There are many situations when it is necessary to access a session variable from outside the actual session. You may want an administrative page to list active users or you may want to utilize a scheduled task to process data stored in user’s sessions.
While it’s simple enough to create a sessions structure in the application scope to store all sessions, cleanup becomes an issue and you’re really duplicating work that ColdFusion must be doing internally anyways. After some digging I found that ColdFusion MX has a SessionTracker class that it uses to keep track of all sessions and you can access it to!
The following test code turns on session tracking and then grabs a structure containing all session variables which is dumped to the response.
getSessionCollection is a static function that returns a structure of all sessions for the specified application, which hopefully should be the current application. The sessions structure it returns has keys of in the following form:
applicationName_cfid_cftoken
or
applicationName_jsessionid
Depending on if you’re using CF sessions or J2EE sessions. The structure value is a reference to the session scope, which itself is a structure. Once you have this reference, you can read or manipulate the session as you would with any other structure.
Thanks, it was a nice tip!
Wow! This is great! Thanks a lot!
what about this option?
<cfset keySet = session.keySet()>
<cfset iterator = keySet.iterator()>
<cfloop condition=”#iterator.hasNext()#”>
<cfset key = iterator.next()>
<cfset aSession = session.get(key)>
</cfloop>
which doesnt require accessing and internal classes
Matt
Matt,
That’s nice use of the underlying Java code I haven’t seen before. Please note that the code I posted above will grab any session, not just the current session. The code you listed will iterate through all keys in the current session, which can also be done with
<cfloop item=”key” collection=”#session#”>
Best regards,
Sam
Would you still be able to access other CF application’s session data if they were running in seperate JVM’s and/or seperate instances of JRun (ala CF for J2EE)?
In a seperate, but related question, does J2EE have any built in mechanism for sessions shared across clustered environments?
Mind if I post a UDF version of this to cflib.orb?
Ray, thanks for asking. Yes, if course go ahead and post to cflib. I’ve been meaning to post this and the unzip thing, but I seem to have misplaced my cflib password. Any chance you can add a “forgot your password” feature to cflib?
I’m not sure a license applies to two lines of code, but if it does then the license at the bottom of or blog in really tiny letter says “Attribution-ShareAlike Creative Commons License” which means copy to your hearts content, but please mention me.
Herman, this method probably would not work across CF applications running in different instances of CF, but I think the valid use cases are primarily for administrative and scheduled stuff.
The only time I can think of that you’re doing cross-application session grabbing is if you’re doing something naughty.
Yes, J2EE sessions can be shared across a cluster. Not sure how to set it up though–but I’m certain it’s going to be different for each J2EE server.
I was considering the technique for use in a single-sign-on mechanism. ‘Naughty’ intentions should certainly be a concern, especially if there is an internal mechanism for getting a list of Applications running on a given server, something along the lines of coldfusion.runtime.ApplicationTracker (a fictitious class name, as far as i know).
But, concerning multiple JVM’s (not to be confused with multiple instances of CF)…It seems that CF will spawn many JVM simultaneously when running…Are you guaranteed to have an application running in only one JVM? I suppose my point is, is this technique guaranteed to give you all current sessions for a given application?
Herman, yes, single-signon is a great use for this. I hadn’t thought of that.
Regarding multiple JVM, I’d be really surprised if one application was split among several JVM ’cause it would be really hard to implement locking and sessions in that case. My understanding is that each instance of CF had one JVM, but I could be wrong. I’d suggest askign the question in webforums and perhaps you’ll get a more definitive answer from someone with more J2EE experience. If you do, please post the URL here so we can all follow the conversation.
The coldfusion.runtime.ApplicationTracker does indeed exist but under the name of ApplicationScopeTracker instead. I have posted an entry on my blog http://tech.badpen.com/ that extends the example given here to selecting all session data across all applications currently running.
I have also posted a follow up regarding security concerns based on this functionality…
In addition, I am assuming the use of JRun in-memory session replication will enable the SessionTracker to function across clusterd MX instances. This could be used for quick “how many users online” type functionality across a load-balanced site without the use of a database or other storage mechanism.
Nice find Tim, didn’t know about ApplicationScopeTracker. I agree there is a security issue but Macromedia doesn’t (I checked with them before posting).
Fantastic tip, thanks for the heads up!
Can some one give me the sample code, how to use the above tracker which enables single login at a time(How to loop structure of structures and find the user login id, if so error message)?
Thanks,
Ravi
Can some one give me the sample code, how to use the above tracker which enables single login at a time(How to loop structure of structures and find the user login id, if so error message)?
Thanks,
Ravi
So if I want to write a message:”There is 10 active users.”, what I have to do? I only need number of active session/users on one application. Thx.
Ravi, did you run the above code and see what it dumps to the screen? It will dump a structure of all sessions listing all session variables. To ensure a user only logs into one session at a time loop through those sessions checking the login id and if found, reject second login.
Gorandri, the getSessionCollection used above returns a structure. Each element in the structure represents one active session. If you’re not familiar with how to obtain a count of elements in a structure please refer to the documentation. http://livedocs.macromedia.com
Can some one please post the sample code which loops through structure of structures , I mean for a key the value itself is a structure which has again keys? I need to digtown to last structure and find the login code in the dumped session structures.? I don’t where I am missing it is always throwing some exception whenever I am trying to loop the structure inside the structure.
Any help will be greatly appreciated?
Thanks,
Ravi.
any ideas to modify FMX2004 components?
Yeah i have some question about that too
Flash MX 2004 components are packaged up into SWC’s. SWC’s simply are a compiled version of a component. There are several benefits to this new method of packaging component but one side affect is that the code is not editable without having the original source (well at least no easily). Macromedia was nice enough to include most of the source code for the components and the source Fla used to produce those swc’s with Flash MX 2004. You can find the classes in your classes folders under classes\mx\controls (most of them are there some are in other folders in the mx folder). The Fla’s used to produce the components are provided in the Flash MX 2004\en\First Run\ComponentFLA. If you want to edit the code you can edit the .as files in the classes folder. I word of advice though. I suggest you make a copy of the files needed to a working directory if you are going to modify the code for the classes directly. I recommend you leave those class files alone as Macromedia has distributed them. Also rather than edit the class code, try to sub-class the existing classes and to achieve your customization. This is a really lengthy subject to cover in a blog comment. Maybe I’ll write a more lengthy post on the subject another time.
This is a great idea. Thanks for bringing it to my attetion.
I do have one question. I set session.member_id variable before I run the code. I was looking to see if this code displays the session.member_id variable so that way I can loop through and see if the session already exits. When I login using 3 different windows I do not see session.member_id lised in the cfdump display when I thought I would.
Can anyone help me out with this? I want to check to see if the session.member_id is in use and if it is, want to send the second user to a bad login page.
Thanks.
guys,
i was browisng thru my application and my friend saw the url and started typing the url to some other page and he got the in to the application with out loging in . he used my cftoken&cfid and
used it to login and access the application.how ever he was able to do it while i have login in.
if i logout he was not able to do it.i think iam doing some thing wrong with handling sessions or configuration in the server is wrong.
i hope you guys can help me understand more. incase you need more information please get back to my email address which is rsubu@getgroup.com.
for past 4 hrs iam going crazy.
thanks in advance,
regards
subbu
I just wanted to thanks Sam and everyone for posting and adding to this thread. This information is very useful.
Sam,
This is interesting. Even if I delete all the keys while in a specific session or do a SructClear(Session) while in a specific session, your sessiontracker code still lists the session as MyAppName_sessionidvalue with an empty structure. Why does this artifact remain even though the session was specifically removed? How long do they last. I opened up several sessions, ended them and yet they all appeared to persist?
Thanks
Sam,
This is interesting. Even if I delete all the keys while in a specific session or do a SructClear(Session) while in a specific session, your sessiontracker code still lists the session as MyAppName_sessionidvalue with an empty structure. Why does this artifact remain even though the session was specifically removed? How long do they last. I opened up several sessions, ended them and yet they all appeared to persist?
Thanks
Sam,
This is interesting. Even if I delete all the keys while in a specific session or do a SructClear(Session) while in a specific session, your sessiontracker code still lists the session as MyAppName_sessionidvalue with an empty structure. Why does this artifact remain even though the session was specifically removed? How long do they last. I opened up several sessions, ended them and yet they all appeared to persist?
Thanks
To play pacific poker http://www.pacificpoker-online.com pacific poker online poker site is your target. Inside pacific poker website you can find poker tables, information, and friends.
Here, now, go pacific poker is just for you. No need for previous experience. Pacific poker http://pacific-poker.p6.org.uk pacific poker the poker leader.
Hi,
Interesting blog!
I thought I wanted to contribute with a cool site: http://poker365.info - it has got pokernews from all the big sites, and no ads!
Enjoy
I thought I wanted to contribute with a cool site:
http://www.universityofnorthtexas.info/
Thanking you!!!!!