Pete Freitag Pete Freitag

SessionInvalidate for JEE Sessions

coldfusionjava

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

if (!isNull(getPageContext().getSession())) {
    getPageContext().getSession().invalidate();
}

We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request.


Like this? Follow me ↯

SessionInvalidate for JEE Sessions was first published on January 22, 2021.

If you like reading about java, session, or j2ee then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

Comments

should Lucee do this by default?
by Zac Spitzer on 01/26/2021 at 11:08:21 PM UTC
bug filed https://luceeserver.atlassian.net/browse/LDEV-3248
by Zac Spitzer on 01/29/2021 at 10:06:08 PM UTC
Thanks Zac, yes I think it should do this by default.
by Pete Freitag on 01/29/2021 at 10:14:39 PM UTC
Great tip, Pete. I think you could simplify the null check on more recent CFML engines using the safe navigation operator:

GetPageContext().getSession()?.invalidate();
by Julian Halliwell on 02/03/2021 at 3:17:50 PM UTC

Post a Comment