Deepak Kumar Padhy

Reputation: 4388

How does ColdFusion manage a SESSION internally?

While using a ColdFusion session (not J2EE), <cfset StructClear(Session)> does not end a session. It deletes the CFID, CFTOKEN and SESSIONID but does not delete the URLTOKEN.

In the subsequent request, it does not start a new SESSION and keeps maintaining the old session.

(Explained in: http://www.bennadel.com/blog/1846-Clearing-The-Session-Scope-Does-Not-End-Your-ColdFusion-Session.htm)

My question is: now, without CFID and CFTOKEN in the SESSION scope, how does ColdFusion maintain the SESSION?

Previously I was thinking that each time, the ColdFusion server checks the cfid and cftoken sent in the request header against the cfid and cftoken present in the session scope to maintain the session. But I think I am wrong, because even without cfid and cftoken in the session scope ColdFusion continues to maintain the SESSION.

So how does ColdFusion manage a SESSION internally? I mean, how does it decide to continue with an old session or to create a new one?

Upvotes: 1

Views: 477

Answers (1)

Adam Cameron

Reputation: 29870

The session variables CFID and CFTOKEN obviously (?) can't be used to associate a browser to a session, because they're in the session. They'd have to be self-aware for that to work.

However, the CFID and CFTOKEN cookies do associate a browser with a session (because both browser and CFML server (via the HTTP request and web server) have access to the cookies).

So if the CFML server receives cookies with a certain CFID/CFTOKEN combo, it'll try to find an associated session. The session scope copies of these are just for the sake of convenience; I don't think they serve any purpose beyond that.

If the browser sends a CFID/CFTOKEN combo that doesn't have a corresponding session in server memory, the server will start a new session, but I think it will also set a new CFID/CFTOKEN pair, too, for safety's sake (you better test that though).

The server manages session expiration, and that is based entirely on the session timeout set on the CF instance (via CFAdmin) or for the application (via Application.cfc).

One can also monkey with sessions via the SessionTracker, which I will leave you to google, as it's not really within the scope of your question, and is co-opting ColdFusion internals (I dunno if Railo has an equivalent).

One thing to bear in mind when investigating this is that neither clearing the session scope nor running onSessionEnd() will cause the session to end. I make observations about this in my blog article "The difference between events and event handlers".

Upvotes: 4
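
The lookup described in the answer above, as a simplified Python model added here for illustration; it is not ColdFusion's implementation and not code from either poster. The names `SessionServer`, `handle_request` and `invalidate` are hypothetical, and issuing a fresh server-generated pair for an unknown CFID/CFTOKEN is an assumption of the model.

```python
import secrets


class SessionServer:
    """Toy model of cookie-keyed session tracking (not ColdFusion's code)."""

    def __init__(self):
        self._sessions = {}  # (CFID, CFTOKEN) -> session scope dict

    def _new_session(self):
        # Assumption: IDs are generated server-side, never taken from the client.
        cfid, cftoken = str(secrets.randbelow(10**6)), secrets.token_hex(16)
        # Convenience copies inside the scope, as the answer describes.
        scope = {"CFID": cfid, "CFTOKEN": cftoken}
        self._sessions[(cfid, cftoken)] = scope
        return scope, {"CFID": cfid, "CFTOKEN": cftoken}

    def handle_request(self, cookies):
        """Return (session scope, cookies to set) for one request."""
        key = (cookies.get("CFID"), cookies.get("CFTOKEN"))
        scope = self._sessions.get(key)
        if scope is not None:
            return scope, {}  # known pair: continue the old session
        return self._new_session()  # unknown or missing pair: fresh session

    def invalidate(self, cookies):
        """End the session by dropping the server-side entry."""
        self._sessions.pop((cookies.get("CFID"), cookies.get("CFTOKEN")), None)


def demo():
    server = SessionServer()
    scope, browser_cookies = server.handle_request({})  # first visit
    scope["user"] = "alice"  # constructed sample data

    scope.clear()  # the StructClear(Session) step: empties the scope only
    after_clear, set_cookies = server.handle_request(browser_cookies)
    same_session = after_clear is scope and set_cookies == {}

    server.invalidate(browser_cookies)  # remove the store entry instead
    after_end, new_cookies = server.handle_request(browser_cookies)
    fresh = (after_end is not scope
             and new_cookies["CFTOKEN"] != browser_cookies["CFTOKEN"])
    return same_session, fresh
```

In the model, the session survives `clear()` because the browser's cookies still match a key in the server-side store; only removing that entry, or letting it time out, makes the next request start a new session.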
