Invalidate session, how to use correctly?

When do you call getPageContext().getSession().invalidate()?

I tried calling that at the logout page, then cflocat开发者_JS百科ion it back to the main page, and it throws exception.

How to assign a new session right after?

The documentation says:

You cannot destroy the session and create a session on the same request, as creating a new session involves sending session cookies back.sending session cookies back.

I thought cflocation to the main page already qualifies as a different request, is it not?

getPageContext().getSession().invalidate() will invalidate the session, subsequent request with that sessionID will get an error trying to access the Session scope but the memory will not be reclaimed until the actual session timeout.

What you can do is session.setMaxInactiveInterval(int) set it to very a low number in ms so it expires right away and release the memory. Then do a cflocation and for safe mesure use addToken="no"

Ben Nadel had series of posts related to "killing" session. As I remember it's not as easy as one method call. I'd google those.

you can use any of these for ur user logout function

1) Session.Remove(key)

2) Session(key) = nothing

Both are fine. But the later one is better if the user might want to re login or you actually....saves the effort of recreating a new key.