Is there a way to delete all current sessions for a specific application on a ColdFusion server? I want to force all users to renew their session variables and add new session variables.
I thought about something like
<Cfset applicationStop()>
but I am not sure if it deletes all sessions. Even so, if it did, I would still need to prevent it from deleting all sessions for all applications. I just want to clear all sessions of 1 application and force the execution of OnSessionStart (in application.cfc) for all users on that website/application.
Below is a snippet of an Application.cfc that will allow you to reset all session variables for an application. The controlling variable is application.loaded. You'll need to supply code that will change the value of this variable to force session reloads. When your code sets application.loaded to now(), it will have a date/time newer than session.loaded, and it will reset the user's session. This version is written in CF2016-level CFML.
This code is more of a template that you would have to revise for your implementation.
Application.cfc:
    component displayname="myApp" {

        this['Name'] = "myApp";
        this['ApplicationTimeout'] = CreateTimeSpan(0, 12, 0, 0);
        this['sessionTimeout'] = CreateTimeSpan(0, 0, 45, 0);
        this['SessionManagement'] = true;
        this['ClientManagement'] = false;
        this['SetClientCookies'] = true;

        public boolean function onApplicationStart() {
            // app variable for session scope refresh
            application['loaded'] = now();
            return true;
        } // onApplicationStart()

        public void function onSessionStart() {
            // this individual session loaded flag
            session['loaded'] = now();
            return;
        } // onSessionStart()

        public boolean function onRequestStart(required string targetPage) {
            // if the application.loaded variable is more recent, force this session to be reset
            if (application.keyExists("loaded") && session.keyExists("loaded") && application.loaded > session.loaded) {
                // pick one or more of these FOUR options to reset the session.
                // call the J2EE method of invalidating a session
                getPageContext().getSession().invalidate();
                // OR use the CF method
                sessionInvalidate();
                // OR clear the session struct
                session.clear();
                // OR clear important session variables that tell your app that the user is logged out, this will need to change based on YOUR implementation
                session['user'] = "";
                // if you clear the session with a form of invalidate(); onSessionStart() should be called to reset the session.loaded var. It can also be set here.
                session['loaded'] = now();
                // redirect to the target page, which should send the user back to the login page because the session was reset
                location(url=arguments.targetPage, addtoken=false);
            }
            return true;
        } // onRequestStart()

    } // component
One oddity when I built this kind of system for a site is that, although applicationStop() was called, sessions did not clear. You'd think that sessions would be destroyed when the application was stopped, but they weren't. That's why I built this method. It seemed that sessions are tied to individual site cookies and are independent of the application that they may live in.
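
The answer above leaves the code that changes application.loaded to the reader. One way to write that trigger is sketched below as an added example (not part of the original answer): it restricts the reset to administrators, updates the variable under an application-scope lock, and logs who forced it. The component name SessionReset.cfc, the function forceSessionReset(), the session.user.isAdmin flag and the log file name sessionReset are all assumptions to adapt to your own application.

```cfml
// SessionReset.cfc (hypothetical name): added example, not from the answer above
component displayname="SessionReset" {

    // Sets application.loaded to now() so that onRequestStart() in the
    // Application.cfc above treats every session started earlier as stale.
    public struct function forceSessionReset() {
        // Assumption: the login code stores a struct in session.user with a
        // boolean isAdmin key. Replace with your own authorization check.
        if (!structKeyExists(session, "user")
            || !isStruct(session.user)
            || !structKeyExists(session.user, "isAdmin")
            || session.user.isAdmin != true) {
            throw(type="SessionReset.NotAuthorized",
                  message="Admin privileges are required to reset sessions.");
        }

        var previous = "";
        // Exclusive lock: no request reads a half-updated value while we write
        lock scope="application" type="exclusive" timeout="5" {
            previous = structKeyExists(application, "loaded") ? application.loaded : "";
            application['loaded'] = now();
        }

        // Audit trail: a forced logout of every user should be attributable
        writeLog(file="sessionReset", type="information",
                 text="Session reset forced for #application.applicationName# from #cgi.remote_addr#");

        return { previous = previous, current = application.loaded };
    }

}
```

Because application.loaded belongs to the named application, only sessions of that application are affected. The administrator's own session is older than the new timestamp too, so it is reset on their next request.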