SessionInvalidate for JEE Sessions

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

if (!isNull(getPageContext().getSession())) {
    getPageContext().getSession().invalidate();
}

We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request.

Like this? Follow me ↯

Follow @pfreitag

SessionInvalidate for JEE Sessions was first published on January 22, 2021.

If you like reading about java, session, or j2ee then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

Comments

should Lucee do this by default?

by Zac Spitzer on 01/26/2021 at 11:08:21 PM UTC

bug filed https://luceeserver.atlassian.net/browse/LDEV-3248

by Zac Spitzer on 01/29/2021 at 10:06:08 PM UTC

Thanks Zac, yes I think it should do this by default.

by Pete Freitag on 01/29/2021 at 10:14:39 PM UTC

SessionInvalidate for JEE Sessions

Like this? Follow me ↯

If you like reading about java, session, or j2ee then you might also like:

Comments

Post a Comment