Managing Sessions In CF Ajax Applications

Posted By : todd sharp Posted At : April 9, 2008 10:58 AM Posted In: Ajax


Everyone is likely familiar with the standard application logic for managing authenticated sessions with ColdFusion. Typically you do some sort of check inside your Application.cfc file (usually in onRequestStart()), and if the current user is not authenticated (or their session has timed out) you redirect them to a login screen. Nothing new there, but when you think about the nature of an Ajax application you realize that there is a fundamental issue with that concept. What happens if a cfdiv is refreshed after the user's session has timed out? Most likely your cfdiv would then contain the results of the redirection (maybe a login.cfm template), and that may not be the 'prettiest' solution depending on your application.

So I put together a quick application to demo one possible solution. The basic concept is this:

  • Log a timestamp of the last 'hit' by a given user in their session
  • Create a simple facade that looks at the time difference between the last hit and the current time
  • Create an Ajax proxy to query that session facade
  • Make sure the proxy request does not update the 'last hit' - otherwise your session will never time out
  • Run a call to the session facade (via the ajax proxy) on a set interval
  • Evaluate the inactivity period; if it falls in a 'warning' period (say between 15-19 minutes), display a modal window warning the user.
  • If the user chooses to extend the session, ping the session facade which will update the 'last hit' variable.
  • If the inactivity is beyond the session timeout (I usually go with >= 19 minutes), display a modal (non-closable) window telling them the session has timed out

I have a demo online here. If you open the demo and wait longer than a minute you'll be warned. Longer than 2 minutes and you're logged out. Full source is attached to this entry. As always, feel free to post questions/comments.
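The steps listed above, modelled in plain JavaScript as an added example (this is not the source attached to the post). The names SessionFacade, classify, pollOnce and simulate are hypothetical, and a fake clock stands in for real time so the effect of a poll that updates the 'last hit' can be seen directly.

```javascript
// Added example; SessionFacade, classify, pollOnce and simulate are hypothetical names.
const MIN = 60 * 1000;
const WARN_AFTER = 15 * MIN;   // warning period starts (15-19 minutes in the post)
const EXPIRE_AFTER = 19 * MIN; // >= 19 minutes is treated as timed out

class SessionFacade {
  constructor(clock) {
    this.clock = clock;        // injected clock so the model runs without waiting
    this.lastHit = clock();
  }
  // Real page requests and the "extend my session" ping update the last hit.
  touch() { this.lastHit = this.clock(); }
  // The polling proxy only reads; it must never move lastHit.
  inactivityMs() { return this.clock() - this.lastHit; }
}

function classify(inactiveMs) {
  if (inactiveMs >= EXPIRE_AFTER) return "expired";
  if (inactiveMs >= WARN_AFTER) return "warning";
  return "active";
}

// One tick of the interval: ask the facade, then drive the UI.
function pollOnce(facade, ui) {
  const state = classify(facade.inactivityMs());
  if (state === "warning") ui.warn(() => facade.touch());
  if (state === "expired") ui.lockOut();
  return state;
}

// Constructed timeline: an idle user, one poll per minute.
// pollTouches = true models the bug where the poll itself counts as a hit.
function simulate(minutes, { pollTouches = false, userExtends = false } = {}) {
  let now = 0;
  const facade = new SessionFacade(() => now);
  const ui = {
    warn: (extend) => { if (userExtends) extend(); },
    lockOut: () => {},
  };
  const states = [];
  for (let m = 1; m <= minutes; m++) {
    now = m * MIN;
    states.push(pollOnce(facade, ui));
    if (pollTouches) facade.touch();
  }
  return states;
}

console.log(simulate(20).join(" "));
console.log(simulate(20, { pollTouches: true }).join(" "));
```

The modal windows are presentation only; the check in onRequestStart() still has to refuse requests once the session has timed out.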

Comments (9)

Bruce's Gravatar Dude - You ROCK!

todd sharp's Gravatar Thank you sir :) Glad to help.

Trond Ulseth's Gravatar Sweet work Todd!

During the last weeks (and coming weeks) I'm working on an application using the CFajax stuff exclusively. Thanks to the blogging of you, Dan Vega, Ray Camden and a few others the process has been easier than it would have been leaning on the CF docs only.

What you are showing off here is something that was on my "to solve" list. Excellent!!!

Thanx a lot for this, and your other posts on the topic.

Henry's Gravatar That's a lot of pings going back and forth.

on my last cf ajax app, I made use of onbinderror. Just use cfheader to send back an error code when session expired.

Brian's Gravatar Henry,
Can you show a sample of the code?

Brian's Gravatar Todd,
I got your approach to work after I changed the path to the session.cfc (currently index.cfm points to test8...) in your download files.

Also any thoughts on Henry's approach?

Henry Ho's Gravatar Basically, my approach is... if I reuse the example above, when the CFDIV requests something but the user session has been timed out, instead of redirecting to the login page inside the CFDIV, I'd send an error to the CFDIV by sending an error HTTP status code (any non 200 code seems fine), and then use the CFDIV's onbinderror attribute to call a JavaScript function.

In that JS function, I just pop up a CFWINDOW and ask the user to re-login. If you like you can even save the username in the JS when the page was first loaded, and just ask for only the password.

Some of you might find this link interesting: http://www.coldfusionjedi.com/index.cfm/2008/9/8/A...

jlomoglio's Gravatar I tried adding this code into my application and when I run it I get the following error:

The THENAME parameter to the onRequestStart function is required but was not passed in.

I am new to CF and I don't understand the process of what theName is representing.

Jacki's Gravatar I have added a CountDown Timer to your warning window and it is tied to the session.lasthit variable. When it is displayed after the YES has been selected the next time it appears, I have noticed that the session.lasthit has not been updated to the new NOW() time.

It looks like the sessions.cfc is not resetting the session.lasthit variable... Am I missing something or is it impossible to test the actual session.lasthit reset after the YES is selected by the user??? Please HELP I'm new to AJAX stuff.