Logging out users

After a user logs in, the ColdFusion user authorization and authentication information remains valid until any of the following happens:

  • The application uses a cflogout tag to log out the user, usually in response to the user clicking a log-out link or button.

  • If your application uses the Session scope for login information, the session ends.

  • If your application does not use the Session scope for login information, the user does not request a new page within the cflogin tag's idleTimeout period.

  • If your application does not use the Session scope for login information, or if you use J2EE-based session identification, the user closes all browser windows.

Logging out a user by using the cflogout tag does not close the user’s session, but if you use session login storage, it does remove the login information (the Session.cfauthorization variable) from the Session scope. For more information on ending sessions, see Ending a session.

Important: If you use web server–based authentication or any form authentication that uses a Basic HTTP Authorization header, the browser continues to send the authentication information to your application until the user closes the browser, or in some cases, all open browser windows. As a result, even after your application calls the cflogout tag to log the user out, the cflogin structure inside the cflogin tag continues to contain the logged-out user's user ID and password until the browser closes. If a user logs out and does not close the browser, another user can access pages with the first user's login.
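The following is an added illustration of the two points above, not code from the ColdFusion documentation: a login block that stores the login in the Session scope and accepts credentials only from the j_username and j_password form fields (so it never depends on a Basic HTTP Authorization header that the browser would keep re-sending), and a logout page that calls cflogout and then clears the rest of the Session scope, since cflogout alone leaves the session alive. The file names, the loginform.cfm page, and the isValidUser() function (assumed to return the user's roles, or an empty string when the credentials are wrong) are assumptions for the example.

```cfml
<!--- Application.cfm (added example; isValidUser() and loginform.cfm are hypothetical) --->
<cfapplication name="logoutExample" sessionManagement="true" loginStorage="session">

<!--- The cflogin body runs only when no user is logged in for this request.
      Credentials are read from the form fields alone, never from cflogin.name,
      so a Basic Authorization header still sent by the browser is ignored. --->
<cflogin idleTimeout="1800">
    <cfset roles = "">
    <cfif isDefined("form.j_username") and isDefined("form.j_password")>
        <cfset roles = isValidUser(form.j_username, form.j_password)>
    </cfif>
    <cfif len(roles)>
        <!--- Stores Session.cfauthorization because loginStorage="session" --->
        <cfloginuser name="#form.j_username#" password="#form.j_password#" roles="#roles#">
    <cfelse>
        <!--- No valid credentials in this request: show the login form and stop --->
        <cfinclude template="loginform.cfm">
        <cfabort>
    </cfif>
</cflogin>

<!--- logout.cfm (added example) --->
<!--- cflogout removes Session.cfauthorization but does not end the session --->
<cflogout>
<!--- Clear the remaining Session scope so no per-user data outlives the logout --->
<cfset structClear(session)>
<cflocation url="loginform.cfm" addToken="false">
```

With this layout, a request that arrives after logout without form credentials falls into the cfelse branch and sees the login form again, regardless of what the browser still sends in its Authorization header.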