tracker issue : CF-3498172


Simple and secure way to logout and end user session


Status/Resolution/Reason: Closed/Won't Fix/NotWorthEffort

Reporter/Name(from Bugbase): Gary Fenton / Gary Fenton (Gary Fenton)

Created: 02/10/2013

Components: Security

Versions: 10.0

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Final /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win 2008 Server R2 64 bit

Vote Count: 0

The cflogout tag is not enough to properly end a user's session. Neither is deleting the session scope. If someone logs back into the CF app from the same computer they will inherit the last user's jsessionid.

I propose extending cflogout with a killsession attribute which should do all of the following:
1) Log the user out
2) Delete all session vars
3) Delete session related cookies
4) Remove the session from CF's memory
5) Create a new session with a new jsessionid (otherwise you'll get Session is Invalid messages if the user clicks on something else after logging out).

And cflogin should have an attribute to force a new jsessionid to be generated and assigned during login so it's not the same as the id assigned prior to logging in.

The current techniques to achieve all this are lengthy and require a lot of research on the web. We should just have one powerful tag to do it all. Security is so important.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3498172

External Customer Info:
External Company:  
External Customer Name: Gary__F
External Customer Email:  
External Test Config: My Hardware and Environment details:



cflogout just clears the user association with the session. If you want to close the session, you should use invalidatesession along with logout.
Comment by Rupesh K.
16374 | September 06, 2013 05:37:22 AM GMT
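The five logout steps the report asks for, plus the id rotation at login, can already be assembled from ColdFusion 10 built-ins. The following is an added example written for this page, not code from the tracker thread or from Adobe; it assumes ColdFusion 10's SessionInvalidate() and SessionRotate() functions (SessionInvalidate() is the "invalidatesession" the comment refers to), the standard CFID/CFTOKEN/JSESSIONID cookie names, and a hypothetical checkCredentials() function.

```cfml
<!--- logout.cfm (constructed example) --->
<cfif structKeyExists(url, "logout")>
    <!--- 1) Drop the user/role association; this is all cflogout does on its own --->
    <cflogout>

    <!--- 2) and 4) Clear every session variable and remove the session from server
         memory. SessionInvalidate() is a ColdFusion 10 built-in. --->
    <cfset SessionInvalidate()>

    <!--- 3) Expire the session cookies on the client so the next request from this
         browser cannot present the old identifiers. CFID/CFTOKEN are used for
         ColdFusion sessions, JSESSIONID when J2EE sessions are enabled. --->
    <cfcookie name="CFID" value="" expires="now">
    <cfcookie name="CFTOKEN" value="" expires="now">
    <cfcookie name="JSESSIONID" value="" expires="now">

    <!--- 5) Redirect. The next request arrives with no valid session id, so CF starts
         a fresh session instead of answering "Session is Invalid". --->
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- login.cfm (constructed example) --->
<cflogin>
    <!--- checkCredentials() is hypothetical: replace with the app's own credential check --->
    <cfif isDefined("cflogin") and checkCredentials(cflogin.name, cflogin.password)>
        <!--- Rotate the session id before associating the user with it, so the
             authenticated session does not keep the id that was issued before
             login (the session fixation concern raised in the report).
             SessionRotate() is a ColdFusion 10 built-in. --->
        <cfset SessionRotate()>
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
    </cfif>
</cflogin>
```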