paulm1677332
Inspiring
September 17, 2018
Answered

J2EE session rotate query

Hi,

I am trying to implement session rotation using the article at https://www.petefreitag.com/item/829.cfm

I have added the relevant code to onSessionStart and added the jeeSessionRotate function to a component which I call when the user has been successfully cleared to login. I have called the function immediately before where I call sessionRotate(). Problem is I'm getting a "setAttribute: Session [844E2EA3A042B40B5EA2545FC43C07FA.cfusion] has already been invalidated" error. Anyone know what I'm doing wrong here?

Thanks,

Paul

    This topic has been closed for replies.
    1 reply

    BKBK
    Community Expert
    September 18, 2018

    paulm1677332 wrote

    Hi,

    I am trying to implement session rotation using the article at https://www.petefreitag.com/item/829.cfm

    I have added the relevant code to onSessionStart and added the jeeSessionRotate function to a component which I call when the user has been successfully cleared to login. I have called the function immediately before where I call sessionRotate().

    The function jeeSessionRotate rotates the J2EE session. So you should not use sessionRotate afterwards.

    paulm1677332
    Inspiring
    September 18, 2018

    Taking it out still produces the same error. I always had sessionRotate in the code so I thought I could just add in the jeeSessionRotate after it and it wouldn't affect the other call. They affect different session variables don't they, so I would have thought they'd be ok together?

    Dave Watts
    Community Expert
    Correct answer
    September 18, 2018

    A user can only have one session at a time. The session is identified to the server by a session token. This is either a JSESSIONID cookie if you're using J2EE session variables, or CFID and CFTOKEN cookies if you're using "native" CF session variables. If you're trying to use both, that's not going to work, and you should only be rotating one type or the other, not both. It is possible to have both types of session tokens if you have multiple CF apps on the same server with different session token types, but you wouldn't want one app to rotate the session token of another app.

    Dave Watts, Fig Leaf Software

    Dave Watts, Eidolon LLC