SessionInvalidate for JEE Sessions

January 22, 2021 by Pete Freitag

The builtin CFML function sessionInvalidate() works great for invalidating or clearing a ColdFusion session (CFID/CFTOKEN). But it doesn't invalidate the underlying J2EE / JEE session (the JSESSIONID).

You can dip down into the underlying JEE API and invoke the invalidate() function on the javax.servlet.http.HttpSession object. Here's how you can do this in CFML:

if (!isNull(getPageContext().getSession())) {
    getPageContext().getSession().invalidate();
}

We are getting the Java HttpSession object from the PageContext object (which we can obtain from the CFML builtin function getPageContext()). It is possible that getSession() could return null if there is no JEE session associated with the current request.

The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.

Comments

Zac Spitzer January 26, 2021

should Lucee do this by default?

Zac Spitzer January 29, 2021

bug filed https://luceeserver.atlassian.net/browse/LDEV-3248

Pete Freitag January 29, 2021

Thanks Zac, yes I think it should do this by default.

Julian Halliwell February 3, 2021

Great tip, Pete. I think you could simplify the null check on more recent CFML engines using the safe navigation operator: GetPageContext().getSession()?.invalidate();

Andrew Kretzer April 14, 2022

I've been using this for a while without issue, but now noticing that error logs are piling up. It seems that getPageContext().getSession() returns a struct? Is there another way to invalidate() a JEE session n Lucee?

Related Posts

Comments