Sessions DO NOT expire on browser close

by Mike on October 1, 2007

I have interviewed quite a few people lately for a few positions at my company. An interesting thing that I have noticed is that the majority of people I interview seem to think that session variables ALWAYS expire on browser close. However, in a default CF install, session variables will persist even after a browser is closed and re-opened. This could mean that your users continue to be “logged in” to your application even after they close their browser.

A default ColdFusion installation does not use per-session cookies in the browser; it uses persistent cookies instead. The difference is that per-session cookies are stored in client memory and are destroyed on browser close, whereas persistent cookies are stored on disk and are still available after the browser has been closed and reopened.

There are reasons to use both per-session cookies and persistent cookies, but you should be aware of the difference. In a secure application, users generally expect that their session will end on browser close, so you should be careful to enforce this behavior.

How do I change this???

There are a few ways to accomplish per-session cookie management in your application. One approach is to enable “Use J2EE session variables” in the ColdFusion Administrator, but you can also accomplish this in code. Take a look at this knowledgebase article for an extended explanation. (Try this updated link; it is not the same article, but it is a good explanation: Adobe KB.)
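
One way to do this in code, as an added example (not taken from the original post or the Adobe article): an Application.cfc that stops ColdFusion from writing its default persistent CFID/CFTOKEN cookies and re-issues them without an expiry, so the browser treats them as per-session cookies. The application name and the 20-minute timeout are assumptions.

```cfml
<cfcomponent output="false">

    <!--- Assumed application name and idle timeout; adjust for your app --->
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 20, 0)>

    <!--- Stop ColdFusion from sending CFID/CFTOKEN automatically.
          The automatic cookies are the persistent (on-disk) ones. --->
    <cfset this.setClientCookies = false>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Re-issue the session identifiers ourselves. Omitting the
              "expires" attribute makes these browser-session cookies,
              which the browser discards when it is closed. --->
        <cfcookie name="CFID" value="#session.CFID#">
        <cfcookie name="CFTOKEN" value="#session.CFTOKEN#">
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Clean up browsers that still hold the old persistent cookies:
              re-send the values they already have, this time with no expiry. --->
        <cfif structKeyExists(cookie, "CFID") AND structKeyExists(cookie, "CFTOKEN")>
            <cfcookie name="CFID" value="#cookie.CFID#">
            <cfcookie name="CFTOKEN" value="#cookie.CFTOKEN#">
        </cfif>
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

This only changes how long the browser keeps the identifier; the server-side session still lasts until its idle timeout, so keep `sessionTimeout` short and clear the session scope on explicit logout.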

2 Comments
  1. Jan van Hellemond

    I think it is important to differentiate between sessions and the cookies that identify them. Even though the browser destroys per-session cookies when it closes, the session lives on until its idle timeout limit has been reached. The session itself is unaware of the methods used to identify it, being per-session cookies, persistent cookies or URL variables.

  2. Fernando S. Trevisan

    The link to the knowledge base is broken :\

    BTW, great post, people should surely be aware of it! I’m so used to my CF installs with J2EE variables that I tend to forget about it when using other installs…