What is the most effective way to reset ColdFusion session variables (CFTOKEN, CFID, JSESSIONID)?
The conclusion of the following question was that rebuilding session token after switching from http to https is a good idea.
In ColdFusion do I need to reestablish session tokens after switch from http to https?
The question is, what is the most effective way to do so?
This is one of those easier-said-than-done things.
It has been a while since I have researched this, so please take this with the understanding that you may need to troubleshoot it.
For Java EE sessions I think it is a bit easier because you can call invalidate() on the session. But, unfortunately, that is only half of the battle. You really have several problems to solve. They are:
1. Find some way to store any existing session data that you need (serialize and store)
2. Invalidate the old session (possible with both Java EE and CF sessions, but the way to do it with CF sessions is undocumented)
3. Expire the old cookies
4. Create a new session
5. Copy the data from the old session that you stored in step 1 into the new session
6. Set new cookies for the new session
This may not seem too tricky, the potentially hard part is doing it in one request, since normally a session is not created until a request is made and cookies are not set until a response is returned.
I think it is easiest using Java EE because you can call invalidate() on the old session, and get a new one by calling getRequestContext().getSession() (I believe this is the case, and I believe it ONLY works with Java EE sessions).
I have contemplated how to do these things with CF Sessions and the only thing I can think is to have the code that is creating a new session make a CFHTTP request to a page on the site so that a new session can be created. The CFHTTP response will have a new cookie in it, then you can expire the old cookies, and set the new using the tag.
Hope this helps
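Added example, not code from the answer above: an Application.cfc that performs the six-step rotation on the first request that arrives over HTTPS. It assumes ColdFusion 10 or later, where the snapshot / invalidate / expire / create / copy / set-cookie sequence is exactly what the built-in sessionRotate() function does (it works for both CF sessions and J2EE sessions); on older versions the steps still have to be hand-rolled as the answer describes. The application name and the "rotatedOverHttps" flag are this example's own choices.

```cfml
<!--- Added example (not from the original answer). Rotates the session identifier
      the first time the browser reaches the site over HTTPS, so the CFID/CFTOKEN
      or JSESSIONID that was issued in the clear over HTTP is never reused for the
      authenticated, encrypted part of the visit. Assumes ColdFusion 10+. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">                          <!--- assumed name --->
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfscript>
            // CGI.SERVER_PORT_SECURE is "1" when the request came in over TLS.
            isSecure = (cgi.server_port_secure eq "1");

            // Rotate exactly once per session, on its first secure request.
            // sessionRotate() invalidates the old session, creates a new one with a
            // fresh identifier, copies the session data across and sets the new
            // cookie on this response, i.e. all six steps in a single call.
            if (isSecure and not structKeyExists(session, "rotatedOverHttps")) {
                sessionRotate();
                // Set the flag after the rotate so it lives in the new session and
                // the check above does not fire again on the next secure request.
                session.rotatedOverHttps = true;
            }
        </cfscript>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the flag is written after the rotation, a session that was created directly over HTTPS is rotated once on its first request as well; that is harmless and keeps the logic free of a separate "came from HTTP" test. Any data stored in the session before the switch (a shopping cart, say) survives, since sessionRotate() copies it into the new session.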
After performing a whole bunch of tests, it seems like the most effective way to kill the session is to expire the jsessionid cookie with a value of now.
<cfcookie name="jsessionid" expires="now"/>
This obviously assumes the use of J2EE session variables.
If J2EE session variables are not being used, then it seems that session variables and client variables are both keyed off of the CFID and CFTOKEN cookie variables. Which means the only way to kill the session is to expire those cookies with a value of now.
<cfcookie name="cftoken" expires="now"/>
<cfcookie name="cfid" expires="now"/>
This method will also invalidate the client variables.
It seems like the best way to kill sessions without killing client vars while not using the J2EE session variables would be to create a session cookie that expires on browser close and check for that value under application.cfc request processing. If the value does not exist, clear the session struct.
<cfscript>
    // Remove ColdFusion's own bookkeeping keys from the session struct
    structDelete(session, "CFTOKEN");
    structDelete(session, "CFID");
    structDelete(session, "JSESSIONID");
</cfscript>
Will delete the keys from the struct, but I am unsure if you will have issues with CF 'reapplying' those variables to the session.
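Added example, not code from the answer above: an Application.cfc that implements the "marker cookie" idea for sites that use CF sessions (keyed by CFID/CFTOKEN) together with client variables. A cookie set without an expires attribute lives only until the browser is closed, so if a request arrives with CFID/CFTOKEN but without the marker, the browser session has ended and the server-side session scope is cleared while client variables, which are keyed by the same CFID/CFTOKEN, are left intact. The cookie name "cfsessionmarker" and the application name are this example's own choices; it assumes ColdFusion 9 or later for the httpOnly attribute of cfcookie.

```cfml
<!--- Added example (not from the original answer). Ends the session scope on
      browser close without expiring CFID/CFTOKEN, so client variables survive.
      Assumes CF sessions (not J2EE sessions) and ColdFusion 9+. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">                          <!--- assumed name --->
    <cfset this.sessionManagement = true>
    <cfset this.clientManagement = true>                      <!--- client vars stay keyed by CFID/CFTOKEN --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- No marker cookie: the browser was closed (or the cookie was dropped),
              so whatever session data CFID/CFTOKEN still point at must not be
              trusted. Clearing the struct drops the application's own keys;
              ColdFusion manages its CFID/CFTOKEN/URLTOKEN bookkeeping keys itself. --->
        <cfif not structKeyExists(cookie, "cfsessionmarker")>
            <cfset structClear(session)>

            <!--- Browser-session cookie: no "expires", so it is discarded when the
                  browser closes. httpOnly keeps page script from reading it. Add
                  secure="true" once the whole site is served over HTTPS so the
                  marker is never sent in the clear. --->
            <cfcookie name="cfsessionmarker" value="1" httpOnly="true">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

The marker carries no secret and is not itself an authenticator; its only job is to distinguish "same browser session" from "new browser session, old persisted cookies". If the application also needs a fresh session identifier on the HTTP-to-HTTPS switch, that is a separate step (expiring the cookies or, on ColdFusion 10+, calling sessionRotate()) and should be combined with this check rather than replace it.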