Use session variables when you need the variables for a single site visit or set of requests. For example, you might use session variables to store a user's selections in a shopping cart application. (Use client variables if you need a variable in multiple visits.)
Caution: Put code that uses session variables inside cflock tags in circumstances that might result in race conditions from multiple accesses to the same variable. For information on using cflock tags see Locking code with cflock.
This section describes the following topics:
A session refers to all the connections that a single client might make to a server in the course of viewing any pages associated with a given application. Sessions are specific to both the individual user and the application. As a result, every user of an application has a separate session and has access to a separate set of session variables.
This logical view of a session begins with the first connection to an application by a client and ends after that client's last connection. However, because of the stateless nature of the web, it is not always possible to define a precise point at which a session ends. A session should end when the user finishes using an application. In most cases, however, a web application has no way of knowing if a user has finished or is just lingering over a page.
Therefore, sessions always terminate after a time-out period of inactivity. If the user does not access a page of the application within this time-out period, ColdFusion interprets this as the end of the session and clears any variables associated with that session.
The default time-out for session variables is 20 minutes. You can change the default time-out on the Memory Variables page in the Server Settings area in the ColdFusion MX Administrator.
You can also set the time-out period for session variables inside a specific application (thereby overruling the Administrator default setting) by setting the Application.cfc This.sessionTimeout variable or by using the cfapplication tag sessionTimeout attribute. However, you cannot set a time-out value for that is greater than the maximum session time-out value set on the Administrator Memory Variables page.
For detailed information on ending sessions and deleting session variables, see Ending a session.
The ColdFusion server can use either of the following types of session management:
ColdFusion session management uses the same client identification method as ColdFusion client management.
J2EE session management provides the following advantages over ColdFusion session management:
jsessionid, which is created afresh at the start of each session.
Therefore, consider using J2EE session management in any of the following cases: