Hello,
how can I rotate the session id if I’m using this.sessionType = 'j2ee'; ? sessionRotate() seems not to work.
Using latest lucee.
Best regards,
Gunnar
@gunnar.lieb can you please file a bug in Jira for this issue: https://luceeserver.atlassian.net ?
Also please share your code to replicate the issue in that ticket
I’m not sure if this is really a bug or some information missing in the documentation.
Please see here https://lucee.daemonite.io/t/any-gotchas-with-sessionrotate/2827
Igal wrote:
When you use JEE Sessions Lucee has no control over the session or the cookie, so SessionRotate() will not work.
Consult your Servlet Container’s documentation for a similar solution, and if you find one please post it here as well for the benefit of others.
I’m still wondering how to make this work with Tomcat
You should be able to use getPageContext().getRequest.changeSessionId()
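As an added example (not code from the thread or from Lucee itself), this is how the suggestion above looks as a reusable CFML function for an application running with this.sessionType = "j2ee" on a Servlet 3.1 or newer container (changeSessionId() was introduced in Servlet 3.1). The user id value is a constructed placeholder.

```cfml
<cfscript>
// Rotate the servlet container's (JEE) session id while keeping the session data.
// Intended to be called right after a privilege change such as a successful login,
// so that a session id issued before authentication is no longer valid (session fixation defence).
function rotateJeeSession() {
    // javax.servlet.http.HttpServletRequest of the current request
    var httpRequest = getPageContext().getRequest();
    var oldId = httpRequest.getSession().getId();

    // Marker to verify that the container carried the session attributes over to the new id
    var marker = createUUID();
    session.rotationMarker = marker;

    // changeSessionId() asks the container for a fresh id and re-issues the JSESSIONID cookie;
    // existing session attributes are retained (unlike invalidate() followed by a new session).
    var newId = httpRequest.changeSessionId();

    return {
        "oldId":        oldId,
        "newId":        newId,
        "idChanged":    oldId != newId,
        "dataRetained": structKeyExists(session, "rotationMarker") && session.rotationMarker == marker
    };
}

// Usage after authentication succeeded (placeholder user id, constructed for this example)
session.userId = 42;
result = rotateJeeSession();
if (!result.idChanged || !result.dataRetained) {
    // Fail closed: do not continue with a session that could not be rotated
    throw(type = "SessionRotationFailed", message = "JEE session id was not rotated or session data was lost");
}
</cfscript>
```

On containers older than Servlet 3.1 the call fails with a method-not-found error, which the throw above turns into a visible failure instead of a silently unrotated session.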
Thanks, that worked!
Revisiting this issue, is there any reason why sessionRotate() cannot copy the session info over when using JEE sessions as it does with cfml sessions?
We have our own function that just calls getPageContext().getRequest.changeSessionId() and it works just fine, but wondering why Lucee’s sessionRotate() doesn’t do the same with JEE sessions? The getPageContext().getRequest.changeSessionId() has been part of the java servlet spec for an awfully long time now.
Yes, there is a reason why sessionRotate() cannot copy the session over when you use JEE sessions as it does with CFML sessions. It is intentional and the main reason has to do with the span of each session type. That is, what you may think of as its jurisdiction.
A CFML session is owned by the CFML engine, has moderate entropy (security-wise) and spans just one application. Whereas a JEE session is owned by the underlying servlet container, has high entropy and may be shared across multiple applications.
The function sessionRotate() applies to the CFML engine, not to the servlet container. Hence it won’t work with JEE sessions.
For more detailed explanations why sessionRotate() and sessionInvalidate() won’t work for JEE, see Pete Freitag’s blog:
Thank you. I understand that and am familiar with those articles.
As I see it, Lucee provides for two types of session management: CFML and JEE. It provides functions (e.g. sessionInvalidate(), sessionRotate(), etc.) to help with the management of those sessions.
I posit that if those functions can behave the same for both session types, then they should strive to do so.
The changeSessionId() has been a part of the official Java Servlet specification for a long time, meaning it is a portable solution supported by all compliant servlet containers. Indeed, this ticket seems to indicate that the Lucee team has interest in getting its session management functions to work across both types of sessions. I’m just asking about completing that work.
It’s not currently working as it stands? I did a lot of work on session management, but it’s been a while.
https://luceeserver.atlassian.net/browse/LDEV-5942
CFML sessions are somewhat different to JEE sessions, mainly because with CFML sessions we, aka Lucee, have complete end to end control over them, while JEE sessions are a little more challenging as they’re tied to the servlet engine.
Take unit tests as an example: we can do complete testing of CFML sessions in our test suite, but the JEE session tests need to be run via Tomcat.
I did a lot of work on this, so some of the session management tests can detect if they are being run via Tomcat and then they can do the JEE tests when running under a servlet.
I fixed the following related bugs in the latest 6.2.4 and 7.0.1 SNAPSHOTS:
https://luceeserver.atlassian.net/browse/LDEV-3248
https://luceeserver.atlassian.net/browse/LDEV-5730
https://luceeserver.atlassian.net/browse/LDEV-5942
@Zackster Thank you! I will test the above fixes this weekend.
Confirmed that this is working in 7.0.1.89 - great job!
That’s exactly the problem. Those functions cannot behave the same for both session types.
Take sessionRotate(), for example. With CFML sessions, it internally does something like this:
However, with JEE sessions:
I disagree. The java servlet API does have such a method: changeSessionId() and CFML can instruct the servlet container to do that. Indeed, Lucee now does just that if you look at LDEV-5942 that @Zackster posted above. And now, when calling sessionRotate() when using JEE sessions, the session ID is changed and the session data copied over.
Why can’t sessionRotate() just call the above code when in j2ee?
As @Leftbower says it’s actually all implemented and fixed
super awesome