The following rules apply to ending a session and deleting Session scope variables:
- If you use ColdFusion session management, ColdFusion automatically ends sessions and deletes all Session scope variables if the client is inactive for the session time-out period. The session does not end when the user closes the browser.
- If you use J2EE session management, ColdFusion ends the session and deletes all Session scope variables if the client is inactive for the session time-out period. However, the browser continues to send the same session ID, and ColdFusion will reuse this ID for sessions with this browser instance, as long as the browser remains active.
- Logging a user out does not end the session or delete Session scope variables.
- In many cases, you can effectively end a session by clearing the Session scope, as shown in the following line. The following list, however, includes important limitations and alternatives:
<cfset StructClear(Session)>
- Clearing the Session scope does not clear the session ID, and future requests from the browser continue to use the same session ID until the browser exits. It also does not log the user out, even if you use Session scope storage for login information. Always use the cflogout tag to log users out.
- If you use J2EE session management, you can invalidate the session, as follows:
<cfset getPageContext().getSession().invalidate()>
This line creates a pointer to the servlet page context and calls an internal method to reset the session. This clears all session information, including the session ID Session scope variables, and if you are using session login storage, the login information, for future request. However, the session information does remain available until the end of the current request. After you invalidate a session, attempts by the browser to access the application will generate an invalid session exception until the session times out.
Note: You cannot destroy the session and create a session on the same request, as creating a new session involves sending session cookies back.
- If you do not use client cookies, the Session scope and login state is available to your application only as long as you pass the session's CFID, CFTOKEN, and, for J2EE sessions, jsessionid values in the URL query string. After you stop using these values, however, the session data remains in memory until the session time-out period elapses.