Question

I have created a ColdFusion login page and Application.cfc file. It seems to work fine but I found a bug or hole that I cannot seem to fix.

It's a three-page form: the login page; a lookup page with date selection and other questions; and an output page. The user logs in and is authenticated. If the session expires on the lookup page, the user is routed back to the login page when they try to submit a query. However, if the session expires they can circumvent the login page by just refreshing the lookup page.

How can I prevent this? What do I have wrong in my code? I'd like any refresh of that lookup page to also direct them to the login page.

<cfcomponent>
    <cfset This.name = "TEST_login">
    <cfset This.Sessionmanagement="True">
    <cfset This.loginstorage="session">
    <!--- Login state is stored in the session, so it is lost when the
          session times out, whatever the cflogin idletimeout below says. --->
    <cfset This.sessionTimeout= CreateTimespan(0,0,1,0) />

    <cferror TYPE="exception" TEMPLATE="error.cfm" MAILTO="email address">

    <cffunction name="onSessionStart">
        <!--- Note: the per-page check further down tests Session.isLoggedIn,
              which is a different key from the one set here. --->
        <cfset session.loggedIn = false>
    </cffunction>

    <cffunction name="OnRequestStart">
        <!--- The first argument is the path of the requested template;
              naming it "request" would shadow the request scope. --->
        <cfargument name="targetPage" type="string" required="true"/>

        <cfif IsDefined("Form.logout")>
            <cflogout>
        </cfif>

        <cflogin idletimeout="1200">

            <!--- The cflogin structure is only defined when credentials
                  (j_username/j_password form fields or HTTP auth) arrive
                  with the request; a re-POST of the login form therefore
                  re-enters the authentication branch below. --->
            <cfif NOT IsDefined("cflogin")>
                <cfinclude template="acc_hgrant_login.cfm">
                <cfabort>
            <cfelse>
                <cfif cflogin.name IS "" OR cflogin.password IS "">
                    <cfinclude template="acc_hgrant_login2.cfm">
                    <cfabort>
                <cfelse>

                    <!--- Bind the credentials with cfqueryparam; interpolating
                          them into the SQL string allows SQL injection. --->
                    <cfquery name="loginQuery" dataSource="cfsource">
                        SELECT username, role
                        FROM users
                        WHERE
                            username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
                            AND password = <cfqueryparam value="#cflogin.password#" cfsqltype="cf_sql_varchar">
                    </cfquery>

                    <cfif loginQuery.recordCount EQ 1 AND loginQuery.role EQ "admin">
                        <cfloginuser name="#cflogin.name#" Password = "#cflogin.password#"
                            roles="#loginQuery.role#">

                        <cfset Session.isLoggedIn = "Yes">

                    <cfelse>

                        <cfinclude template="login3.cfm">
                        <cfabort>
                    </cfif>

                </cfif>

            </cfif>

        </cflogin>
    </cffunction>

</cfcomponent>

On each subsequent page I add

 <cfif not isDefined("Session.isLoggedIn")>

at the top of each page.

However, again, just reloading the 2nd page after a period of time will restart the session even after it expires.

Thanks.


Solution

From your description and without being able to see the code of the loaded page, I can only guess at the issue.

I believe a fuller representation of the issue is:

However, if the session expires they can circumvent the login page by just refreshing the lookup page and answering yes to "would you like to resubmit the form".

The way to fix that is to redirect the page after verifying their credentials and setting their session. A simple version of this is:

                <cfif loginQuery.role EQ "admin">
                    <cfloginuser name="#cflogin.name#" Password = "#cflogin.password#"
                        roles="#loginQuery.role#">

                    <cfset Session.isLoggedIn = "Yes">

                    <cflocation url="#CGI.SCRIPT_NAME#?#CGI.Query_STRING#" addtoken="false">

                <cfelse>

It should be the case that you want to do a cflocation at the end of processing every form submission. The most common counter-instance is when asking a user to correct validation issues with their form, since a re-post of the form will just reload the validation page; it will not update databases, etc.
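As an added example (not code from the question or the answer above), here is a complete Application.cfc that applies the redirect-after-login pattern from the answer together with a single central page guard instead of a `<cfif>` at the top of every page. It assumes templates named login.cfm, lookup.cfm and output.cfm, a login form that POSTs fields named `username` and `password`, a `users` table with a `password_hash` column, a datasource named `cfsource`, and ColdFusion 10 or later for `sessionInvalidate()` and `sessionRotate()`; all of these names are assumptions.

```cfml
<!--- Added example Application.cfc: assumed page names, form fields, table
      columns and datasource; not the code from the question or answer. --->
<cfcomponent>
    <cfset this.name = "TEST_login">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <cffunction name="onSessionStart">
        <!--- A brand-new session is never authenticated, including the one
              ColdFusion creates when a browser returns after a timeout. --->
        <cfset session.isLoggedIn = false>
        <cfset session.username = "">
        <cfset session.role = "">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean">
        <cfargument name="targetPage" type="string" required="true">

        <!--- 1. Logout: drop the session, then send the browser on via GET. --->
        <cfif structKeyExists(form, "logout")>
            <cfset sessionInvalidate()>
            <cflocation url="login.cfm" addtoken="false">
        </cfif>

        <!--- 2. Credential POST: verify, set the session, then REDIRECT.
              The redirect is the fix from the answer: the browser's last
              request for lookup.cfm becomes a GET, so a refresh after the
              session has expired carries no credentials to re-submit. --->
        <cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>
            <!--- SHA-512 is a placeholder (assumption); use a salted, slow
                  password hash such as bcrypt in a real application. --->
            <cfquery name="loginQuery" datasource="cfsource">
                SELECT username, role
                FROM users
                WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
                  AND password_hash = <cfqueryparam value="#hash(form.password, 'SHA-512', 'UTF-8')#" cfsqltype="cf_sql_varchar">
            </cfquery>

            <cfif loginQuery.recordCount EQ 1 AND loginQuery.role EQ "admin">
                <!--- New session id after authentication (session fixation defence). --->
                <cfset sessionRotate()>
                <cfset session.isLoggedIn = true>
                <cfset session.username = loginQuery.username>
                <cfset session.role = loginQuery.role>
                <cflocation url="lookup.cfm" addtoken="false">
            <cfelse>
                <!--- Validation failure: the one case where re-showing the
                      form without a redirect is acceptable, because a re-POST
                      only reloads this same error page. --->
                <cfset request.loginError = "Invalid username or password.">
                <cfinclude template="login.cfm">
                <cfabort>
            </cfif>
        </cfif>

        <!--- 3. Guard every page except the login page itself. After a
              timeout, onSessionStart has reset isLoggedIn, so a refresh of
              lookup.cfm (now a plain GET) lands here and is sent to login. --->
        <cfif NOT session.isLoggedIn AND listLast(arguments.targetPage, "/") NEQ "login.cfm">
            <cflocation url="login.cfm" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The sequence that closes the hole in the question is: POST credentials to any page, authenticate, `cflocation` to lookup.cfm; the browser now holds a GET for lookup.cfm, so when the session times out and the user refreshes, step 2 never runs (no form fields), step 3 sees `session.isLoggedIn` false from `onSessionStart`, and the user is redirected to login.cfm. `addtoken="false"` keeps the session identifiers out of the URL; `sessionRotate()` issues a fresh session id after login so an identifier observed before authentication does not become an authenticated one.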

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow