#1
Cookies / History
I'm trying to make it so that once my user has closed their browser window, no one else can view the same pages.
I'm guessing the cfflush tag would be used at the top and bottom of the page so that even though the page goes to history it is resubmitted to the server every time, therefore requiring the login I have implemented in Application.cfm. In other words the script will cause the browser not to cache the page and therefore when they access it from the history a new request to the server is made.
Last edited by Alas : May 19th, 2004 at 09:54 PM.
#2
CFFLUSH has nothing to do with caching. CFFLUSH simply pushes the contents of the output buffer to the client. You want to look into the HTML META tags.
#3
Using cookies for page permissions seems to work just fine. When they log in, the cookie gives them access to whatever you want; when they log out or close the browser, kill the cookie. If someone tries to access the page, they will be prompted for a username and password because the cookie is not there.
#4
Quote:
#5
Right, but he was asking about after the browser was closed.
#6
Right you are, I missed that part. In the case of a closed browser, you can do as suggested and delete the cookie, or if you don't want to rely on cookies you can append a unique string or identifier (like a UUID) to the URLs and track the user that way. If they don't have the right ID in the URL, they are rejected from the page.
If you handle this using CF's session management, a lot of it would be handled by CF itself.
#7
Thanks for the response, but I was not clear...
My application is going to be used on public computers. What I must prevent is that someone hits the drop-down URL browser button or goes into history and sees...
htp:/www.alasapplication.cfm/TOKEN6474587ID78349 (something like that)
Why? Because if they type that in the browser they will be able to see private info of another person. (Granted, they won't be able to change it since the session has expired, but they will be able to see it.)
I want to somehow resubmit the page to the server every time, therefore preventing showing privy info.
PS. META TAGS? I know CF tags, but not meta tags?
Last edited by Alas : May 20th, 2004 at 06:34 PM.
#8
While I don't think that will happen. If the user has closed their browser and another user tries to use the link in the history to go to that page, I don't think the cache will just show that page. But I'm not 100% sure of this. I would use the META tags that control caching and timeout of the content to be sure.
#9
Have you considered implementation of some sort of security? How private is the information? Is there a reason there can't be a simple login feature to create an extra level of protection?
#10
I think his concern is that the browser will show the cached version of the page if the user pulls it up from the history.
__________________
Ask if you have a question, but also help answer questions that you have knowledge of! Thanks, Brian.
#11
Alas,
First
By default, CF sets a permanent cookie for the client. The first thing you want to do is force the client to 1) set CFID and CFTOKEN as session cookies or 2) convert those permanent cookies into session cookies. Learn the "how to" here: http://www.sys-con.com/story/?storyid=42100
The difference is that a permanent cookie is actually written to the hard drive, and a session cookie is written to memory. When ALL instances of the browser window are closed, then the session cookie is removed from memory. This takes care of your session sharing problem.

Second
You want to prevent the client from caching your pages. You might want to add the following to your pages:

    <cfheader name="Pragma" value="no-cache">
    <cfheader name="cache-control" value="no-cache, no-store, must-revalidate">

Third
Use a session variable as a flag (e.g. session.loggedIn). In Application.cfm, insert something like

    <cfparam name="session.loggedIn" default="0">

When a user logs in, set session.loggedIn to 1. Throughout your application, include something like

    <cfif NOT session.loggedIn>
        <cflocation url="youAreNotLoggedIn.cfm">
    </cfif>

and request the user to log in.

Conclusion
This should take care of any concerns. When all instances of the browser are closed, CFID and CFTOKEN are removed from memory, thus the client no longer has a tie to the session values stored on the server. When the next user comes up, and potentially selects a page through the location bar's history, a non-cached page is displayed, and recognizes that the user is not logged in, thus redirecting him/her to a page that requests him/her to log in. Once the user has logged in, then they should only see data based on session/client variables set for them.
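
The three steps from post #11 combined into a single Application.cfm, as an added example (not code posted by anyone in the thread). The application name alasApp, the 15-minute session timeout, the extra Expires header and the addtoken="no" setting are assumptions; youAreNotLoggedIn.cfm is the page name used in the post.

```cfml
<!--- Application.cfm (added example; names and timeout are assumptions) --->

<!--- setclientcookies="no" stops CF from writing its own persistent
      CFID/CFTOKEN cookies; they are issued by hand below. --->
<cfapplication name="alasApp"
               sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 15, 0)#"
               setclientcookies="no">

<!--- 1. Session cookies: cfcookie without an "expires" attribute is kept
      in browser memory only and is gone once every window is closed. --->
<cfif NOT IsDefined("cookie.CFID") OR NOT IsDefined("cookie.CFTOKEN")>
    <cflock scope="session" type="readonly" timeout="5">
        <cfcookie name="CFID" value="#session.CFID#">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
    </cflock>
</cfif>

<!--- 2. Ask the browser and any proxy not to store the response, so a
      page picked from history is requested from the server again. --->
<cfheader name="Cache-Control" value="no-cache, no-store, must-revalidate">
<cfheader name="Pragma" value="no-cache">
<cfheader name="Expires" value="#GetHTTPTimeString(Now())#">

<!--- 3. Login flag, defaulting to "not logged in". The login handler
      sets session.loggedIn to 1 after checking the credentials. --->
<cflock scope="session" type="exclusive" timeout="5">
    <cfparam name="session.loggedIn" default="0">
</cflock>
<cflock scope="session" type="readonly" timeout="5">
    <cfset isLoggedIn = session.loggedIn>
</cflock>

<!--- 4. Every template except the login page requires the flag.
      The file-name test avoids a redirect loop on the login page itself.
      addtoken="no" keeps CFID/CFTOKEN out of the redirect URL, so the
      session identifiers never appear in the address-bar history. --->
<cfset loginPage = "youAreNotLoggedIn.cfm">
<cfif NOT isLoggedIn AND GetFileFromPath(GetBaseTemplatePath()) NEQ loginPage>
    <cflocation url="#loginPage#" addtoken="no">
</cfif>
```

Because Application.cfm runs before every template in the application, the headers and the login check apply to each page without per-page includes.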