Default Security Interceptor: How does it handle an expired session?

Imagine the following scenario:
- An app secured with the help of the default security interceptor
- A user logs into the app
- The user does nothing until the session expires
- The user then refreshes the page, which has a URL with a secured Event
- Instead of being redirected to the Login Page, the view of the Secured Event Page is displayed ...
- This security misbehaviour also occurs if I call cflogout in an onSessionEnd method ...

So the question is: Why does the default security interceptor not redirect properly after a logout caused by an expired session?

Whether it is the default security interceptor or not, you still have to maintain and manage the session yourself. In other words, how would you normally manage a user who is logged in!!

As for using cflogout in onSessionEnd, that is not the right way to do it either; although you could do it this way, I wouldn't recommend it. The security interceptor is just that: an interceptor that allows you to define your own service to then manage the user, check whether the user is still signed in or out, expired or what not.

So my advice is to use the userValidator method that you need to define in the security interceptor to manage the user yourself, and then you can control how and when the session is expired or how and when the user is logged out.

I would be more inclined to use onRequestStart, and before the user is validated check whether the user session is still valid; if not, then remove the data at that point rather than in onSessionEnd().

Regards,
Andrew Scott
http://www.andyscott.id.au/
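One way to follow this advice, as an added example that is not from the thread or from ColdBox itself: a custom validator CFC whose userValidator method (assumed to be called by the ColdBox 3 security interceptor as userValidator(rule, controller) and expected to return a boolean when the interceptor is configured with a validator) treats the session as expired after an idle timeout and clears it, so the interceptor redirects to the login page instead of rendering the secured view. The session keys (user, lastActivity), the timeout value and the component path are assumptions for the example.

```cfml
// Added example: a ColdBox security validator that manages the user session itself.
// Assumed interceptor config: validator = "model.security.SessionValidator"
component name="SessionValidator" {

    // Idle timeout in minutes (example value; pick one that matches your policy)
    variables.idleTimeoutMinutes = 20;

    /**
     * Called by the security interceptor for every request that matches a secured rule.
     * Returns true only when a user is stored in the session AND the session has not
     * been idle longer than the timeout. Returning false makes the interceptor redirect
     * to the login page, so the secured view is never rendered for a stale session.
     */
    public boolean function userValidator(required struct rule, any controller) {
        if ( !isSessionValid() ) {
            clearUser();
            return false;
        }
        // Refresh the activity stamp on every validated request (sliding timeout)
        session.lastActivity = now();
        return true;
    }

    /** True when a user is present and the idle time is below the timeout. */
    public boolean function isSessionValid() {
        if ( !structKeyExists(session, "user") || !structKeyExists(session, "lastActivity") ) {
            return false;
        }
        var idleMinutes = dateDiff("n", session.lastActivity, now());
        return idleMinutes < variables.idleTimeoutMinutes;
    }

    /**
     * Removes the login state from the session. If you also use cflogin, call cflogout
     * here too (script syntax assumed to need ColdFusion 11+; use the tag in older versions)
     * so CF's own login state cannot outlive your session data.
     */
    public void function clearUser() {
        structDelete(session, "user");
        structDelete(session, "lastActivity");
        cflogout();
    }
}
```

Set session.user and session.lastActivity in your login handler after a successful credential check; the same isSessionValid() call can be reused from Application.cfc onRequestStart if you prefer to clear stale data before the interceptor runs.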

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On Behalf Of verlsnake
Sent: Monday, 20 June 2011 1:07 AM
To: ColdBox Platform
Subject: [coldbox:10474] Default Security Interceptor: How does it handle an expired session?
