ColdFusion 10 backport - SessionInvalidate() * David Boyer

ColdFusion 10 backport - SessionInvalidate()

With all my digging around while putting together CFTracker, I realised that a few new functions in the ColdFusion 10 Beta release are possible in older versions. In this example, it’s SessionInvalidate().

SessionInvalidate() is a new function in ColdFusion 10 that will do exactly what you’d expect, invalidate the session. In more detail is appears to do the following:

Fires onSessionEnd for the session in question.
Stops the session completely, it’ll disappear from server monitor / CFTracker as if stopped.
Clears out the contents of the session. A dump of the session, after that function is called, returns empty.

Tools of the trade…

Firing onSessionEnd

How would we manage that, when the function can be called from anywhere? First we need to flip over the application scope to see what’s underneath…

&lt;cfset appClass = CreateObject(&quot;java&quot;, application.getClass().getName()) /&gt;
&lt;cfdump var=&quot;#appClass#&quot; /&gt;

Obviously, getAppInvoker() looks promising. Let’s grab that and dump it out as well.

&lt;cfset appEvents = application.getEventInvoker() /&gt;
&lt;cfdump var=&quot;#appEvents#&quot; /&gt;

Well that wasn’t too hard was it? There it is, onSessionEnd, but what’s with the argument java.lang.Object[]? Looking at the documentation for ColdFusion, we know that onSessionEnd expects to receive two arguments. The application scope and the session scope that is ending. A while guess of throwing these into an array and providing that as the argument appears to do the trick. For testing this, I set a low sessionTimeout and had an onSessionEnd that dumped the argument scope to a HTML file.

Application.cfc

&lt;cfcomponent output=&quot;false&quot;&gt;
  &lt;cfscript&gt;
    this.name = &apos;TestApp&apos;;
    this.sessionManagement = true;
    this.sessionTimeout = CreateTimeSpan(0, 0, 0, 30);
  &lt;/cfscript&gt;

  &lt;cffunction name=&quot;onSessionStart&quot; returnType=&quot;void&quot; output=&quot;false&quot;&gt;
    &lt;cfset session.stamp = Now() /&gt;
  &lt;/cffunction&gt;

  &lt;cffunction name=&quot;onSessionEnd&quot; returnType=&quot;void&quot; output=&quot;false&quot;&gt;
    &lt;cfargument name=&quot;sessionScope&quot; required=&quot;true&quot; /&gt;
    &lt;cfargument name=&quot;applicationScope&quot; required=&quot;false&quot; /&gt;
    &lt;cfset var lc = StructNew() /&gt;
    &lt;cfsavecontent variable=&quot;lc.output&quot;&gt;
      &lt;hr /&gt;
      &lt;cfoutput&gt;#DateFormat(Now(), &quot;yyyy-mm-dd&quot;)# #TimeFormat(Now(), &quot;HH:mm:ss&quot;)#&lt;/cfoutput&gt;
      &lt;cfdump var=&quot;#arguments#&quot; /&gt;
    &lt;/cfsavecontent&gt;
    &lt;cffile action=&quot;append&quot; file=&quot;#ExpandPath(&apos;.\&apos;)#\dump.html&quot; output=&quot;#lc.output#&quot; /&gt;
  &lt;/cffunction&gt;
&lt;/cfcomponent&gt;

index.cfm

&lt;cfscript&gt;
  if (StructKeyExists(url, &apos;invalidate&apos;)) {
    appEvents = application.getEventInvoker();
    args = ArrayNew(1);
    args[1] = application;
    args[2] = session;
    appEvents.onSessionEnd(args);
  }
&lt;/cfscript&gt;
&lt;cfdump var=&quot;#session#&quot; /&gt;
&lt;a href=&quot;index.cfm?refresh&quot;&gt;Refresh&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;index.cfm?invalidate&quot;&gt;Invalidate&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;dump.html&quot;&gt;View onSessionEnd dumps&lt;/a&gt;

When running this, you should see sessions naturally expiring and being dumped into the “dump.html” file. Also, if you start clicking the “Invalidate” link you’ll see additional entries in the log. Success! As least as far as firing onSessionEnd goes, now we need to kill that session since you may have spotted that calling onSessionEnd won’t do the trick.

Stopping the session

This is a trick I’ve already posted about, so if you want more detail you might want to pop off and read "SessionStop(), ending a CF session". I’ll still go over the code a little here though. Hidden away in ColdFusion is coldfusion.runtime.SessionTracker. This provides a lot of secrets about sessions, but the one we’re interested in is cleanUp(java.lang.String, java.lang.String). After a lot of trial and error, I finally figured out that it accepts the application name as the first parameter and session.cfid plus session.cftoken combined using an underscore for the second parameter.

&lt;cfdump var=&quot;#CreateObject(&quot;java&quot;, &quot;coldfusion.runtime.SessionTracker&quot;)#&quot; /&gt;

Updating our index.cfm file with the following will allow us to clean the session up after onSessionEnd has fired.

index.cfm

&lt;cfscript&gt;
  if (StructKeyExists(url, &apos;invalidate&apos;)) {
    appEvents = application.getEventInvoker();
    args = ArrayNew(1);
    args[1] = application;
    args[2] = session;
    appEvents.onSessionEnd(args);

  sessionId = session.cfid &amp; &quot;_&quot; &amp; session.cftoken;
    sessionTracker = CreateObject(&quot;java&quot;, &quot;coldfusion.runtime.SessionTracker&quot;);
    sessionTracker.cleanUp(application.appName, sessionId);
  }
&lt;/cfscript&gt;
&lt;cfdump var=&quot;#session#&quot; /&gt;
&lt;a href=&quot;index.cfm?refresh&quot;&gt;Refresh&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;index.cfm?invalidate&quot;&gt;Invalidate&lt;/a&gt;&lt;br /&gt;
&lt;a href=&quot;dump.html&quot;&gt;View onSessionEnd dumps&lt;/a&gt;

Great! onSessionEnd fired and the session is cleaned up after the request. The only thing left to do is clear the session out, as you’ll see from running the code, the CFDump of the session still shows data. A good old call of StructClear(session) should do the trick.

Gift wrapped

Putting all of the above together, gives us this “backported” version of the SessionInvalidate() function from ColdFusion 10. All that’s left is to wrap it in an if statement to limit the version.

&lt;cfif ListFirst(server.coldfusion.productVersion) Lt 10&gt;
  &lt;cffunction name=&quot;SessionInvalidate&quot; output=&quot;false&quot; returntype=&quot;void&quot;&gt;
    &lt;cfscript&gt;
      var lc = StructNew();
      // Construct session ID for cleanup
      lc.sessionId = session.cfid &amp; &apos;_&apos; &amp; session.cftoken;

      // Fire onSessionEnd
      lc.appEvents = application.getEventInvoker();
      lc.args = ArrayNew(1);
      lc.args[1] = application;
      lc.args[2] = session;
      lc.appEvents.onSessionEnd(lc.args);

      // Make sure that session is empty
      StructClear(session);

      // Clean up the session
      lc.sessionTracker = CreateObject(&quot;java&quot;, &quot;coldfusion.runtime.SessionTracker&quot;);
      lc.sessionTracker.cleanUp(application.applicationName, lc.sessionId);
    &lt;/cfscript&gt;
  &lt;/cffunction&gt;
&lt;/cfif&gt;

Github

The function will be available as part of a little project on github called CFBackport. It’s going to be a collection of functions for older versions of ColdFusion to act like those added to newer releases. https://github.com/misterdai/cfbackport

Compatibility

I’ve tested this on Coldfusion 8 and I believe it’ll work on 9. Those of you using ColdFusion 7 will have to try it and let me know, but I have tried to avoid using any newer syntax (see ArrayNew(1) instead of []). Any Railo or OpenBD users will have to check their respective engines as their internals won’t be the same as Adobe ColdFusion. Although I’m sure it’s possible ;).