. Having both of these blocks (which access the same resources) wrapped in the same named lock ensures they are thread-safe with respect to each other. You may still find yourself wondering why an Application scope lock is not used here. The reason is the last piece of this entire puzzle - how session timeouts are handled.
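To make the locking argument concrete, here is an added example (not code from the tutorial) that models the session tracker in Python: one lock plays the role of the named CFLOCK lck_currentSessions and guards both the session list and the counter, the three logout steps run as one atomic unit, and the `sessionPosition neq 0` guard is what keeps a repeated logout (double-click, stale tab, or a session already purged) from decrementing the counter twice. The login page name `login.cfm` and the `register` helper are assumptions; the tutorial only says "the login form" and does not show the registration side.

```python
import threading


class SessionTracker:
    """Python model of the tutorial's Application-scope session tracker
    (Application.sessionData plus Application.currentSessions), guarded by a
    single lock that plays the role of the named CFLOCK lck_currentSessions."""

    def __init__(self):
        # One lock for BOTH the list and the counter: they must change together,
        # otherwise the counter can drift away from the list length.
        self._lock = threading.Lock()
        self.session_data = []       # models Application.sessionData
        self.current_sessions = 0    # models Application.currentSessions

    def register(self, session_id):
        """Assumed model of the onRequestStart bookkeeping that adds a session."""
        with self._lock:
            if session_id not in self.session_data:
                self.session_data.append(session_id)
                self.current_sessions += 1

    def remove(self, session_id):
        """Model of the logout.cfm lock block: ListFind, ArrayDeleteAt, decrement.
        Returns True if the session was tracked and removed, False otherwise."""
        with self._lock:
            if session_id not in self.session_data:      # sessionPosition eq 0
                return False                              # nothing to remove
            self.session_data.remove(session_id)          # ArrayDeleteAt
            self.current_sessions -= 1
            return True

    def is_consistent(self):
        """The invariant the lock protects: counter == number of tracked sessions."""
        with self._lock:
            return self.current_sessions == len(self.session_data)


def logout_request(tracker, session, session_id):
    """Model of the whole logout.cfm request: tracker update, session struct
    cleanup (StructDelete(Session, "User")), then the redirect target."""
    tracker.remove(session_id)
    session.pop("User", None)
    return "index.cfm"


def on_request_start(session, requested_page, login_page="login.cfm"):
    """Model of the tutorial's onRequestStart check: a request with no
    Session.User gets the login form instead of the page it asked for.
    The file name login.cfm is an assumption, not from the tutorial."""
    if "User" not in session:
        return login_page
    return requested_page


def concurrent_logouts(tracker, session_id, workers=50):
    """Fire many simultaneous logouts for one session id and return how many
    succeeded. Because find-delete-decrement is atomic under the shared lock,
    exactly one succeeds and the counter drops by exactly one."""
    results = []
    results_lock = threading.Lock()
    barrier = threading.Barrier(workers)   # release all workers at once

    def worker():
        barrier.wait()
        ok = tracker.remove(session_id)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


if __name__ == "__main__":
    tracker = SessionTracker()
    tracker.register("A")
    tracker.register("B")
    print("successful logouts for A:", concurrent_logouts(tracker, "A"))
    print("currentSessions:", tracker.current_sessions, "consistent:", tracker.is_consistent())
    sess = {"User": {"name": "constructed-user"}}
    target = logout_request(tracker, sess, "B")
    print("redirect to", target, "-> served:", on_request_start(sess, target))
```

The point to take from the model is the one the tutorial makes: the list and the counter are one logical resource, so any code path that touches either (the request handler, the logout template, and the timeout handling the next page covers) must take the same lock, or the counter stops meaning anything.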