Hi,
I am trying to implement session rotation using the article at https://www.petefreitag.com/item/829.cfm
I have added the relevant code to onSessionStart and added the jeeSessionRotate function to a component which I call when the user has been successfully cleared to log in. I have called the function immediately before where I call sessionRotate(). Problem is I'm getting a "setAttribute: Session [844E2EA3A042B40B5EA2545FC43C07FA.cfusion] has already been invalidated" error. Anyone know what I'm doing wrong here?
Thanks,
Paul
paulm1677332 wrote
Hi,
I am trying to implement session rotation using the article at https://www.petefreitag.com/item/829.cfm
I have added the relevant code to onSessionStart and added the jeeSessionRotate function to a component which I call when the user has been successfully cleared to log in. I have called the function immediately before where I call sessionRotate().
The function jeeSessionRotate rotates the J2EE session. So you should not use sessionRotate afterwards.
Taking it out still produces the same error. I always had sessionRotate in the code so I thought I could just add in the jeeSessionRotate after it and it wouldn't affect the other call. They affect different session variables, don't they, so I would have thought they'd be OK together?
A user can only have one session at a time. The session is identified to the server by a session token. This is either a JSESSIONID cookie if you're using J2EE session variables, or CFID and CFTOKEN cookies if you're using "native" CF session variables. If you're trying to use both, that's not going to work, and you should only be rotating one type or the other, not both. It is possible to have both types of session tokens if you have multiple CF apps on the same server with different session token types, but you wouldn't want one app to rotate the session token of another app.
Dave Watts, Fig Leaf Software
Ok that clears it up. Thanks Dave.