Pete Freitag Pete Freitag

SessionInvalidate for JEE Sessions

Published on January 22, 2021
By Pete Freitag

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

if (!isNull(getPageContext().getSession())) {

We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request.

java session j2ee

SessionInvalidate for JEE Sessions was first published on January 22, 2021.

If you like reading about java, session, or j2ee then you might also like:


The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.

Try Fixinator

The weekly newsletter for the CFML Community


should Lucee do this by default?
by Zac Spitzer on 01/26/2021 at 11:08:21 PM UTC
bug filed
by Zac Spitzer on 01/29/2021 at 10:06:08 PM UTC
Thanks Zac, yes I think it should do this by default.
by Pete Freitag on 01/29/2021 at 10:14:39 PM UTC
Great tip, Pete. I think you could simplify the null check on more recent CFML engines using the safe navigation operator:

by Julian Halliwell on 02/03/2021 at 3:17:50 PM UTC
I've been using this for a while without issue, but now noticing that error logs are piling up. It seems that getPageContext().getSession() returns a struct? Is there another way to invalidate() a JEE session n Lucee?
by Andrew Kretzer on 04/14/2022 at 10:28:51 PM UTC