How sessions are managed in ColdFusion and J2EE
What is a session?
A session refers to all the connections that a single client makes to a server while viewing the pages associated with a given application. Sessions are specific to both the individual user and the application. Thus, every user of an application has a separate session and has access to a separate set of session variables.
This logical view of a session begins with the first connection to an application by a client and ends after that client's last connection. However, because of the stateless nature of the web, it is not always possible to define a precise point at which a session ends. A session should end when the user finishes using an application. In most cases, however, a web application has no way of knowing if a user has finished or is just lingering over a page.
Therefore, sessions always terminate after a time-out period of inactivity. If the user does not access a page of the application within this time-out period, ColdFusion interprets this as the end of the session and clears any variables associated with that session.
The default time-out for session variables is 20 minutes. You can change the default time-out on the Memory Variables page in the Server Settings area of the ColdFusion Administrator. The appropriate amount of time depends on the web application. For example, a trading application should have a short session time: if a user leaves without logging out, and another user logs on to the application some time later, the second user cannot continue with the first user's session.
You can also set the time-out period for session variables inside a specific application by setting the this.sessionTimeout variable in Application.cfc or by using the cfapplication tag's sessionTimeout attribute. However, you cannot set a time-out value that is greater than the maximum session time-out value set on the Administrator's Memory Variables page.
There are two ways you can manage session data in ColdFusion:
- ColdFusion sessions
- J2EE sessions
ColdFusion session management
A ColdFusion session uses CFID and CFToken to identify the client. Whenever a client visits your application within a fixed time, the page requests are part of the same session. By default, the time is set to 20 minutes. If more than 20 minutes pass without the client issuing a new request, the session times out.
If you use ColdFusion session variables, the session scope has four built-in variables that your application can use. The table below describes the variables:
| Variable | Description |
|---|---|
| Session.CFID | ColdFusion session management only: the client ID, normally stored on the client system as a cookie. |
| Session.CFToken | ColdFusion session management only: the client security token, normally stored on the client system as a cookie. |
| Session.URLToken | ColdFusion session management: a combination of the CFID and CFToken values in the form CFID=IDNum&CFTOKEN=tokenNum. Use this variable if the client does not support cookies and you must pass the CFID and CFToken variables from page to page. |
| Session.SessionID | A unique identifier for the session. ColdFusion session management: a combination of the application name and the CFID and CFToken values. |
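An Application.cfc that applies the settings described above (ColdFusion session management, an application-specific inactivity time-out shorter than the 20-minute default, and the session lifecycle methods). This is an added example, not code from the original page; the application name, the 5-minute value and the log text are constructed for illustration.

```cfml
<!--- Application.cfc: added example, not taken from the original page.
      Application name and time-out value are constructed for illustration. --->
<cfcomponent output="false">
    <!--- The application name forms part of Session.SessionID under ColdFusion session management --->
    <cfset this.name = "TradingDeskDemo">
    <cfset this.sessionManagement = true>
    <!--- Inactivity time-out as days, hours, minutes, seconds. A short value suits a trading-style
          application; 5 minutes here overrides the 20-minute default. It cannot exceed the maximum
          session time-out set on the Administrator's Memory Variables page. --->
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 5, 0)>
    <!--- Send CFID and CFToken as cookies so the client is recognised on later requests --->
    <cfset this.setClientCookies = true>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Runs once when ColdFusion creates a new session: on the first request, or on the first
              request after a time-out. Nothing from a previous user's expired session is visible here. --->
        <cfset session.loggedIn = false>
        <cfset session.startedAt = now()>
    </cffunction>

    <cffunction name="onSessionEnd" returntype="void" output="false">
        <cfargument name="sessionScope" type="struct" required="true">
        <cfargument name="appScope" type="struct" required="false">
        <!--- Runs when the time-out elapses. Only the two arguments are available here, not the
              Session scope itself; record the end of the session for audit purposes. --->
        <cflog file="#arguments.appScope.applicationName#"
               text="Session #arguments.sessionScope.sessionid# ended after inactivity">
    </cffunction>
</cfcomponent>
```

For clients that do not accept cookies, wrap links in urlSessionFormat(), which appends the Session.URLToken values only when the client needs them, rather than placing CFID and CFTOKEN in every URL.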
J2EE session management
A J2EE session can be shared by ColdFusion and other Java code (JSP, servlets, and so on). A J2EE session uses jsessionid to identify sessions. jsessionid is not persistent and expires when you close the browser. If a user closes the browser and reopens the application, an entirely new session starts.
To enable the J2EE session variables feature, select the Use J2EE Session Variables check box on the ColdFusion Administrator’s Memory Variables page.
Once you enable this option, sessions will expire whenever the user closes their browser, or when the session timeout period elapses between requests (whichever comes first).
If you use J2EE session management, the Session scope has two built-in variables, as described below:
| Variable | Description |
|---|---|
| Session.URLToken | J2EE session management: a combination of the CFID and CFToken cookies and the J2EE session ID, in the form CFID=IDNum&CFTOKEN=tokenNum&jsessionid=SessionID. |
| Session.SessionID | A unique identifier for the session. J2EE session management: the jsessionid value. |
There are some advantages to using J2EE session variables over ColdFusion session variables:
- J2EE sessions end when you close the browser. This is not the case with ColdFusion session variables.
- A J2EE session scope is serializable, which allows session variables to be shared across servers.
- J2EE session management uses a session-specific session identifier, jsessionid, which is created afresh at the start of each session.
We recommend using J2EE session management if:
- You want to maximize session security, particularly if you also use client variables.
- You want to share session variables between ColdFusion pages and JSP pages or servlets in a single application.
- You want to be able to manually terminate a session while maintaining the client identification cookie for use by the Client scope.
- You want to support clustered sessions; for example, to support session failover among servers.
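A logout page that terminates the session manually while keeping the client identification cookie, as the third recommendation above describes. This is an added example, not code from the original page; it assumes J2EE session variables are enabled, ColdFusion 9.0.1 or later (where sessionInvalidate() is available), and an Application.cfc that enables clientManagement; the variable names and target page are constructed.

```cfml
<!--- logout.cfm: added example, not taken from the original page.
      Assumes J2EE session variables are enabled and ColdFusion 9.0.1 or later. --->
<cfif structKeyExists(session, "loggedIn") AND session.loggedIn>
    <!--- Record the logout against the client, not the session: the Client scope is keyed by the
          CFID/CFToken cookies, which survive the session ending (assumes clientManagement is on) --->
    <cfset client.lastLogout = now()>
</cfif>

<!--- Destroys the server-side J2EE session (the jsessionid) so none of its variables can be reused,
      but leaves the CFID and CFToken cookies in place. The next request receives a new
      Session.SessionID and runs onSessionStart again. --->
<cfset sessionInvalidate()>

<!--- Redirect without appending CFID/CFTOKEN to the URL; the cookies already carry them --->
<cflocation url="login.cfm" addtoken="false">
```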