SessionInvalidate for JEE Sessions

Description

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

    if (!isNull(getPageContext().getSession())) {
        getPageContext().getSession().invalidate();
    }

We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request.

https://www.petefreitag.com/item/913.cfm
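
A logout helper built on the approach described above, as an added example that is not part of the original issue or of Lucee's own code. The function name invalidateAllSessions and its return struct are hypothetical.

```cfml
<cfscript>
// Added example: hypothetical helper, not Lucee or ACF code.
// Ends both the CFML session (CFID/CFTOKEN) and the underlying
// JEE session (JSESSIONID) for the current request.
struct function invalidateAllSessions() {
    var result = { cfml: false, jee: false };

    // Guarded because a comment on this issue reports a problem when
    // sessionInvalidate() is called before the session is initialised.
    try {
        sessionInvalidate();
        result.cfml = true;
    } catch (any e) {
        // No CFML session could be invalidated on this request.
    }

    // getSession() can return null when no JEE session is associated
    // with the current request.
    var jeeSession = getPageContext().getSession();
    if (!isNull(jeeSession)) {
        try {
            jeeSession.invalidate();
            result.jee = true;
        } catch (java.lang.IllegalStateException e) {
            // HttpSession.invalidate() throws this when the session
            // has already been invalidated.
        }
    }

    // Callers can log the result to confirm which sessions were ended.
    return result;
}
</cfscript>
```

Calling this at logout, or when something malicious is detected, and logging the returned struct gives a record of whether the JSESSIONID-backed session was actually ended along with the CFML one.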

Activity

Zac Spitzer 
25 February 2025 at 17:17

oh, ok. different behaviour with cfml sessions?

Pothys - MitrahSoft 
25 February 2025 at 15:01

This issue occurs when I try to trigger the sessionInvalidate() function before initializing the session on the page

Zac Spitzer 
25 February 2025 at 11:22

hmmm, works for me, here’s my sample (the session timeout previously was only 1 sec, which was confusing)

start.cfm

then invalidating the session?

Tomcat 10.1, java 21, Lucee 6.2.1.37

Pete Freitag 
31 January 2025 at 17:38

Yeah, I never really understood why ACF didn’t just invalidate the JEE session. My best guess is that they assumed you might have a Java app also using the session. But I really can’t think of any scenario where I call sessionInvalidate that I don’t want to fully destroy the session across all apps. Only reasons people call it are when:

  1. Logout

  2. Something malicious detected

Created 29 January 2021 at 21:37
Updated 27 March 2025 at 05:57