August 19, 2013
Answered

Session is not ending with StructClear function

  • August 19, 2013
  • 1 reply
  • 3235 views

Normally, if we wanna clear a session we are doing it with the StructClear function. But I can see that it is not actually ending a user's session, because the same CFID and CFTOKEN values still exist once we have cleared a session. So this means that it is not really ending a session, right? But if we are expiring these cookie values (CFID and CFTOKEN) then we can see new values for these cookie variables. Here we are forcing ColdFusion to make new values for these cookie variables, but actually it has neither timed out nor has the onSessionEnd() event handler been invoked.

Then my question is how the session is actually ending. But it will work if we are using StructClear function because it will clear a business logic identifier that signaled to your business logic.

Does anyone have any thoughts on this?

    Inspiring
    August 19, 2013

    OK, there are three things to consider here, all of which are separate - interrelated - concepts

    Session

    A session is a representation (for lack of a better word) on the ColdFusion server which reflects a current visitor to the site. Because the CF server and the client browser don't communicate with each other directly, the CF server relies on the CFID/CFTOKEN (or JSESSIONID) cookies to be passed from client to web server to CF server. Then CF can associate its session to the client's session.

    Session Scope

    As part of the above session, a session scope is availed to CFML code. The session scope is not "the session", it is something that exists as a result of a session existing. Once a session expires, the session scope for that session will be cleaned up too.

    Session event handlers

    When a session starts, one of the things it does is raise a "session start" event, which the CF application framework will listen for, and if an onSessionStart() handler is present, it'll run said event handler. This does not start the session, it runs as a side-effect of the session starting.

    Similarly there is a session end event, and an onSessionEnd() handler.

    Now... clearing the session scope does not expire a session. Running onSessionEnd() doesn't end the session any more than running onSessionStart() starts a session. Think of it in terms of mouse events: running the onClick() event handler manually does not cause the physical mouse button to depress, does it? No. Same with CF application framework event handler functions. Just because the framework runs those event handlers when events occur does not mean manually running those handlers causes the events to occur.

    Also, clearing the session cookies will likewise not end a session; all it will do is kill the association between the browser and an existing CF session on the server. On the next request the CF server will not find the cookies, go "ooh... new session..." and start a new session, and send new cookies to the browser. However, as it's lost its association between the browser and the previous session, it doesn't have any way of knowing that it should end that previous session. So that session will linger until the session timeout occurs, at which point CF will terminate the session, raise the "session end" event, and the application framework will run the "onSessionEnd()" event handler if one is present.

    If you want to actually kill a session, you will need to run sessionRotate() (or possibly sessionInvalidate() might work). I've never used these so don't know if they kill the previous session, or simply give the client a new set of cookies. These functions are new to CF10. If you have an earlier version, you're gonna have to mess with the SessionTracker (which you can google).

    Make sense?

    --

    Adam

    Inspiring
    October 22, 2013

    So, during log out of my application I need to do the following things.

    1] Clear the session scoped business logic identifiers (variables)

    2] Expire the cookies - CFID/CFTOKEN

    If we are doing all these it will start a new session scope with new CFID/CFTOKEN values.

    Do you agree with this, or will there be any problem if these cookies got expired?
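
    A logout page that combines the two steps listed above with the sessionInvalidate() call mentioned in Adam's reply, as an added example that is not code from any poster in this thread. It assumes ColdFusion 10 or later, CFID/CFTOKEN (not J2EE) session cookies, and a hypothetical login.cfm as the redirect target.

```cfml
<!--- logout.cfm (added example; file name and login.cfm are hypothetical) --->
<cflock scope="session" type="exclusive" timeout="5">
    <cfscript>
        // Step 1: remove the application's own keys. ColdFusion keeps its
        // identifiers in the same scope, so they are skipped here rather
        // than wiped with structClear(session).
        reserved = "cfid,cftoken,sessionid,urltoken";
        for (key in structKeyArray(session)) {
            if (!listFindNoCase(reserved, key)) {
                structDelete(session, key);
            }
        }
    </cfscript>
</cflock>

<cfscript>
    // Step 2: end the session on the server (CF10+). Without this the old
    // session stays alive until its timeout, and a copy of the old
    // CFID/CFTOKEN pair would still be accepted.
    sessionInvalidate();
</cfscript>

<!--- Step 3: expire the identifiers in the browser. This only breaks the
      browser's link to the session; on its own it ends nothing server-side. --->
<cfcookie name="CFID" value="" expires="now">
<cfcookie name="CFTOKEN" value="" expires="now">

<!--- addtoken="false" keeps CFID/CFTOKEN out of the redirect URL --->
<cflocation url="login.cfm" addtoken="false">
```

    The order matters for the reason given in the thread: expiring the cookies without the server-side call leaves a live session that nothing in the browser points to, which stays usable by anyone who still holds the old values until the timeout fires.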

    Aegis_Kleais (Correct answer)
    Inspiring
    October 26, 2013

    Aegis,

    Thanks for your explanation.

    As per your comments, once a session got expired new CFID/CFTOKEN values are generated. I created a sample application to check this where I set the session timeout as two minutes and that session got expired. But when I check the cookies in the browser I am getting the same values for CFID/CFTOKEN. But when I delete this I am getting new values. So just to know: whenever a session got expired, can't we see new updated CFID/CFTOKEN values in the browser?

    I followed the steps below.

    1. Made a request for - http://localhost:8500/poc/nbt/

    2. Got new CFID/CFTOKEN values as 10901/13092563

    3. After session timeout (2 minutes) I checked my browser cookies but I can see the same values for CFID/CFTOKEN.

    I had written files in the onSessionEnd method also (as given below) to check whether I am getting new CFID/CFTOKEN values, but no luck, it's the same old values only.

    <cffunction name="onSessionEnd" returnType="void">
        <cfargument name="SessionScope" required="true"/>
        <cfargument name="ApplicationScope" required="false"/>

        <!--- Record when the session ended and the CFID of the session that ended --->
        <cffile action="write" file="C:/ColdFusion9/wwwroot/time_END.txt" output="#NOW()#">
        <cffile action="write" file="C:/ColdFusion9/wwwroot/cfid_END.txt" output="#ARGUMENTS.SessionScope.CFID#">
    </cffunction>

    Any idea why this is happening?


    Let's say you set your session timeout to 2 minutes.

    When you visit the page, you start a new session, CF generates a CFID/CFToken and SENDS that back to you in your first request's response.

    When you visit a page before the session times out, your browser sends the CFID/CFToken with the request, CF sees this, verifies it's a live session, and doesn't issue you a new one.

    If you wait the 2 minutes for a session to timeout, CF kills the session, but DOES NOT MESS with your Cookies. It doesn't matter, because they're invalid anyways.

    When you make a request, you send the now old CFID/CFToken, CF sees that this does not correlate to a live Session, and generates a new CFID/CFToken which it sends back to you now and updates your cookies with the new values.

    Just because a session times out on the server does NOT mean ColdFusion removes the cookies from the user's browser. It just states that "For that CFID/CFToken combination, the session no longer exists, so let me generate a NEW session for you and send you its CFID/CFToken to correlate your visitor to the new SESSION scope."

    Waiting for the timeout and checking your cookies should show the last cookies you had when you made a request.  Nothing new.

    In your onSessionEnd() method, it will BE the old values because when the session expires, that method gets a COPY of the SESSION and APPLICATION scope, (the SESSION that just expired) and that is the old CFID/CFToken data.  CF is performing as one would expect.  What is it you're trying to do?  I think the problem here is you're not understanding how sessions work.

    A SESSION, to CF, is when it takes a provided CFID/CFToken cookie from a user's request and checks to see if it is valid. If so, then any variables stored into the SESSION scope are made available to that request's processing. These cookies act as a way of your browser saying who they are. By default, Session values are stored in RAM.

    When you don't make a request in the amount of time specified in the THIS.sessionTimeout value, CF does not mess with ANY cookies on your machine. It simply says, "Hey, those variables I was holding for the SESSION that was for THIS CFID and THIS CFToken, well, delete them. The session expired." The browser won't see anything different whatsoever until it makes another request.

    When you make a request, again, your browser provides CF the CFID and CFToken cookies, but this time CF says, "Hey, that session expired, so I'll make a new one for you" (fires off the onSessionStart() method), and it sends back a new CFID and CFToken cookie to the user which now correlates to the new session. A session that will stay alive as long as the user makes requests within the timeout specified.

    If you deleted your cookies, the SESSION would still be ALIVE, however it would just be inaccessible, and after the timeout value, CF would expire it.  But if you deleted your cookies, upon making a request to the server, there would be NO CFID/CFToken cookies sent, so CF would create a new session for you and send you back a new CFID/CFToken.