I have a regular website and created a folder “api”. You log in and get a JWT bearer token to access the (JSON) endpoints A, B, C, … Nothing special so far.
But for each request to the endpoints, a new session is created, as we only get the JWT bearer token and not the CFID/CFTOKEN for the session. So, within a short time period, the server has to handle > 3000 sessions until the timeout hits (or, as is currently the case, the Java heap space).
I am sure I am not the first person here with such a problem. How do you handle it?
Create an Application.cfc in the api folder and disable session management for the subfolder? Is there any way to merge the JWT token and the sessions?
Any other ideas?
Thanks!
if you don’t put anything in the session scope*, a session isn’t created
*that includes doing a structKeyExists(); use sessionExists() instead
try it out with an Application.cfc which enables session management
go.cfm
<h1>hello world</h1>
go.cfm doesn’t touch the session scope
D:\tmp\session>curl -v http://7.localhost:7888/session/go.cfm
* Host 7.localhost:7888 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:7888...
* Connected to 7.localhost (::1) port 7888
* using HTTP/1.x
> GET /session/go.cfm HTTP/1.1
> Host: 7.localhost:7888
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200
< Content-Type: text/html;charset=UTF-8
< Content-Length: 20
< Date: Tue, 01 Jul 2025 16:31:49 GMT
<
<h1>hello world</h1>
* Connection #0 to host 7.localhost left intact
adding a session.hello=1, that triggers creating a session and returning Set-Cookie headers
go.cfm
<h1>hello world</h1>
<cfset session.hello=1>
results in
D:\tmp\session>curl -v http://7.localhost:7888/session/go.cfm
* Host 7.localhost:7888 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:7888...
* Connected to 7.localhost (::1) port 7888
* using HTTP/1.x
> GET /session/go.cfm HTTP/1.1
> Host: 7.localhost:7888
> User-Agent: curl/8.13.0
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: cfid=abff08ba-60f9-4211-a36b-14f031206235;Path=/;Expires=Mon, 21-Jul-2025 18:06:02 GMT;Secure;HttpOnly;SameSite=Strict
< Set-Cookie: cftoken=0;Path=/;Expires=Mon, 21-Jul-2025 18:06:02 GMT;Secure;HttpOnly;SameSite=Strict
< Content-Type: text/html;charset=UTF-8
< Content-Length: 22
< Date: Tue, 01 Jul 2025 16:27:58 GMT
<
<h1>hello world</h1>
* Connection #0 to host 7.localhost left intact
With 6.2, handling of memory sessions has also been improved
https://luceeserver.atlassian.net/browse/LDEV-5245
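The two points above (an Application.cfc for the api subfolder, and never touching the session scope so Lucee has no reason to create a session) combined into one example; this is added illustration, not code from either poster. It assumes the api folder should not inherit the parent site's Application.cfc, that the application name "mysite" is a placeholder, and that verifyJwt() is a hypothetical helper that validates the token's signature and expiry and returns its claims.

```cfml
// api/Application.cfc (added example; placeholder names, see lead-in)
component {
    // Assumed application name; substitute your own.
    this.name = "mysite";

    // No server-side session for the API: the bearer token carries the
    // authentication state, so nothing is ever written to the session scope
    // and Lucee does not create a CFID/CFTOKEN session for these requests.
    this.sessionManagement = false;
    this.clientManagement  = false;
    this.setClientCookies  = false;

    public boolean function onRequestStart( required string targetPage ) {
        var headers = getHttpRequestData().headers;
        var auth    = headers.Authorization ?: "";

        if ( !reFindNoCase( "^Bearer\s+\S+$", auth ) ) {
            return reject( "missing bearer token" );
        }

        // Everything after the "Bearer " prefix is the token itself.
        var token = trim( listRest( auth, " " ) );
        try {
            // Hypothetical helper: returns the claims struct or throws.
            request.claims = verifyJwt( token );
        } catch ( any e ) {
            return reject( "invalid token" );
        }

        // Per-request state belongs in the request scope, never the
        // session scope (and never structKeyExists(session, ...), which
        // would itself force a session to be created).
        request.userId = request.claims.sub;
        return true;
    }

    // Send a 401 JSON body and stop processing the requested page.
    private boolean function reject( required string reason ) {
        cfheader( statuscode=401, statustext="Unauthorized" );
        cfcontent( type="application/json", reset=true );
        writeOutput( serializeJSON( { "error": arguments.reason } ) );
        return false;
    }
}
```

With this in place a request to an endpoint under /api should come back without any Set-Cookie: cfid/cftoken headers, which is the same check the curl output above demonstrates.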