Hello all....

Please help, I need some input here. I'm trying to develop a
login/authentication/security framework in ColdFusion for some apps I'm
developing. The problems I have run into are with sessions and
browsers. I want the sessions to die when a user closes a browser... or
if at least not die, I don't want the user to be able to get back into
that session. Right now I have it set up so that when a user logs out
I just use <cflogout> and then use structdelete to get rid of the user's
pertinent session variables (LDAP user roles, user name, etc.). That
part works fine... but what I can't seem to get working is when a user
closes the browser and then opens a new one... if I cut and paste the
URL (which includes cfid, cftoken, and jsessionid) and enter it in the
browser, the session variables from the session in the previously closed
browser appear (I validate this through dumping the session).
It seems I had this working before (when a user closed their browser and
opened another and tried to go to a previous session they were given
new session variables, even when passing cfid, cftoken, jsessionid from
a previous browser session), but I started messing around with stuff
and haven't been able to recreate it.
I'm not even sure if it is, but I think this is a security risk... even
though the user is still prompted to log in, and of course wouldn't see
the dumped session variables, isn't it bad that the previous session is
still around?
If I need to elaborate more please say so...
Help guys please, I'm stumped!!