Tags: session, jakarta-ee, session-cookies, coldfusion-10, session-management

If I use J2EE session do I need ColdFusion session?


I have recently created a new system. In this project, I was able to work with session management in ColdFusion. Once I started digging into sessions and how they work, there were a few things that are not very clear in the Adobe documentation. There is a whole article about J2EE vs ColdFusion sessions which says J2EE is recommended as more secure. If I use J2EE, am I still obligated to use the ColdFusion session?

In my Application.cfc I have these settings:

<cfset THIS.sessionManagement = true>
<cfset THIS.applicationTimeout = CreateTimeSpan(0,1,0,0)>
<cfset THIS.sessionTimeout = CreateTimeSpan(0,0,30,0)>

After I enabled J2EE in the ColdFusion Administrator, my session scope shows:

struct
loggedin    false
sessionid   0AB2908F874E5BE7C792D0AA6B3847B2.cfusion
urltoken    CFID=8321&CFTOKEN=86134751&jsessionid=0AB2908F874E5BE7C792D0AA6B3847B2.cfusion

There are CFID, CFTOKEN, and sessionid. I'm wondering, do I have to keep CFID and CFTOKEN if sessionid is there? If not, how can they be removed or turned off?

In my AppFunctions.cfc I have two cffunctions. One handles the Log out process and the other handles the session timeout process. Both of these should end the session once a user is no longer active. I found two different functions to do that.

  • sessionInvalidate() which will end/clear a ColdFusion session
  • getPageContext().getSession().invalidate() which will end a J2EE session

However, if I have both sessions enabled in my Application, how will I end sessions in that case? Should I use both methods or is there some other way to do this?

The Adobe documentation does not explain this very well. If anyone knows a good way to handle this, please let me know. Since this is a single page app, I'm also wondering how to secure my Ajax calls. Every time a user sends a request I would like to check that their session and credentials are valid.


Solution

  • Promoted from the comments for greater visibility

    Do you have SetClientCookies equal to true/yes? If so, that will create the CFID and CFTOKEN cookies I believe. You do not need that option for session management - it is for client management.

    The other possibility is that you have local cookies with those in it from previous testing. Delete your browser cookies, set SetClientCookies to no, and try again.
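As an added example (not code from the question, the answer, or Adobe), here is an Application.cfc that switches off the client-management cookies the answer refers to, ends both the ColdFusion and the J2EE session on logout as the question's two functions do, and checks the session on every Ajax request. The `loggedin` key, the `/api/` path prefix, the `endSession` name and the `XMLHttpRequest` header check are assumptions.

```cfml
// Application.cfc (added example; not from the question or the answer).
// Assumptions: session.loggedin marks an authenticated user, and the
// single-page app's Ajax endpoints live under /api/.
component {
    this.name               = "sessionDemo";
    this.applicationTimeout = createTimeSpan(0, 1, 0, 0);
    this.sessionManagement  = true;
    this.sessionTimeout     = createTimeSpan(0, 0, 30, 0);

    // Client management is what writes the CFID/CFTOKEN cookies; it is
    // not needed for session management, so keep both switched off.
    this.clientManagement = false;
    this.setClientCookies = false;

    public void function onSessionStart() {
        session.loggedin = false;
    }

    // Runs before every request. An API or XMLHttpRequest call without a
    // logged-in session gets a 401 and is stopped before the page runs.
    public boolean function onRequestStart(required string targetPage) {
        var isApiCall = findNoCase("/api/", arguments.targetPage) > 0;
        var isAjax    = cgi.HTTP_X_REQUESTED_WITH == "XMLHttpRequest";
        var isAuthed  = structKeyExists(session, "loggedin") && session.loggedin;

        if ((isApiCall || isAjax) && !isAuthed) {
            getPageContext().getResponse().setStatus(401);
            abort;
        }
        return true;
    }

    // Logout/timeout handler: end the ColdFusion session and then the
    // underlying J2EE session, so neither the CF scope nor the jsessionid
    // outlives the logout. The J2EE call goes last because the session
    // scope is no longer usable in this request once it has run.
    public void function endSession() {
        session.loggedin = false;
        sessionInvalidate();                         // ColdFusion session
        getPageContext().getSession().invalidate();  // J2EE session
    }
}
```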