Every CF programmer is familiar with the basics setting up an application and its session management. Setting the application name, enabling session management and setting the session timeout are the most basic things developers do when creating an app. If you are not familiar with this then I suggest you checkout the adobe livedocs.

Sessions variables and Logout

The problem with sessions is that logging out of a CF app does not clear the session. All it does is set a flag that the user is no longer logged in. This means that a user could log back in and continue on using the same session stored variables as before even if they close and reopen the browser (unless the server is configured to use J2EE sessions). On an app that makes heavy use of the session scope and/or has alot of users, unless you have a short session timeout set (which can cause its own problems) you will find that you have alot of memory being hogged by unused sessions.

Fortunately ColdFusion gives us three ways of tackling this problem.

1. Invalidating the session (only works for J2EE sessions)
2. Clearing the contents of the session
3. Overriding the default session timeout at logout

Invalidating the session

If you are using J2EE sessions Adobes recommends invalidating the session as part of the logout process.

<cfset getPageContext().getSession().invalidate()>

This has the effect of making the session inaccessible to subsequent page requests. However it does not actually timeout the session. It still continues to exist in memory until the sessiontimeout is reached. This actually does not tackle the problem, it only secures the stored session data from further retrieval.

Further when/if a page request tries to access the now invalid session the user will get an ugly error message.