
While using ColdFusion sessions (not J2EE sessions), <cfset StructClear(Session)> does not end a session. It deletes CFID, CFTOKEN and SESSIONID but does not delete URLTOKEN.

In the subsequent request, it does not start a new session and keeps maintaining the old one.

(Explained in: http://www.bennadel.com/blog/1846-Clearing-The-Session-Scope-Does-Not-End-Your-ColdFusion-Session.htm)

My question is: now, without CFID and CFTOKEN in the SESSION scope, how does ColdFusion maintain the SESSION?

Previously I thought that on each request the ColdFusion server checks the CFID and CFTOKEN sent in the request header against the CFID and CFTOKEN present in the session scope to maintain the session. But I think I am wrong, because even without CFID and CFTOKEN in the session scope ColdFusion continues to maintain the SESSION.

So how does ColdFusion manage a SESSION internally? I mean, how does it decide whether to continue with an old session or to create a new one?

  • If you truly want to remove a session and you are using ColdFusion 10, you can use the new SessionInvalidate() function. It will clear the session scope and invalidate the CFID, CFTOKEN values on the server. However, keep in mind it will not work if you are using J2EE sessions. Commented Dec 29, 2013 at 17:56
  • Yes, I tried that; sessionInvalidate() works fine as it calls onSessionEnd() to end a session. Commented Dec 30, 2013 at 1:23

1 Answer

The session variables CFID and CFTOKEN obviously (?) can't be used to associate a browser with a session, because they're in the session. They'd have to be self-aware for that to work.

However, the CFID and CFTOKEN cookies do associate a browser with a session, because both the browser and the CFML server (via the HTTP request and web server) have access to the cookies.

So if the CFML server receives cookies with a certain CFID/CFTOKEN combo, it'll try to find an associated session. The session scope copies of these are just for the sake of convenience; I don't think they serve any purpose beyond that.

If the browser sends a CFID/CFTOKEN combo that doesn't have a corresponding session in server memory, the server will start a new session, but I think it will also set a new CFID/CFTOKEN pair, too, for safety's sake (you better test that though).

The server manages session expiration, and that is based entirely on the session timeout set on the CF instance (via CFAdmin) or for the application (via Application.cfc).

One can also monkey with sessions via the SessionTracker, which I will leave you to google, as it's not really within the scope of your question, and is co-opting ColdFusion internals (I dunno if Railo has an equivalent).

One thing to bear in mind when investigating this is that neither clearing the session scope nor running onSessionEnd() will cause the session to end. I make observations about this in my blog article "The difference between events and event handlers".


3 Comments

Are CFID and CFTOKEN stored in server memory? If not, how does ColdFusion associate a session with the CFID and CFTOKEN received in the request header?
"I think it will also set a new CFID/CFTOKEN pair, too, for safety's sake" Yes, ACF has been doing this since the Session Fixation hot fix in Feb 2011. See cfsimplicity.com/4/…
Deepak, it will be storing some correlation between those values and the session object, yes. How else would it work? And @CfSimplicity: thanks for the clarification.
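As an added illustration of the point discussed above (this is not code from the question, the answer or Ben Nadel's post), a minimal Application.cfc whose logout path calls SessionInvalidate() instead of StructClear(Session), expires the browser's CFID/CFTOKEN cookies so the stale pair is not presented again, and logs from onSessionEnd so the end of the session can actually be observed. It assumes non-J2EE sessions and ColdFusion 11 or later for the script form of cfcookie; the application name, the `?logout` parameter, the redirect target and the log file name are made up.

```cfml
// Application.cfc (added example; names below are assumptions)
component {
    this.name = "sessionDemo";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);
    this.setClientCookies = true;

    public boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(url, "logout")) {
            // Wrong: empties the scope, but the server keeps the session
            // object alive under the CFID/CFTOKEN pair in the cookies, so
            // the next request reattaches to it and onSessionEnd never fires.
            // structClear(session);

            // Right (ColdFusion 10+, non-J2EE sessions): drops the
            // server-side session, so the CFID/CFTOKEN pair no longer
            // resolves and onSessionEnd runs.
            sessionInvalidate();

            // Also expire the browser's copies of the identifiers, so the
            // next request starts clean rather than presenting a dead pair.
            for (var cookieName in ["CFID", "CFTOKEN"]) {
                cfcookie(name=cookieName, value="", expires="now");
            }
            location(url="index.cfm", addToken=false);
        }
        return true;
    }

    public void function onSessionStart() {
        session.createdAt = now();
    }

    public void function onSessionEnd(required struct sessionScope, required struct appScope) {
        // The session scope is not available here; the ending session is
        // passed in as an argument. Log its id so invalidation can be verified.
        writeLog(file="sessions", text="session ended: #arguments.sessionScope.sessionid#");
    }
}
```

To check the difference, swap the commented structClear(session) line in for sessionInvalidate() and compare the CFID/CFTOKEN cookies and the sessions log across a logout request: only the SessionInvalidate() path produces a new pair and a log entry.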
