Reputation: 6357
At the time of login, the ColdFusion server assigns me a CFID and a CFTOKEN. Later on, using those CFID and CFTOKEN, how can I check if my session still exists or not?
In other words, I want a function that will take CFID and CFTOKEN and will tell if the session related to those CFID and CFTOKEN still exists or not.
Thanks
Upvotes: 2
Views: 5896
Reputation: 4446
There is nothing wrong with Chris' answer, and it is usually the standard norm when checking for sessions.
These two cookies are meant to "link" your browser with your session, not to actually maintain that session (in fact, I believe these cookies are set to expire in 30 years(?) and are even ignored if you're using J2EE session management, if I'm not mistaken). From the docs:
To use client and session variables, ColdFusion must be able to identify the client. It normally does so by setting the following two cookie values on the client’s system:
CFID: A sequential client identifier
CFToken: A random-number client security token
These cookies uniquely identify the client to ColdFusion, which also maintains copies of the variables as part of the Session and Client scopes.
As you can read here, Ben Nadel did some playing around with CFID and CFTOKEN where CF used the same CFID and CFTOKEN cookies to create NEW sessions after it had expired.
As for your 'ColdFusion Proper' way, you could look into using CFLOGIN and other security tags, which are meant to assist in handling authentication, but I don't believe many people use it because maintaining your session is very easy, as Chris demonstrated.
Upvotes: 1
Reputation: 2178
The easiest way to achieve this would be to set a flag in the session when your user logs in.
For example:
<cfset session.loggedin = true />
Then, when you want to check if the user still has a valid session, you can do:
<cfparam name="session.loggedin" default="false" />
<cfif NOT session.loggedin>
<!--- do something here --->
</cfif>
Upvotes: 10
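The two answers combined, as an added example that is not part of either answer: an Application.cfc sketch in which the login flag is reset whenever ColdFusion starts a session, so a browser that presents old CFID/CFTOKEN cookies after a timeout gets a fresh, logged-out session. The application name, timeout, page paths and the function names hasLoginFlag, markLoggedIn and logout are assumptions; sessionRotate() and sessionInvalidate() require ColdFusion 10 or later and do not apply to J2EE sessions.

```cfml
// Application.cfc (added example; names, timeout and paths are assumptions)
component {
    this.name = "exampleApp";                            // hypothetical application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);   // 30 minutes, assumed value
    this.setClientCookies = true;                        // CF issues the CFID / CFTOKEN cookies

    // Fires each time ColdFusion starts a session, including when a browser
    // sends CFID/CFTOKEN cookies whose earlier session has already timed out.
    public void function onSessionStart() {
        session.loggedin = false;
    }

    // The check lives in server-side session state, not in the cookies:
    // a valid-looking CFID/CFTOKEN pair says nothing about login status.
    public boolean function hasLoginFlag() {
        return structKeyExists(session, "loggedin") && session.loggedin;
    }

    // Call only after the credentials have been verified (not shown here).
    public void function markLoggedIn(required string userId) {
        sessionRotate();                 // new identifiers for the authenticated session
        session.userId = arguments.userId;
        session.loggedin = true;
    }

    public void function logout() {
        sessionInvalidate();             // discard the session and its data
    }

    // Gate every request on the flag; login.cfm is the only public page here.
    public boolean function onRequestStart(required string targetPage) {
        var publicPages = ["/login.cfm"];                // hypothetical paths
        if (!arrayFindNoCase(publicPages, arguments.targetPage) && !hasLoginFlag()) {
            // addToken=false keeps CFID/CFTOKEN out of the redirect URL
            location(url="/login.cfm", addToken=false);
        }
        return true;
    }
}
```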