SessionInvalidate for JEE Sessions

Description

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

if (!isNull(getPageContext().getSession())) {
getPageContext().getSession().invalidate();
}
We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request

https://www.petefreitag.com/item/913.cfm

Attachments

25 Feb 2025, 11:22 am
25 Feb 2025, 11:22 am
31 Jan 2025, 04:12 pm

Linked work items

relates to

LDEV-4166

onSessionEnd() never triggered using SessionInvalidate()

LDEV-5292

scopeContext.hasExistingCFSessionScope(pc) creates a session

Activity

Zac Spitzer
25 February 2025 at 17:17

oh, ok. different behaviour with cfml sessions?

Pothys - MitrahSoft
25 February 2025 at 15:01

This issue occurs when I try to trigger the sessionInvalidate() function before initializing the session on the page

Zac Spitzer
25 February 2025 at 11:22

@Pothys - MitrahSoft hmmm, works for me, here’s my sample (the session timeout previously was only 1 sec, which was confusing)

start.cfm

then invalidating the session?

Tomcat 10.1, java 21, Lucee 6.2.1.37

Zac Spitzer
11 February 2025 at 14:10

https://github.com/lucee/Lucee/commit/8693070b8cc224dc098b6cc6b700883b1c8049b6

Pete Freitag
31 January 2025 at 17:38

Yeah, I never really understood why ACF didn’t just invalidate the JEE session. My best guess is that they assumed you might have a Java app also using the session. But I really can’t think of any scenario where I call sessionInvalidate that I don’t want to fully destroy the session across all apps. Only reasons people call it are when:

Logout
Something malicious detected

Resize issue view side panel

Details

Assignee

Pothys - MitrahSoft

Reporter

Zac Spitzer

Labels

JEEsessionmanagement

New Issue warning screen

Before you create a new Issue, please post to the mailing list first https://dev.lucee.org

Once the issue has been verified, one of the Lucee team will ask you to file an issue

Fix versions

6.2.1.14

Priority

New

Parent

LDEV-5290 Session Management bugs

Created 29 January 2021 at 21:37

Updated 27 March 2025 at 05:57