Hi,
Is there a way to end a session on the server?
I tried various ways like
1. <cfset StructClear(Session)>
2. <cfset getPageContext().getSession().invalidate()>
3. <cfset this.sessionTimeout = createTimeSpan( 0, 0, 0, 1 ) />
But none seems to be removing entries from the Active session list.
Am I missing something?
Am I missing something?
No, you are missing nothing.
StructClear(Session)
This clears the session structure, but does not end the session. Suppose you had defined key-value pairs in the session, such as,
session.x = 1;
session.y = "some string";
Then the structClear function deletes the key-value pairs (x,1) and (y, "some string") from the session struct. Thus, after you run structClear, structKeyExists(session, "x") and structKeyExists(session, "y") will be false. But the session will remain active.
getPageContext().getSession().invalidate()
This invalidates a J2EE session. I do believe this has the effect you want, as it will end the current session and start a new one the next time the user visits. But then, it applies to a J2EE session, not to a ColdFusion session.
For this to be effective, you had to have switched on J2EE sessions in the ColdFusion Administrator. If you hadn't, then the ColdFusion session would remain active after this line of code.
The corresponding code for the ColdFusion session is: sessionInvalidate()
this.sessionTimeout = createTimeSpan( 0, 0, 0, 1 )
In older versions of ColdFusion, it was possible to end a session by changing the timeout to this.sessionTimeout = createTimeSpan( 0, 0, 0, 0 ) or this.sessionTimeout = createTimeSpan( 0, 0, 0, 1 ). However, that is undocumented practice. In other words, it was just a quirk in the language, which happened to work by chance, not a recommendation. In fact, it is bad practice, as we shall see in a moment.
A related, and documented, way to end sessions is to expire the session cookies. In the following example, the user will get a new session the next time he or she visits.
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
Each of the above methods affects every user that visits the page. However, there is hardly ever a use case requiring that you end all user sessions manually.
Use cases will usually require you to delete the variables stored in a specific session. They will also require you to do so in a targeted manner. For example, by ID or by means of user-specific code such as
<cfif not isLoggedIn>
<cfset structClear(session)>
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">
</cfif>
<cfif not isLegalUser>
<cfset sessionInvalidate()>
</cfif>
No application server, including ColdFusion, expects you to end sessions manually. The reason is simple. The server holds sessions in memory and is designed to take care of its own session management itself.
When the server creates user sessions, it gives each an ID and an idle-time-to-live, its timeout. The server's session management then keeps track of each individual session.
If the user is inactive for a period of time exceeding the sessionTimeout, the server will end the session whose ID corresponds to the user. There then follows the process of deleting the session and removing it from memory.
If you end sessions manually it will affect these memory processes and may lead to inefficiency.
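
A per-user logout handler that combines the methods discussed in the answer above, as an added example that is not part of the original thread. The helper name endCurrentSession, the form field logout, the redirect target login.cfm, and the use of a JSESSIONID cookie to detect J2EE sessions are assumptions.

```cfml
<!--- logout.cfm: added example, not code from the thread. --->
<cffunction name="endCurrentSession" returntype="void" output="false"
            hint="Hypothetical helper: ends only the calling user's session.">
    <cfif structKeyExists(cookie, "JSESSIONID")>
        <!--- Assumption: a JSESSIONID cookie means J2EE sessions are
              switched on in the ColdFusion Administrator. --->
        <!--- Remove the stored key-value pairs; on its own this does
              not end the session. --->
        <cfset structClear(session)>
        <!--- End the underlying J2EE session. --->
        <cfset getPageContext().getSession().invalidate()>
    <cfelse>
        <!--- ColdFusion session identified by CFID/CFTOKEN. --->
        <cfset sessionInvalidate()>
        <!--- Expire the identifiers so the browser stops presenting
              them; the next visit gets a new session. --->
        <cfcookie name="CFID" value="" expires="now">
        <cfcookie name="CFTOKEN" value="" expires="now">
    </cfif>
</cffunction>

<!--- Targeted use: only the user who submitted the logout form is affected. --->
<cfif structKeyExists(form, "logout")>
    <cfset endCurrentSession()>
    <!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL. --->
    <cflocation url="login.cfm" addtoken="false">
</cfif>
```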
Turn on J2EE session variables. Once the browser (client) is closed the session is terminated. Otherwise <cfscript>StructClear(session.Whatever)</cfscript> to do it manually.
With J2EE session vars enabled you also negate the need to pass CFID/CFTOKEN to pages. Best thing ever. Damon pretty much came up with the idea of building ColdFusion as a Java application whilst on a plane. He no longer works for Macromedia/Adobe, sadly.
The result was ColdFusion MX - the first version of CF available on a non-Windows platform - because you know - JAVA.
Damon Cooper was his name. A kick arse Java engineer.