ColdFusion MX 7 -- Ending a session -- Version 7

Ending a session

The following rules apply to ending a session and deleting Session scope variables:

If you use ColdFusion session management, ColdFusion automatically ends sessions and deletes all Session scope variables if the client is inactive for the session time-out period. The session does not end when the user closes the browser.

If you use J2EE session management, ColdFusion MX ends the session and deletes all Session scope variables when the user closes the browser, or if the client is inactive for the session time-out period. If the session times out, however, the browser continues to send the same session ID, and ColdFusion will reuse this ID for sessions with this browser instance, as long as the browser remains active.

Logging a user out does not end the session or delete Session scope variables.

In many cases, you can effectively end a session by clearing the Session scope, as shown in the following line. The following list, however, includes important limitations and alternatives:

<cfset StructClear(Session)>

Clearing the Session scope does not clear the session ID, and future requests from the browser continue to use the same session ID until the browser exits. It also does not log the user out, even if you use Session scope storage for login information. Always use the cflogout tag to log users out.

If you use J2EE session management, you can invalidate the session, as follows:

<cfset getPageContext().getSession().invalidate()>

This line creates a pointer to the servlet page context and calls an internal method to reset the session. This clears all session information, including the session ID Session scope variables, and if you are using session login storage, the login information, for future request. However, the session information does remain available until the end of the current request. After you invalidate a session, attempts by the browser to access the application will generate an invalid session exception until the session times out.

Note: You cannot destroy the session and create a session on the same request, as creating a new session involves sending session cookies back.

If you do not use client cookies, the Session scope and login state is available to your application only as long as you pass the session's CFID, CFTOKEN, and, for J2EE sessions, jsessionid values in the URL query string. After you stop using these values, however, the session data remains in memory until the session time-out period elapses.

Version 7

Comments

Kronin555 said on Oct 14, 2005 at 7:53 AM :

This statement:
"If you use J2EE session management, ColdFusion MX ends the session and deletes all Session scope variables when the user closes the browser"
is wrong. It gives the impression that immediately upon closing my browser, coldfusion deletes my session variables. Since coldfusion (or jrun in this case, since we're using J2EE session management) doesn't have any _clue_ that I closed my browser, it must wait until the session timeout period elapses. _Then_ the session variables are deleted.

A nitpicky difference, but it's a difference that most people don't get or understand.

ASandstrom said on Oct 14, 2005 at 11:08 AM :

What you say is true about session variables. But, for all intents and purposes, the session ends when the user closes the browser.

mm_202 said on Feb 3, 2006 at 8:19 AM :

They could close their browser, open it, pull up a page from history (that has their url session variables) and effectively continue using their session. So I totally agree with Kronin555.

No screen name said on Jul 24, 2006 at 12:28 PM :

JRUN doesn't need to know when the user closes the browser. The browser is what holds the session information in a cookie. Closing the browser should kill the life of those variables in the cookie on the client machine. Which it does, what it does not do is destroy the session ID as the docs clearly indicate, which if goes unhandled can open up a security hole in your apps. The tricky part is claiming that CF does this, it does not, this is browser behavior.

URL based session variables are not what is being discussed in this document either. We are specificly talking about the Cookie-based Session variables here. The comment about URL session variables does not apply here.

Therefore I agree with ASandstrom and disagree with Kronin and mm_202.

No screen name said on Jan 17, 2007 at 1:17 PM :

Re: Ending a session

This docs page should have the part about StructClear(Session) removed. This is noted in the StructClear() method documentation and also the ColdFusion TechNote 17479.

Current page: http://livedocs.adobe.com/coldfusion/7/htmldocs/00001163.htm