Ending a SESSION on Browser Close

Best Practices, ColdFusion

This is something that has come up a few times recently so I thought I'd write this up. I'm not saying that this is how we should do this, but merely offering these as options to consider. If anyone else has had experience of this then please feel free to comment.

NOTE: I have also consulted with Ray Camden and Ben Nadel on this, so I have borrowed some of the text from their responses.


WHAT ARE WE TRYING TO DO?

What we are trying to do is create a "Session-Cookie". This is a cookie that exists for as long as the browser stays open, but expires the moment that the browser is closed. This will allow the session to "End" when the user closes the browser.

Be CAREFUL about what this means!

This does not actually mean that the SESSION ends; it does NOT actually mean that the OnSessionEnd() method gets called. This simply means that the next time the user opens the browser, their existing session will not be picked up (if it has not yet timed out). Session-only cookies ONLY disable the browser's ability to handshake with the old SESSION, nothing more.

If you are concerned about the SESSION ending on the server and the calling of OnSessionEnd(), you can't really force that. The COOKIE expiration takes place on the client; the SESSION expiration takes place on the server. So how do we overcome this?


USING J2EE SESSION MANAGEMENT

Firstly, the simplest solution is to enable J2EE Sessions in the CF Admin. This should force you to get a new session when you close the browser and re-open it.

The only problem with this is that on the Adobe Livedocs it mentions the following:
"The J2EE session automatically ends when the user closes all browser windows."
Meaning that a new SESSION is spawned - but the existing SESSION still lives until timeout???

If the browser is closed, the JSESSIONID changes on every return to the page but on inspection of the "coldfusion.runtime.SessionTracker" the previous SESSION still exists.

This is similar to setting the CFID and CFTOKEN cookies to expire on browser close, as below. This was logged as a bug back in 2005, so I'm not sure what the status of this currently is.


USING COLDFUSION SESSION MANAGEMENT

In order to set the SESSION cookies yourself, you first have to turn OFF the automatic setting of "client cookies" in the Application.cfc:












Then, once that is done, you have to set the Session-Scoped SESSION data into the cookies with NO expiration:














By leaving out the "expires" attribute, the browser will create a session-only cookie and therefore a single-browser SESSION.
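The two steps described above, written out as a minimal Application.cfc. This is an added example, not the author's original code; the application name, the 20-minute timeout and the log file name are assumptions.

```cfml
<cfcomponent output="false">

    <!--- Application settings (name and timeout are assumed values) --->
    <cfset this.name = "SessionCookieDemo" />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0) />

    <!--- Step 1: stop ColdFusion from writing its own persistent
          CFID / CFTOKEN cookies on the first request --->
    <cfset this.setClientCookies = false />

    <cffunction name="onSessionStart" access="public" returntype="void" output="false">
        <!--- Step 2: write the session identifiers ourselves. With no
              "expires" attribute the browser keeps them in memory only
              and discards them when it is closed.
              On ColdFusion 9 or later, httponly="true" can be added to
              both tags to keep the identifiers away from page script. --->
        <cfcookie name="CFID" value="#session.cfid#" />
        <cfcookie name="CFTOKEN" value="#session.cftoken#" />
    </cffunction>

    <cffunction name="onSessionEnd" access="public" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true" />
        <cfargument name="applicationScope" type="struct" required="false" />
        <!--- Runs when the server-side session times out, NOT when the
              browser closes. The abandoned session stays in memory
              until then, so the timeout above is what bounds how long
              its identifiers remain valid on the server. --->
        <cflog file="sessionCookieDemo"
               type="information"
               text="Session #arguments.sessionScope.sessionid# ended by timeout" />
    </cffunction>

</cfcomponent>
```

After closing and re-opening the browser, the next request arrives without CFID/CFTOKEN, so onSessionStart runs again and issues a fresh pair; the log entry for the old session only appears once its timeout elapses.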

And that's it. Pretty simple in the end.

This can also be implemented into applications still using the Application.cfm template by simply including the above code in your expressions which handle existing user authentication checks.

The choice of which to use is application-dependent and should be decided BEFORE development, but most of our applications are already using ColdFusion SESSION management.

NOTE: When using tabs in browsers, closing the tab will not work with this; the entire browser must be closed!

If anyone would like to see a demonstration of this working, please feel free to contact me.

Hope this is useful!


3 responses to “Ending a SESSION on Browser Close”

  1. Niall O'Doherty Says:
    Ben Nadel has also posted this on his site:

    http://www.bennadel.com/index.cfm?dax=blog:1131.view

    Niall.
  2. Joshi Says:
    Hi, I would like to see a demonstration of the working of code.
    I was trying to achieve using JSession Id, but it is not working
  3. Niall O'Doherty Says:
    Hi Joshi
    If you're using JSession please refer to the link in my comments to Ben Nadel's post. There are details there about enabling J2EE Sessions and also some sample code that demonstrates using CF Session management.
