Session Management / JWT

dev support
1

I have a usual website and created a folder “api”. You login and get a JWT Bearer-Token to access the (jsons-) endpoints A,B,C,… Nothing special so far.

But for each request to the endpoints, there will be a new session created, as we only get the JWT Bearer Token and not the CFID/CFTOKEN for the session. So, within a short time period, the server has to handle > 3000 Session until the timeout will hit (or like current the java heap space)

I am sure, I am not the first person here with such a problem - how do you handle it?

Create an Application.cfc in the api-folder and disable session management for the subfolder? Any way to merge the JWT Token and the Sessions?
Any other ideas?

Thanks!

2

if you don’t put anything in the session scope*, a session isn’t created

*that includes doing a structKeyExists(), use sessionExists instead

try it out with an Application.cfc which enables session management

go.cfm

<h1>hello world</h1>

go.cfm doesn’t touch the session scope

D:\tmp\session>curl -v http://7.localhost:7888/session/go.cfm
* Host 7.localhost:7888 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:7888...
* Connected to 7.localhost (::1) port 7888
* using HTTP/1.x
> GET /session/go.cfm HTTP/1.1
> Host: 7.localhost:7888
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200
< Content-Type: text/html;charset=UTF-8
< Content-Length: 20
< Date: Tue, 01 Jul 2025 16:31:49 GMT
<
<h1>hello world</h1>
* Connection #0 to host 7.localhost left intact

adding a session.hello=1, that triggers creating a session and returning Set-Cookie headers

go.cfm

<h1>hello world</h1>
<cfset session.hello=1>

results in

D:\tmp\session>curl -v http://7.localhost:7888/session/go.cfm
* Host 7.localhost:7888 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:7888...
* Connected to 7.localhost (::1) port 7888
* using HTTP/1.x
> GET /session/go.cfm HTTP/1.1
> Host: 7.localhost:7888
> User-Agent: curl/8.13.0
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: cfid=abff08ba-60f9-4211-a36b-14f031206235;Path=/;Expires=Mon, 21-Jul-2025 18:06:02 GMT;Secure;HttpOnly;SameSite=Strict
< Set-Cookie: cftoken=0;Path=/;Expires=Mon, 21-Jul-2025 18:06:02 GMT;Secure;HttpOnly;SameSite=Strict
< Content-Type: text/html;charset=UTF-8
< Content-Length: 22
< Date: Tue, 01 Jul 2025 16:27:58 GMT
<
<h1>hello world</h1>
* Connection #0 to host 7.localhost left intact

With 6.2, handling of memory sessions has also been improved

https://luceeserver.atlassian.net/browse/LDEV-5245

2 Likes
3

Never thought to check that.

I just put an /api folder with separate application.cfc wtih sessions turned off and just never called a session var, otherwise shares codebase (which takes both app types into account), we also have some flagging that flips a bit on sessionmanagment.

Oh man, now I’m going to go away and waste 3 hours on protyping the variations… #obsessed.

So if i create a session in one client, then another client comes, there is no session until they trigger something stored in session? (so no session placeholder until then? #makessense)