Status/Resolution/Reason: Closed/Won't Fix/NotWorthEffort
Reporter/Name(from Bugbase): Gary Fenton / Gary Fenton (Gary Fenton)
Created: 02/10/2013
Components: Security
Versions: 10.0
Failure Type: Enhancement Request
Found In Build/Fixed In Build: Final /
Priority/Frequency: Trivial / Unknown
Locale/System: English / Win 2008 Server R2 64 bit
Vote Count: 0
The cflogout tag is not enough to properly end a user's session. Neither is deleting the session scope. If someone logs back into the CF app from the same computer they will inherit the last user's jsessionid.
I propose extending cflogout with a killsession attribute which should do all of the following:
1) Log the user out
2) Delete all session vars
3) Delete session related cookies
4) Remove the session from CF's memory
5) Create a new session with a new jsessionid (otherwise you'll get Session is Invalid messages if the user clicks on something else after logging out).
And cflogin should have an attribute to force a new jsessionid to be generated and assigned during login so it's not the same as the id assigned prior to logging in.
The current techniques to achieve all this are lengthy and require a lot of research on the web. We should just have one powerful tag to do it all. Security is so important.
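The five logout steps and the login-time id rotation described above can already be assembled by hand in CFML. The following is an added illustration written for this page, not code from the reporter or from Adobe; it assumes ColdFusion 10 or later (for the SessionInvalidate() and SessionRotate() functions), an Application with sessionManagement enabled, the default CFID/CFTOKEN/JSESSIONID cookie names, and a hypothetical application.auth.authenticate() helper that returns a role list or an empty string.

```cfml
<!--- logout.cfm: end the session completely (added example, not from the bug report) --->

<!--- 1) Log the user out of the cflogin framework --->
<cflogout>

<!--- 2) Delete all session variables --->
<cfset structClear(session)>

<!--- 3) Expire the session cookies on the client; expires="now" sends a past date.
         Assumes the default cookie names; adjust if the app renames them --->
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
<cfcookie name="JSESSIONID" value="" expires="now">

<!--- 4) Remove the session from the server's memory (CF10+ built-in;
         with J2EE sessions getPageContext().getSession().invalidate() does the same) --->
<cfset sessionInvalidate()>

<!--- 5) Redirect immediately so the next request starts a fresh session with a new id;
         touching the session scope after invalidation in this request would error --->
<cflocation url="index.cfm" addtoken="false">
```

```cfml
<!--- Application.cfc / onRequestStart fragment: rotate the id at login time
      (added example, not from the bug report) --->
<cflogin>
    <cfif isDefined("cflogin")>
        <!--- application.auth.authenticate() is a hypothetical helper that
              returns a role list for valid credentials and "" otherwise --->
        <cfset roles = application.auth.authenticate(cflogin.name, cflogin.password)>
        <cfif len(roles)>
            <!--- Issue a new CFTOKEN/jsessionid before storing any authenticated
                  state, so an id handed out before login is no longer usable --->
            <cfset sessionRotate()>
            <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#roles#">
        <cfelse>
            <cfset request.loginFailed = true>
        </cfif>
    </cfif>
</cflogin>
```

The order matters in both fragments: on logout, the cookies are expired and the server-side session invalidated before the redirect, so neither the browser nor the server keeps a reference to the old id; on login, sessionRotate() runs before cfloginuser, so the authenticated state only ever lives under an id the server generated at authentication time.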
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3498172
External Customer Info:
External Company:
External Customer Name: Gary__F
External Customer Email:
External Test Config: My Hardware and Environment details:
Attachments:
Comments: