2

I have an application which has different types of users. I need to set sessionTimeout based on user type. For example, admin 30 minutes, user 10 minutes. To do this, I set a default sessionTimeout of 30 minutes in Application.cfc:

<cfcomponent output="false" extends="org.corfield.framework">
    <!--- application scope lives for 1 day --->
    <cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />
    <cfset this.sessionManagement = true />
    <!--- engine-wide default: 30 minutes of inactivity --->
    <cfset this.sessionTimeout = createTimeSpan(0,0,30,0) />
    .............
    ............

</cfcomponent>

When I dump the application variables I can see sessionTimeout is 600, which is correct. Now in the onRequestStart method, I wrote code to check the logged-in user type and set the sessionTimeout accordingly:

<!--- only on the first request after login.cfm, and only when a user is in session --->
<cfif StructKeyExists(session,"user") AND ListLast(CGI.HTTP_REFERER,"/") EQ "login.cfm" >
    <cfif session.user.userType EQ "GSA">
        <!--- shorter timeout for this user type: 10 minutes --->
        <cfset this.sessionTimeout = createTimeSpan(0,0,10,0) />
    </cfif>
</cfif>

After this, when I dump the application variables, sessionTimeout is shown in days, not in seconds. Also, the session is not ending after 10 minutes. Can someone help with this? How can I implement two different sessionTimeouts in one application? And why is sessionTimeout shown in days instead of seconds once I set it again?

James A Mohler
Vineesh

4 Answers

1

I don't believe there is any way to modify this-scope metadata from inside one of these functions: onApplicationStart, onSessionStart or onRequestStart. Meaning that you can't set this.sessionTimeout in any of those methods.

I was recently looking into this: ColdFusion 11: Changing Application "this" Scope metadata from different functions in extended Application.cfc. However, metadata is set for every request made by ColdFusion, meaning you can try an approach like the one in this article by Ben Nadel, move the logic that sets the timeout out of onRequest() and onto the this scope, and try creating dynamic session timeouts:

Delaying ColdFusion Session Persistence Until User Logs In

You are probably going to have to get creative in figuring out which user is logging in at that point, though. (Even if authentication occurs later... any harm in setting a timeout?)

Hedge7707
0

Session timeouts are common to all users. The timeout duration is set application-wide when the first request comes in.

I think the short answer is, you cannot set two different session timeout durations.

James A Mohler
  • Are there any tweaks I can do, to achieve this? – Vineesh Jan 16 '18 at 05:15
  • A truly horrible way to do this would be to set a variable in the `session` scope and test and update that variable with each request. You would then have to build your own session checking. OT: When I am asked to build something that makes a system less capable, I usually push back. What is the thing you are trying to protect against? And how is this supposed to solve whatever problem you think might exist? – James A Mohler Jan 16 '18 at 05:21
  • It was a requirement from the client, I was trying to find if any solution is available otherwise I can convince them. – Vineesh Jan 16 '18 at 05:29
  • I know that you are using FW/1. IFF all of the security is handled one way or the other in `application.cfc`, then you are in good shape and it would have a LOE. OTOH, you have to consider that `session`s could be good from the CF point of view BUT not valid from your business logic point of view. – James A Mohler Jan 16 '18 at 05:36
0

Here is one method you can use. It's kind of like creating your own session management client-side, but it would allow for custom session timeouts per user role. Create a timestamp in the session scope that is initially set to the current time when a user logs on to your app. In your app's client JavaScript, create a timer that calls a function every minute or so, which in turn calls a server-side function to see how much time has elapsed since the last recorded timestamp for that user. If the time elapsed reaches the maximum allowed for that user's role, use the JavaScript function to log out the user.
With this method you reset the timestamp each time the user "interacts" with the app (runs a script, calls a CFC library function, etc.), so that the user does not get logged out while actively using the app. The user is only logged out after "x" minutes of inactivity that you define, and the function you call on the server side can further define what that number is per user role.

Jeff
0

I've used this in Railo, but I think it applies to ColdFusion too.

// javax.servlet HttpSession.setMaxInactiveInterval() takes the inactivity limit in seconds
getPageContext().getSession().setMaxInactiveInterval(javaCast("int", 60));

It basically sets the session timeout value of the currently running request to 60 something (I can't remember if it's in minutes or seconds).

Snipzwolf
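Putting the two server-side suggestions together (the last-activity timestamp from Jeff's answer and the `setMaxInactiveInterval()` call from this one), here is an added example in CFScript; it is not code from any of the answers or from the asker's FW/1 application. It keeps the engine-wide `this.sessionTimeout` as the ceiling and enforces a shorter, per-user-type idle limit itself in `onRequestStart`, which is the part a client cannot bypass (a JavaScript timer can only supplement it, since the browser is free to stop the timer). Unlike the question's code it keys on state the login wrote into the session rather than on `CGI.HTTP_REFERER`, which the client controls. Assumptions: `login.cfm` stores the authenticated user in `session.user` with a `userType` key, as in the question; the application name, the `ADMIN` role and the minute values are made up for the example; `sessionRotate()` and `sessionInvalidate()` need ColdFusion 10 or later, or Lucee. The `setMaxInactiveInterval()` argument is seconds, and it governs the CF session only when the engine is configured for J2EE sessions (with classic CFID/CFTOKEN sessions it adjusts the servlet session alone), so the request-level check is what actually ends the 10-minute sessions.

```cfml
// Application.cfc: added example (not code from the answers above).
// Per-user-type idle timeout enforced on the server in onRequestStart.
component output="false" {

    this.name = "roleTimeoutDemo";            // assumed application name
    this.sessionManagement = true;
    // Engine-wide ceiling. The engine can only end a session sooner than the
    // table below, never later, so this must be >= the longest entry.
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Idle limit in seconds per user type. "GSA" is the type from the question;
    // "ADMIN", the default and the numbers are assumptions for this example.
    variables.idleLimitSeconds = { "ADMIN" = 30 * 60, "GSA" = 10 * 60 };
    variables.defaultIdleLimitSeconds = 10 * 60;

    // Seconds of inactivity allowed for a user type (case-insensitive lookup).
    public numeric function idleLimitFor(required string userType) {
        var key = uCase(arguments.userType);
        if (structKeyExists(variables.idleLimitSeconds, key)) {
            return variables.idleLimitSeconds[key];
        }
        return variables.defaultIdleLimitSeconds;
    }

    // First request after login.cfm stored session.user: start the idle clock.
    private void function armRoleTimeout(required string userType) {
        sessionRotate();                      // fresh CFID/CFTOKEN after login; data is copied over
        session.lastActivity = now();
        var limit = idleLimitFor(arguments.userType);
        // Snipzwolf's call, in seconds. With J2EE sessions enabled the servlet
        // HttpSession is the CF session, so this tightens the engine-level limit
        // as well; with CFID/CFTOKEN sessions it only affects the servlet session.
        getPageContext().getSession().setMaxInactiveInterval(javaCast("int", limit));
    }

    // Runs for every request: expire the session ourselves when the user's
    // role-specific idle limit has passed, otherwise refresh the activity stamp.
    public boolean function onRequestStart(required string targetPage) {
        if (!structKeyExists(session, "user")) {
            return true;                      // anonymous: engine default applies
        }
        if (!structKeyExists(session, "lastActivity")) {
            armRoleTimeout(session.user.userType);
            return true;
        }
        var idleSeconds = dateDiff("s", session.lastActivity, now());
        if (idleSeconds > idleLimitFor(session.user.userType)) {
            sessionInvalidate();              // drops session.user and everything else
            location("/login.cfm", false);    // login.cfm is the page from the question
            return false;
        }
        session.lastActivity = now();         // any request resets the idle clock
        return true;
    }
}
```

The check runs per request, so an idle user is logged out on the first request after the limit, not at the exact minute; that is the same inactivity semantics the engine itself uses. To confirm it, log in as a `GSA` user, wait longer than 10 minutes, and the next request should land on `login.cfm` with a new CFID/CFTOKEN, while an `ADMIN` user in the same application stays logged in for up to 30 minutes.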