Channel: Adobe Community: Message List - ColdFusion
Re: Coldfusion session timing out too soon?

partTimeCrazy wrote:

 

One question though: how does ColdFusion know what is login information to store it in the session?

Ah, I can see where this is coming from. You said earlier,

 

After I log in I set a session variable called userID, and if that userID isn't defined you have to log in again. But I am still using the site, so why do I have to log in again after 45 minutes? Shouldn't it only log me out if I'm not using the site for 45 minutes or more?

Remember the distinction between login and sessions that I mentioned? This is where it comes into play.

 

Login and session do not necessarily have to have the same timeout. A session may outlive a login. Imagine a user being logged in, to perform security-conscious activities on a site, but then continuing with the same session after having been logged out.

 

You should use the login framework, not sessions, to verify whether a user is logged in. I will assume you are using the cflogin and cfloginuser tags for login. See the documentation on cflogin for details on how to implement the tag.

 

<!--- Login timeout = 2700 seconds = 45 minutes --->
<cflogin idletimeout="2700">
    <cfloginuser name="xyz" password="123" roles="admin">
</cflogin>

 

This code instructs ColdFusion to log the user out if he is idle for 45 minutes. Let us then suppose that the user continues to be active. Suppose also that you use the attribute loginStorage="session" in the cfapplication tag.

 

Then ColdFusion will run the cflogin tag the first time, but will skip it on subsequent occasions. ColdFusion will continue skipping it until one of 2 things happens: either it processes the cflogout tag or the session times out (remember that the session stores the login).

 

As long as the user is logged in, the function getAuthUser() will return "xyz". When the user is no longer logged in, the function returns an empty string. The following is therefore a more accurate login test:

 

<cfif trim(getAuthUser()) is not "">
    <!--- Then user is logged in --->
</cfif>
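
The setup described in this reply, put together in one Application.cfc as an added example (not code from the original post). The application name, the rolesFor helper and the inline login form are assumptions; j_username and j_password are the form field names that cflogin reads.

```cfml
<!--- Application.cfc (added example; names and values below are assumptions) --->
<cfcomponent output="false">
    <cfset this.name = "loginDemo">
    <cfset this.sessionManagement = true>
    <!--- Session idle timeout of 45 minutes, matching idletimeout below --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 45, 0)>
    <!--- Keep the login in the session scope, so it ends when the session does --->
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var roles = "">
        <cfif structKeyExists(url, "logout")>
            <cflogout>
        </cfif>
        <!--- The cflogin body runs only while no user is logged in --->
        <cflogin idletimeout="2700">
            <cfif isDefined("cflogin")>
                <cfset roles = rolesFor(cflogin.name, cflogin.password)>
                <cfif len(roles)>
                    <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
                </cfif>
            </cfif>
        </cflogin>
        <!--- Test the login itself, not a hand-set session variable --->
        <cfif trim(getAuthUser()) is "">
            <form method="post">
                User: <input type="text" name="j_username">
                Password: <input type="password" name="j_password">
                <input type="submit" value="Log in">
            </form>
            <cfabort>
        </cfif>
        <cfreturn true>
    </cffunction>

    <!--- Hypothetical credential check: returns a role list, or "" on failure.
          Uses the constructed xyz/123 account from the post; a real application
          would look the user up in its credential store instead. --->
    <cffunction name="rolesFor" returntype="string" access="private" output="false">
        <cfargument name="name" type="string" required="true">
        <cfargument name="password" type="string" required="true">
        <cfif arguments.name is "xyz" and compare(arguments.password, "123") eq 0>
            <cfreturn "admin">
        </cfif>
        <cfreturn "">
    </cffunction>
</cfcomponent>
```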

