Hi,
I have Use J2EE session variables enabled on my server and now want to rotate the corresponding jsessionid on login. I used to rotate the inbuilt ColdFusion session variables using sessionRotate but now have no need so replaced this in my code with jeeSessionRotate (https://www.petefreitag.com/item/829.cfm).
I have also added the relevant code in onSessionStart but I keep getting an error a few lines after calling jeeSessionRotate. The error happens when I try and set some session variable and I get a "set attribute... session has already been invalidated" error because it's trying to use the previous session. I assume the code in onSessionStart would cater for this. Am I missing something along the line here? I'm calling jeeSessionRotate on successful login and later on in that file I'm setting some variables.
Seems from the post that all required was to create the new function and add the code to onSessionStart and it should work. Anyone any ideas?
Thanks
An idea.
You're perhaps getting an error because, even though the old session has been invalidated, it is still in effect in the current page. So, if a line of code writes to the session scope, ColdFusion will attempt to write to the invalidated session.
You therefore have to initiate the new session directly after session rotation. That is, before any line of code that writes to session. One way to do this is by starting a new request to a CFM page.
Start by copying all the code that comes after the call to jeeSessionRotate() from the login page to a new page, postLogin.cfm. The pseudocode follows.
login.cfm
<!--- Login code --->
<!--- Code that invokes the function jeeSessionRotate() --->
<cflocation url="postLogin.cfm">
postLogin.cfm
<!--- Code that comes after jeeSessionRotate() in the previous login page --->
In this way, the new session will be in effect on the page postLogin.cfm.
Hi,
Yes that worked. Thought I might have been able to get it working all from the 1 page but calling onSessionStart directly or creating a new function with the code from onSessionStart and calling that directly after the rotate also didn't work. Sending it to the new page did the job.
Thanks
Paul, I think you'd be wise to add a comment on Pete's post, either asking the same question or (perhaps better) pointing to this, not only to get Pete's attention but also that of others who may have used that function.
And since it's a post from 2014 and talking about cf10 (cf11 came out in 2014 also), perhaps things have changed, either in those (per updates) or in cf2016 or 2018, so you may want to clarify also which you're using, to better help those who may want to help you.
Hi Charlie,
Thanks for that. I did see some comments on Pete's article but hadn't seen any recent replies so I didn't think he was replying. BKBK's way worked, I just thought the J2EE session rotation would have worked similarly to the sessionRotate function and not required alterations to my login process.