Nebu

Reputation: 1793

Delete all sessions on a ColdFusion server

Is there a way to delete all current sessions for a specific application on a ColdFusion server? I want to force all users to renew their session variables and add new session variables.

I thought about something like

<Cfset applicationStop()>

but I am not sure if it deletes all sessions. Even so, if it did, I would still need to prevent it from deleting all sessions for all applications. I just want to clear all sessions of 1 application and force the execution of OnSessionStart (in application.cfc) for all users on that website/application.

Upvotes: 1

Views: 1096

Answers (3)

Max Voisard

Reputation: 1942

I like to reset session scopes rather than delete or clear them, so that the most updated variables are set. The code below shows how to refresh all sessions. If you want to delete sessions in the code below, you can use the line <cfset StructClear(appSessions[sessionKey])> in the loop, and neglect the OnApplicationStart() method, invoked from the Application.cfc.

The setMaxInactiveInterval() method is an undocumented function that is tied to the session scope, in which you can set the session timeout. You can loop through all active sessions in an application through the Java object coldfusion.runtime.SessionTracker, then apply that method to them. After that, reset the application scope, so the default session timeout is applied again.

<cfscript>
    appName = "MY_APP_NAME";
    jSessTracker = CreateObject("java", "coldfusion.runtime.SessionTracker");
    appSessions = jSessTracker.getSessionCollection(JavaCast("string", appName));
</cfscript>

<cfloop collection="#appSessions#" item="sessionKey">
    <cfset appSessions[sessionKey].setMaxInactiveInterval(JavaCast("long", 1))>
</cfloop>

<cfinvoke component="Application" method="OnApplicationStart">

Upvotes: 0

Scott Jibben

Reputation: 2287

Below is a snippet of an Application.cfc that will allow you to reset all session variables for an application. The controlling variable is application.loaded. You'll need to supply code that will change the value of this variable to force session reloads. When your code sets application.loaded to now(), it will have a date/time newer than session.loaded, and it will reset the user's session. This version is written in CF2016 level CFML.

This code is more of a template that you would have to revise for your implementation.

Application.cfc:

component displayname="myApp" {
    this['Name'] = "myApp";
    this['ApplicationTimeout'] = CreateTimeSpan(0, 12, 0, 0);
    this['sessionTimeout'] = CreateTimeSpan(0, 0, 45, 0);
    this['SessionManagement'] = true;
    this['ClientManagement'] = false;
    this['SetClientCookies'] = true;

    public boolean function onApplicationStart() {
        // app variable for session scope refresh
        application['loaded'] = now();

        return true;
    } // onApplicationStart()

    public void function onSessionStart() {
        // this individual session loaded flag
        session['loaded'] = now();

        return;
    } // onSessionStart()

    public boolean function onRequestStart(required string targetPage) {
        // if the application.loaded variable is more recent, force this session to be reset
        if (application.keyExists("loaded") && session.keyExists("loaded") && application.loaded > session.loaded) {

            // pick one or more of these FOUR options to reset the session.

            // call the J2EE method of invalidating a session
            getPageContext().getSession().invalidate();

            // OR use the CF method
            sessionInvalidate();

            // OR clear the session struct
            session.clear();

            // OR clear important session variables that tell your app that the user is logged out, this will need to change based on YOUR implementation
            session['user'] = "";

            // if you clear the session with a form of invalidate(); onSessionStart() should be called to reset the session.loaded var.  It can also be set here.
            session['loaded'] = now();

            // redirect to the target page, which should send the user back to the login page because the session was reset
            location(url=arguments.targetPage, addtoken=false);
        }

        return true;
    } // onRequestStart()

} // component

One oddity when I built this kind of system for a site is that, although applicationStop() was called, sessions did not clear. You'd think that sessions would be destroyed when the application was stopped, but they weren't. That's why I built this method. It seemed that sessions are tied to individual site cookies and are independent of the application that they may live in.

Upvotes: 3
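
The Application.cfc template above leaves out the code that actually changes application.loaded. The following is an added example, not part of the answer or of any project's code, showing one way to write that trigger as an admin-only page. The page path, the session.user.isAdmin flag and the csrfToken form field are assumptions made for illustration.

```cfml
<cfscript>
// Added example: hypothetical admin-only page (e.g. /admin/resetSessions.cfm)
// living in the same application as the Application.cfc template above.
// Assumptions (not from the answer): session.user is a struct with a boolean
// isAdmin flag, and the calling form posts a field named csrfToken that was
// filled with CSRFGenerateToken().

// 1. Only accept a state-changing POST.
if (compareNoCase(cgi.request_method, "POST") != 0) {
    cfheader(statuscode=405, statustext="Method Not Allowed");
    abort;
}

// 2. Only an authenticated administrator may reset everyone's session.
isAdmin = structKeyExists(session, "user")
    && isStruct(session.user)
    && structKeyExists(session.user, "isAdmin")
    && isBoolean(session.user.isAdmin)
    && session.user.isAdmin;

// 3. Reject requests that do not carry a valid anti-CSRF token.
tokenOk = structKeyExists(form, "csrfToken") && csrfVerifyToken(form.csrfToken);

if (!isAdmin || !tokenOk) {
    cfheader(statuscode=403, statustext="Forbidden");
    abort;
}

// 4. Move the application timestamp forward. Every session whose
//    session.loaded is older is reset by onRequestStart() on its next request.
resetAt = now();
lock scope="application" type="exclusive" timeout="5" {
    application.loaded = resetAt;
}

// The template tests application.loaded > session.loaded, so giving this
// session the same timestamp keeps the administrator logged in.
// Remove this line to reset the administrator's session as well.
session.loaded = resetAt;

// 5. Leave an audit trail of the forced reset.
writeLog(file="sessionReset", type="information",
    text="Sessions reset for #application.applicationName# from #cgi.remote_addr#");

writeOutput("Session reset scheduled.");
</cfscript>
```

Because the reset happens lazily in onRequestStart(), idle sessions keep their old data until their next request or until they time out.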

Virender Jangra

Reputation: 1

If you are not using a single login method, then use a separate Application.cfm for each application.

When you log out of one application, then only that one application's session will be ended.

I can't add this as a comment as I don't have permission.

Upvotes: 0
