The conclusion of the following question was that rebuilding the session token after switching from HTTP to HTTPS is a good idea:
In ColdFusion do I need to reestablish session tokens after switch from http to https?
The question is, what is the most effective way to do so?
This is one of those easier-said-than-done things.
It has been a while since I have researched this, so please take this with the understanding that you may need to troubleshoot it.
For Java EE sessions I think it is a bit easier because you can call invalidate() on the session. But, unfortunately, that is only half of the battle. You really have several problems to solve. They are:

1. Find some way to store any existing session data that you need (serialize and store)
2. Invalidate the old session (possible with both Java EE and CF sessions, but the way to do it with CF sessions is undocumented)
3. Expire the old cookies
4. Create a new session
5. Copy the data from the old session that you stored in step 1 into the new session
6. Set new cookies for the new session
This may not seem too tricky; the potentially hard part is doing it in one request, since normally a session is not created until a request is made and cookies are not set until a response is returned.
I think it is easiest using Java EE because you can call invalidate() on the old session, and get a new one by calling getRequestContext().getSession() (I believe this is the case, and I believe it ONLY works with Java EE sessions).
I have contemplated how to do these things with CF sessions, and the only thing I can think of is to have the code that is creating a new session make a CFHTTP request to a page on the site so that a new session can be created. The CFHTTP response will have a new cookie in it; then you can expire the old cookies and set the new ones using the tag.
Hope this helps
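Added example, not from the question or the answer above: ColdFusion 10 and later ship sessionRotate(), which does the six steps listed in the answer in one call for CF-managed sessions (the assumption here; J2EE sessions are not covered). The Application.cfc below rotates the session once, on the first request that arrives over TLS, and marks the replacement cookie Secure; the application name, the rotatedForHttps key and the proxy-header comment are assumptions.

```cfml
<!--- Application.cfc (added example). Assumes ColdFusion 10+ with CF session management, not J2EE sessions. --->
component {
    this.name = "httpsRotateDemo";                 // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan(0, 0, 30, 0);

    // This pseudo-constructor runs on every request, so the cookie flags can follow the transport:
    // HttpOnly always; Secure only once the request is on TLS, so the rotated CFID/CFTOKEN
    // are never sent back over plain HTTP. (Behind a TLS-terminating proxy, cgi.server_port_secure
    // is not reliable; a forwarded-proto header from the proxy would be needed instead.)
    this.sessioncookie = {
        httponly = true,
        secure   = (cgi.server_port_secure eq "1")
    };

    public boolean function onRequestStart(required string targetPage) {
        var isHttps = (cgi.server_port_secure eq "1");

        if (isHttps and not structKeyExists(session, "rotatedForHttps")) {
            // Steps 1-6 in one call: copy the session data, invalidate the old session,
            // create a new one, copy the data back, and send new CFID/CFTOKEN cookies.
            sessionRotate();
            // Written into the NEW session, so the rotation happens once per session,
            // not on every HTTPS request.
            session.rotatedForHttps = now();
        }
        return true;
    }
}
```

After the rotation the old CFID/CFTOKEN pair no longer resolves to a session, so a token captured on the HTTP side of the site is useless on the HTTPS side.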