What is the best way from an admin to force a logo...
# luceel
leftbower
09/14/2022, 11:47 PMWhat is the best way from an admin to force a logout of all users to an application (effectively forcing them to re-login at their next request)? The users are stored in J2EE sessions.
Currently playing with this code, but is it safe/wise? Are there better ways to do it? FWIW, we're probably only talking about just a couple hundred users logged in at any given time.
Copy code
var userSessions = createObject( "java", "coldfusion.runtime.SessionTracker" ).getSessionCollection( application.applicationName );
userSessions.each( ( user ) => structClear( userSessions[ user ] ) );s
Scott Steinbeck
09/15/2022, 1:26 AMare you opposed to restarting the server?
Scott Steinbeck
09/15/2022, 1:27 AMalso this: https://www.petefreitag.com/item/913.cfm
w
websolete
09/15/2022, 1:36 AMif the situation is you've made some change to a session object or session vars and you need everyone to login anew to pick up the changes, i'd have to go along with just recycling the server instance, simple and certain
z
zackster
09/15/2022, 7:38 AMthis is what Micha has been planning to add to achieve just this! https://dev.lucee.org/t/applicationinvalidate-serverinvalidate/10985
r
Rodney
09/15/2022, 11:55 AMThis is why I also create a token in a database table for user logins. That way I can just invalidate those tokens and force a login for everyone.
l
leftbower
09/15/2022, 7:30 PM@Scott Steinbeck thx. Would prefer not to cycle the whole server. Also, I think the article from @foundeo doesn't allow an admin to remotely invalidate multiple users' sessions?
@websolete that's correct, adding new data to session objs that needs to be picked up, preferably on the next request.
@Rodney how does that work exactly? Or are you having each user hit the db on every request?
So is the use of the
"coldfusion.runtime.SessionTracker"w
websolete
09/15/2022, 7:35 PMi like rodney's idea tbh. you have an application variable with a token, maybe something like
application.sessionControl = gettickcount();websolete
09/15/2022, 7:36 PMi'm not sure it needs to come from a db, feels like gettickcount() persisting for the lifespan of the application would be fine, but maybe rodney has some specific experience that led him to store it in the db
r
Rodney
09/15/2022, 7:38 PM@Scott Steinbeck Yes, it hits the database on every request but it's so fast it's negligible. You can also do what Kevin said. Depends on how much control you want. We do it at the user level so we can kill all of an individual user's sessions or everyone's sessions.
Rodney
09/15/2022, 7:40 PMWell, technically the session still exists. It's just invalid to the application if the token doesn't exist for the user.
s
Scott Steinbeck
09/15/2022, 7:40 PMand implementation of pete’s solution is to set a date in the application scope and check to see if the session has that date and it matches otherwise invalidate their session, from the requestStart
Scott Steinbeck
09/15/2022, 7:40 PMthen for future instances where token invalidation needs to happen, just update the date in the application scope
Scott Steinbeck
09/15/2022, 7:44 PM Copy code
function onRequestStart(){
application.sessionStartDate = '2022-10-15';
if(!structKeyExists(session,'sessionStartDate') || session.sessionStartDate != application.sessionStartDate){
//invalidate token here
}
}w
websolete
09/15/2022, 7:46 PMSo is the use of theit certainly was in the past, not sure what the prevailing sentiment is about it nowadays. back when it was thrown around it would grind miserably if you had anything more than 'a few' sessions, whatever that number was. it was just a costly/uncodumented way of 'managing' sessionsa bad or unsafe practice?"coldfusion.runtime.SessionTracker"
l
leftbower
09/15/2022, 7:47 PMThank you all!
Yeah, I was looking at writing up something similar to the application scoped token to check per request - which would work great for logging out all users. But then when I found out about
coldfusion.runtime.SessionTracker6 Views