When do you call getPageContext().getSession().invalidate()?

I tried calling that at the logout page, then cflocation it back to the main page, and it throws an exception.

How to assign a new session right after?

The documentation says:

You cannot destroy the session and create a session on the same request, as creating a new session involves sending session cookies back.

I thought cflocation to the main page already qualifies as a different request, is it not?

A: 

You can use any of these for your user logout function

1) Session.Remove(key)

2) Session(key) = nothing

Both are fine. But the latter one is better if the user might want to re-login or you actually....saves the effort of recreating a new key.

loxxy
This is what I'm using currently, but I would like to use invalidate session for better security
Henry
+2  A: 

Ben Nadel had a series of posts related to "killing" session. As I remember it's not as easy as one method call. I'd google those.

zarko.susnjar
+1 Ben has done some pretty interesting experiments with the session scope.
jfrobishow
This one? http://www.bennadel.com/blog/1847-Explicitly-Ending-A-ColdFusion-Session.htm
Henry
+2  A: 

getPageContext().getSession().invalidate() will invalidate the session; subsequent requests with that sessionID will get an error trying to access the Session scope, but the memory will not be reclaimed until the actual session timeout.

What you can do is session.setMaxInactiveInterval(int): set it to a very low number in ms so it expires right away and releases the memory. Then do a cflocation, and for safe measure use addToken="no".

jfrobishow
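
The logout flow discussed in this thread, as an added example that is not code from any of the posters: it invalidates the servlet session and redirects without touching the session scope again in the same request. It assumes "Use J2EE session variables" is enabled; the file names `logout.cfm` and `index.cfm` and the `session.user` key are hypothetical.

```cfml
<!--- logout.cfm (hypothetical file name) --->
<!--- Assumption: J2EE session variables are enabled, so the ColdFusion
      session is backed by a servlet HttpSession. --->
<cfscript>
    // Remove application login state first, while the session scope is
    // still usable. "user" is a hypothetical key; use whatever your
    // login code stores.
    structDelete(session, "user");

    try {
        // Invalidate the underlying servlet session.
        getPageContext().getSession().invalidate();
    } catch (java.lang.IllegalStateException e) {
        // HttpSession.invalidate() throws this when the session was
        // already invalidated (for example a double-submitted logout).
        // There is nothing left to clean up in that case.
    }
    // From here on, do not read or write the session scope in this request.
</cfscript>

<!--- addtoken="no" keeps cflocation from appending session identifiers
      to the redirect URL. --->
<cflocation url="index.cfm" addtoken="no">
```

The redirect target is served as a separate request, which is where the new session and its cookie get created, consistent with the documentation quoted in the question.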