
Delete all sessions on a coldfusion server


Is there a way to delete all current sessions for a specific application on a ColdFusion server? I want to force all users to renew their session variables and add new session variables.

I thought about something like

<Cfset applicationStop()>

but I am not sure if it deletes all sessions. Even so, if it did, I would still need to prevent it from deleting all sessions for all applications. I just want to clear all sessions of 1 application and force the execution of OnSessionStart (in application.cfc) for all users on that website/application.


Solution

  • Below is a snippet of an Application.cfc that will allow you to reset all session variables for an application. The controlling variable is application.loaded. You'll need to supply code that will change the value of this variable to force session reloads. When your code sets application.loaded to now(), it will have a date/time newer than session.loaded, and it will reset the user's session. This version is written in CF2016 level CFML.

    This code is more of a template that you would have to revise for your implementation.

    Application.cfc:

    component displayname="myApp" {
        this['Name'] = "myApp";
        this['ApplicationTimeout'] = CreateTimeSpan(0, 12, 0, 0);
        this['sessionTimeout'] = CreateTimeSpan(0, 0, 45, 0);
        this['SessionManagement'] = true;
        this['ClientManagement'] = false;
        this['SetClientCookies'] = true;
    
        public boolean function onApplicationStart() {
            // app variable for session scope refresh
            application['loaded'] = now();
    
            return true;
        } // onApplicationStart()
    
        public void function onSessionStart() {
            // this individual session loaded flag
            session['loaded'] = now();
    
            return;
        } // onSessionStart()
    
        public boolean function onRequestStart(required string targetPage) {
            // if the application.loaded variable is more recent, force this session to be reset
            if (application.keyExists("loaded") && session.keyExists("loaded") && application.loaded > session.loaded) {
    
                // pick one or more of these FOUR options to reset the session.
    
                // call the J2EE method of invalidating a session
                getPageContext().getSession().invalidate();
    
                // OR use the CF method
                sessionInvalidate();
    
                // OR clear the session struct
                session.clear();
    
                // OR clear important session variables that tell your app that the user is logged out; this will need to change based on YOUR implementation
                session['user'] = "";
    
                // if you clear the session with a form of invalidate(), onSessionStart() should be called to reset the session.loaded var.  It can also be set here.
                session['loaded'] = now();
    
                // redirect to the target page, which should send the user back to the login page because the session was reset
                location(url=arguments.targetPage, addtoken=false);
            }
    
            return true;
        } // onRequestStart()
    
    } // component
    

    One oddity when I built this kind of system for a site is that, although applicationStop() was called, sessions did not clear. You'd think that sessions would be destroyed when the application was stopped, but they weren't. That's why I built this method. It seemed that sessions are tied to individual site cookies and are independent of the application that they may live in.
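
The answer leaves the code that changes application.loaded to the reader. Because that one assignment logs out every user of the application, the trigger needs its own access control. The following is an added example, not part of the original answer: the file name admin/resetSessions.cfm, the session.isAdmin flag and the form.csrfToken field are assumptions to be replaced with your own authorization model.

```cfml
<cfscript>
// admin/resetSessions.cfm (hypothetical file name, added example)
// Bumps application.loaded so the onRequestStart() check in the
// Application.cfc above resets every session on its next request.

// 1. Accept state-changing requests via POST only, so a link or an
//    embedded image on another site cannot trigger the reset.
if (cgi.request_method != "POST") {
    cfheader(statuscode=405, statustext="Method Not Allowed");
    abort;
}

// 2. Require an authenticated administrator.
//    session.isAdmin is an assumed flag set by your own login code.
if (!structKeyExists(session, "isAdmin") || !isBoolean(session.isAdmin) || !session.isAdmin) {
    cfheader(statuscode=403, statustext="Forbidden");
    abort;
}

// 3. Verify a CSRF token issued to the admin form with CSRFGenerateToken().
//    form.csrfToken is an assumed field name.
if (!structKeyExists(form, "csrfToken") || !CSRFVerifyToken(form.csrfToken)) {
    cfheader(statuscode=403, statustext="Forbidden");
    abort;
}

// 4. Update the shared flag under an exclusive application-scope lock so
//    concurrent requests see a consistent value.
lock scope="application" type="exclusive" timeout=5 {
    application['loaded'] = now();
}

// 5. Record who forced the reset (log file name is an assumption).
writeLog(
    file = "sessionReset",
    type = "information",
    text = "Session reset forced for application #application.applicationName# from #cgi.remote_addr#"
);

writeOutput("All sessions will be reset on their next request.");
</cfscript>
```

The administrator's own session is older than the new application.loaded value, so it is reset on the next request as well.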