How to reset session variables

不打扰是莪最后的温柔 submitted on 2020-06-12 15:27:58

Question


I'm developing an app. in CF10. It's been decided that this app. will be opened through a link that is created in a dot net app. Users log in & out through the dot net application in order to see the link. When users click on that link they can access the CF application.

This link passes a user id. I'm using this user id to create session.userid in onSessionStart at application.cfc:

  <cfset session.userid = #Trim(URL.userid)#> 

The problem is, when I log out and log back in as a different user, my previous session.userid still exists. So I have two different session.userids. In order to avoid this I thought I could do the following:

In onSessionStart at application.cfc, I start with the sessionInvalidate function:

   <cfset sessionInvalidate() />
   <cfset session.userid = #Trim(URL.userid)#>

I thought that every time the application starts, ColdFusion has to run through application.cfc, so the sessionInvalidate function will clean out the existing session.userid and then a new one is created, so if I log in and out as different users from the same computer the application still maintains one session.userid. But unfortunately this approach does not work! I still get the older session while the new session is not created!

What is the best approach to my situation if I can't do it using this logic? Should I re-set session.userid in index.cfm instead?


Answer 1:


onApplicationStart() only runs the first time the application is run. You should be running sessionInvalidate() as part of your log out process. If that is run correctly, there should be no ColdFusion session variables defined by the previous user ID.

You definitely don't need to run it at the top of onSessionStart(). That function does exactly what it's named to do: "run these processes when a new session starts".

Read more in the CF 10 docs.

You can end a session like this:

<cfset StructClear(Session)>

or like this if you're using J2EE sessions:

<cfset getPageContext().getSession().invalidate()>

Although, I'm sure the first example is essentially what sessionInvalidate() does.

Also, is this application only accessible via your internal network? So only people from your company can access it? If not, you need to look into implementing a more robust Single Sign On process to bridge access to this one from your other site.
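
As an added example (not part of the question or of either answer): an Application.cfc that applies the lifecycle point above by checking the incoming id in onRequestStart, which runs on every request, and resetting the session when the user changes. The application name, the numeric-id check and the use of ColdFusion (non-J2EE) sessions are assumptions, and the id from the link is still trusted as in the question's design.

```cfml
<!--- Application.cfc: added example, not the asker's or the answerers' code --->
<cfcomponent output="false">
    <cfset this.name = "exampleLinkedApp"> <!--- hypothetical application name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Runs once per new session only, so it cannot notice a later user switch. --->
    <cffunction name="onSessionStart" returntype="void" output="false">
        <cfset session.userid = "">
    </cffunction>

    <!--- Runs on every request: compare the id in the link with the one in the session. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var incoming = "">
        <cfset var key = "">
        <cfif structKeyExists(url, "userid")>
            <cfset incoming = trim(url.userid)>
            <!--- Assumption: user ids are numeric; reject anything else. --->
            <cfif NOT isValid("integer", incoming)>
                <cfthrow type="InvalidUserId" message="userid must be numeric">
            </cfif>
            <cfif NOT structKeyExists(session, "userid") OR session.userid NEQ incoming>
                <!--- Drop the previous user's data but keep ColdFusion's own session keys. --->
                <cfloop list="#structKeyList(session)#" index="key">
                    <cfif NOT listFindNoCase("cfid,cftoken,sessionid,urltoken", key)>
                        <cfset structDelete(session, key)>
                    </cfif>
                </cfloop>
                <cfset session.userid = incoming>
                <!--- Issue a new session id and retire the old one (CF10+). --->
                <cfset sessionRotate()>
            </cfif>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```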




Answer 2:


With my log out sequence I run 2 separate session destroyers. This way I know the session is destroyed.

<cfset structClear( session ) />
<cfset sessionInvalidate()/>

I am running CF11 and this works beautifully when my customers log out of my web application.

As for the CFLOCK, whether you use it depends on your version of CF. It's been deprecated in CF11, and when I went to CF11, having it broke my application.



Source: https://stackoverflow.com/questions/30654700/how-to-reset-session-variables
