Every CF programmer is familiar with the basics of setting up an application and its session management. Setting the application name, enabling session management and setting the session timeout are the most basic things developers do when creating an app. If you are not familiar with this, I suggest you check out the Adobe LiveDocs.
The problem with sessions is that logging out of a CF app does not clear the session. All it does is set a flag that the user is no longer logged in. This means a user could log back in and carry on using the same session-stored variables as before, even if they close and reopen the browser (unless the server is configured to use J2EE sessions). On an app that makes heavy use of the session scope and/or has a lot of users, unless you have set a short session timeout (which can cause its own problems) you will find a lot of memory being hogged by unused sessions.
Fortunately ColdFusion gives us three ways of tackling this problem.
If you are using J2EE sessions, Adobe recommends invalidating the session as part of the logout process.
This has the effect of making the session inaccessible to subsequent page requests. However, it does not actually time out the session: it continues to exist in memory until the session timeout is reached. So this does not really tackle the memory problem; it only secures the stored session data from further retrieval.
Further, when a page request tries to access the now invalid session, the user gets an ugly error message.
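As an added example (not the original post's code), this is a minimal logout page for J2EE sessions that invalidates the underlying HttpSession; the file name `logout.cfm`, the `session.loggedIn` flag and the `login.cfm` destination are assumptions.

```cfml
<!--- logout.cfm: added example for J2EE sessions, not from the original post. --->

<!--- Run the application's own logout first (flag name assumed). --->
<cfset session.loggedIn = false>

<!--- Invalidate the servlet container's HttpSession that backs the CF session. --->
<cfset getPageContext().getSession().invalidate()>

<!--- Do not read or write the session scope after this point in the same request:
      the container rejects access to an invalidated HttpSession, which is the
      source of the error page mentioned above. --->
<cflocation url="login.cfm" addtoken="false">
</cflocation>
```

Because the session scope must not be touched after the invalidate call, anything you want to log or display about the user (username, last activity) has to be read into local variables before that line.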
If you are not using J2EE sessions, Adobe recommends clearing the session structure with structClear().
This does clear out all the user-specific data from the session, reducing it in size, but it still does not time out the session, nor does it make the session inaccessible to subsequent page requests. What it does do, however, is delete cfid, cftoken and sessionid from the session struct, leaving just the urltoken.
This can cause all sorts of strange behaviour. One thing I have noticed myself is that when you clear a session with structClear() you can still use it, i.e. set values in the session struct and so on, but you can no longer get the time since the session was last accessed. Amazingly CF can still work out how long a particular session has been inactive, so it does clear it from memory.
This method, while not perfect, does at least reduce the session to its bare minimum size.
The third technique uses the setMaxInactiveInterval() function. In essence, we can override the application-defined session timeout with our own value, which means we can time out the session after a single second. So logging the user out is as simple as directing them to a page that sets the timeout to 1 second while displaying a friendly "you have been logged out" message.
This is my preferred method of clearing user sessions when a user logs out, as it emulates the invalidate method without the nasty error message, and it works for non-J2EE sessions too.
One word of caution though: you must not allow the user to continue to any other page until the second has passed. In other words, DO NOT REDIRECT THE USER AFTER CALLING THE SETMAXINACTIVEINTERVAL() FUNCTION, otherwise the session timeout can potentially be reset to the application default.
NOTE: This technique is meant to reduce the lifetime of the session as a post-logout operation; it is not meant to serve as the actual logout mechanism. Always call your logout mechanism first, before changing the session timeout interval, in case the user somehow manages to visit another page in the app before the 1 second timeout expires.
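As an added example that is not the original post's code, the logout page below puts the last two sections together: it runs a logout routine first, then shrinks the session lifetime with setMaxInactiveInterval(), and renders the confirmation without redirecting. The logout routine removes only user-specific keys and deliberately leaves cfid, cftoken, sessionid and urltoken in place, which avoids the strange behaviour described above for structClear(session). The file name `logout.cfm`, the `logoutUser()` function, the `session.loggedIn` flag and `login.cfm` are assumptions.

```cfml
<!--- logout.cfm: added example, not from the original post. --->

<!--- Step 1: the application's own logout routine (name assumed).
      Removes user data but keeps the keys ColdFusion manages itself,
      so the session stays trackable until CF expires it. --->
<cffunction name="logoutUser" returntype="void" output="false">
    <cfset var keep = "cfid,cftoken,sessionid,urltoken">
    <cfset var key = "">
    <!--- Loop over a snapshot of the key list so deleting while iterating is safe. --->
    <cfloop list="#structKeyList(session)#" index="key">
        <cfif NOT listFindNoCase(keep, key)>
            <cfset structDelete(session, key)>
        </cfif>
    </cfloop>
    <cfset session.loggedIn = false>
</cffunction>

<cfset logoutUser()>

<!--- Step 2: override the application's session timeout for this session only,
      so the now-empty session is discarded after one second of inactivity. --->
<cfset getPageContext().getSession().setMaxInactiveInterval(javaCast("int", 1))>

<!--- Step 3: show the message here. No cflocation and no meta refresh: a
      request that arrives before the second has passed can reset the
      timeout to the application default. --->
<cfoutput>
<p>You have been logged out.</p>
<p><a href="login.cfm">Log in again</a></p>
</cfoutput>
```

The order matters for the reason the note above gives: if the user does reach another page inside that one second, the logout flag and the emptied session are already in effect, so the only thing lost is the shortened timeout, not the logout itself.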