Hi.
I do have a very simple app. It only outputs the session open in that app.
In Application.cfc I do a login, and it works OK.
Also, for test purposes, the session times out at 10 seconds.
When the session expires (after 10 seconds), I can see that my session variables get deleted as expected (I see that in another browser, to make sure the session has really expired), and I would also expect the logged-in user to be logged out, which doesn't happen.
I tested the same app with ACF 2023, and it works. The user is logged out after 10 seconds.
I must say, the login storage is in cookie, not session. But this works on ACF.
I looked in the Lucee code and I think I should see a reference to clearRemoteUser() somewhere, but I can't find anything related to that in session end.
P.S.: Sessions expire in 10 seconds, but onSessionEnd() only gets called after a minute or so, no matter what I do.
It sounds like you’re using cflogin. Many never touch that. That’s what the loginstorage relates to.
Do you have a compelling reason to set that to cookie? Why not leave it as session? And does it really matter if it takes a minute for the timed out session to be removed?
Certainly, if someone DOES manually logout, you could call cflogout which is immediate. Many often call structclear(session) on logout, though there may be things stored by the app in the session other than just login status, so be careful.
Or are your questions really more academic, wondering mostly why/how Lucee is different? Do beware it doesn’t claim complete compatibility with acf (let alone any specific cf version).
And this points out how such “timing of removal of expired sessions” is one of those things that most would never know or care about, and about which the Lucee team might not feel was worth documenting.
Or maybe it is, somewhere… or only in the code, for those with the motivation to find it.
Often such topics only get discussed here, so at least might be found by someone doing searches.
Worse, such insights might only be discussed in the cfml slack, and after 90 days…poof, the knowledge exchange is gone, known only to those who happened to be watching the river as the boat with a big sign floated by.
By Lucee default, this.loginStorage is set to cookie. This works in ACF.
In Lucee, if the user forgets about the website, the session ends (and so do some variables needed by my website), but the user is still logged in (so the user can enter and get a bunch of errors). Not in ACF. ACF gets the cookie and checks if it is still valid somehow. So in ACF, if the session times out, you are out as well. Not in Lucee.
But in the docs, it says that the user is logged out when the session ends.
@rodriciru, only one paragraph of my reply was about manual logout. I offered that for additional context. The rest understood your focus was about expired sessions/“forgotten” logout.
Anyway, thanks for clarifying your additional experience with things, and to Zac for his about the prospects. Again, perhaps future readers using cflogin will find this discussion.
ok, one thing to keep in mind, sessions are purged by a background controller thread every 60s or so, so when testing with a short session expiry, it’s confusing
that’s why I added this for our unit tests which all use short sessions
It is likely that Lucee, as well as Adobe Coldfusion, manages the cookie scope, the client scope and the session scope differently. An event may occur in one of these scopes, but not necessarily have any consequence in the other two. I should have mentioned this in my last post.
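One way to make an expired session also end the cflogin login while loginStorage stays on cookie, as an added example that is not code from any poster or from Lucee. The application name, the session.authUser key and the markLoggedIn() helper are hypothetical, and the sketch assumes the application's existing cflogin block calls markLoggedIn() right after cfloginuser.

```cfml
<!--- Application.cfc (added example; session.authUser and markLoggedIn() are hypothetical names) --->
<cfcomponent output="false">
    <cfset this.name = "loginSessionDemo">
    <cfset this.sessionManagement = true>
    <!--- 10-second timeout, as in the test described in the thread --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 0, 10)>
    <cfset this.loginStorage = "cookie">

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- The login cookie still authenticates, but the session that held
              the application's data expired and was replaced by a fresh one
              (or belongs to a different user): end the login as well. --->
        <cfif len(getAuthUser()) and
              (not structKeyExists(session, "authUser") or session.authUser neq getAuthUser())>
            <cflogout>
        </cfif>
        <!--- The application's existing <cflogin> block goes here; after the
              <cflogout> above it runs again and asks for credentials. --->
        <cfreturn true>
    </cffunction>

    <!--- Call right after <cfloginuser name="..."> with the same name, so
          that the session records which login it belongs to. --->
    <cffunction name="markLoggedIn" returnType="void" output="false">
        <cfargument name="userName" type="string" required="true">
        <cfset session.authUser = arguments.userName>
    </cffunction>
</cfcomponent>
```

Because the check runs on the next request rather than in onSessionEnd(), it does not depend on when the background thread purges the expired session.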