Vineesh

Reputation: 3782

Using multiple SessionTimeout in ColdFusion

I have an application which has different types of users. I need to set sessionTimeout based on user type. For example admin 30 minutes, user 10 minutes. To do this, I gave a default sessionTimeout of 30 minutes in application.cfc

<cfcomponent output="false" extends="org.corfield.framework">   
    <cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />
    <cfset this.sessionManagement = true />
    <cfset this.sessionTimeout = createTimeSpan(0,0,30,0) />
    .............
    ............

</cfcomponent>

When I dump the application variables I can see sessionTimeout is 600, which is correct. Now in the onRequestStart method, I wrote code to check the logged-in user type and set the sessionTimeout accordingly.

<cfif StructKeyExists(session,"user") AND ListLast(CGI.HTTP_REFERER,"/") EQ "login.cfm" >
    <cfif session.user.userType EQ "GSA">
        <cfset this.sessionTimeout = createTimeSpan(0,0,10,0) />
    </cfif>
</cfif>

After this, when I dump the application variables, sessionTimeout is shown in days, not in seconds. Also, the session is not ended after 10 minutes. Can someone help with this? How can I implement two different sessionTimeout values in an application? Also, why is sessionTimeout shown in days instead of seconds once I set it again?

Upvotes: 2

Views: 1300

Answers (4)

Hedge7707

Reputation: 567

I don't believe there is any way to modify this scope metadata from inside one of these functions: onApplicationStart, onSessionStart or onRequestStart. Meaning you can't set this.sessionTimeout in any of those methods.

I was recently looking into this: ColdFusion 11: Changing Application "this" Scope metadata from different functions in extended Application.cfc. However, metadata is set for every request made by ColdFusion. Meaning you can try an approach like the one mentioned in this article by Ben Nadel, and move the logic that sets the timeout out of onRequest() and onto the this scope and try creating dynamic session timeouts.

Delaying ColdFusion Session Persistence Until User Logs In

You are probably going to have to get creative in figuring out which user is logging in at that point though. (Even if authentication occurs later ... any harm in setting a timeout?)

Upvotes: 1

Snipzwolf

Reputation: 563

I've used this in Railo but I think it applies to ColdFusion too.

getPageContext().getSession().setMaxInactiveInterval(javaCast("int", 60));

It basically sets the session timeout value of the currently running request to 60 something (I can't remember if it's in minutes or seconds).

Upvotes: 0

Jeff

Reputation: 221

Here is one method you can use. It's kind of creating your own session management client side, but it would allow for custom session timeouts per user role. Create a timestamp in the session scope that is initially set to the current time a user logs on to your app. In your app's client JavaScript, create a timer that calls a function every minute or so that in turn calls a server-side function to see how much time has elapsed since the last recorded timestamp for that user. If the time elapsed reaches the maximum allowed for that user's role, use the JavaScript function to log out the user.
With this method you reset the timestamp each time the user "interacts" with the app (runs a script, calls a cfc library function, etc.), such that the user does not get logged out while actively using the app. The user is only logged out after "x" minutes of inactivity that you define, and the function you call on the server side can further define what that number is per user role.

Upvotes: 0
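
The inactivity check described in the answer above, enforced on the server in a stand-alone Application.cfc, as an added example that is not part of the original answer or thread. The application name, the idle limits, `session.lastActivity`, the `sessionCheck.cfm` polling page and the redirect target are assumptions; `sessionInvalidate()` requires ColdFusion 10 or later.

```cfml
// Application.cfc (added example, script syntax)
component output="false" {

    this.name = "roleTimeoutDemo";          // assumed application name
    this.sessionManagement = true;
    // The engine-level timeout stays at the longest limit any role may have;
    // shorter per-role limits are enforced in onRequestStart below.
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // Idle limits in seconds per session.user.userType (assumed values).
    variables.idleLimits = { GSA = 600 };
    variables.defaultIdleLimit = 1800;

    public boolean function onRequestStart(required string targetPage) {
        if (!structKeyExists(session, "user")) {
            return true;                    // nobody logged in, nothing to enforce
        }

        var userType = session.user.userType;
        var limit = structKeyExists(variables.idleLimits, userType)
            ? variables.idleLimits[userType]
            : variables.defaultIdleLimit;

        // Expire the session once the role's idle limit has been exceeded.
        if (structKeyExists(session, "lastActivity")
                && dateDiff("s", session.lastActivity, now()) > limit) {
            sessionInvalidate();
            location(url="login.cfm", addToken=false);   // aborts the request
        }

        // Only real user activity refreshes the timestamp. The client-side
        // polling request (hypothetical sessionCheck.cfm) must not, or the
        // timer would keep an idle session alive forever.
        if (listLast(arguments.targetPage, "/") != "sessionCheck.cfm") {
            session.lastActivity = now();
        }
        return true;
    }
}
```

Because the check runs on every request, the limit holds even if the browser never runs the JavaScript timer; the timer then only decides when the user is shown the login page.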

James A Mohler

Reputation: 11120

Session timeouts are common for all users. The timeout duration is set application-wide when the first request comes.

I think the short answer is, you cannot set two different session timeout durations.

Upvotes: 0
