LDEV-6046 sessionInvalidate() de-activate old session when using database storage

Author: zspitzer

core/src/main/java/lucee/runtime/type/scope/ScopeContext.java

@@ -504,7 +504,7 @@ public Session getExistingCFSessionScope(String applicationName, String cfid) {
 		return null;
 	}
 
-	public void removeSessionScope(PageContext pc) throws PageException {
+	public void removeSessionScope(PageContext pc) {
 		removeCFSessionScope(pc);
 		removeJSessionScope(pc);
 	}
@@ -517,24 +517,30 @@ public void removeJSessionScope(PageContext pc) {
 		}
 	}
 
-	public void removeCFSessionScope(PageContext pc) throws PageException {
+	public void removeCFSessionScope(PageContext pc) {
 
 		ApplicationContext appContext = pc.getApplicationContext();
 		Map<String, Scope> context = getSubMap(cfSessionContexts, appContext.getName());
 		if (context != null) {
-			context.remove(pc.getCFID());
-			StorageScope scope = getCFScope(pc, false, Scope.SCOPE_SESSION);
-			if (scope != null) scope.unstore(pc.getConfig());
+			// LDEV-6046: Get scope BEFORE removing from memory, so we can unstore it
+			// Don't use getCFScope() as it would reload from DB and put back in memory
+			Scope scope = context.remove(pc.getCFID());
+			if (scope instanceof StorageScope) {
+				((StorageScope) scope).unstore(pc.getConfig());
+			}
 		}
 	}
 
-	public void removeClientScope(PageContext pc) throws PageException {
+	public void removeClientScope(PageContext pc) {
 		ApplicationContext appContext = pc.getApplicationContext();
 		Map<String, Scope> context = getSubMap(cfClientContexts, appContext.getName());
 		if (context != null) {
-			context.remove(pc.getCFID());
-			StorageScope scope = getCFScope(pc, false, Scope.SCOPE_CLIENT);
-			if (scope != null) scope.unstore(pc.getConfig());
+			// LDEV-6046: Get scope BEFORE removing from memory, so we can unstore it
+			// Don't use getCFScope() as it would reload from DB and put back in memory
+			Scope scope = context.remove(pc.getCFID());
+			if (scope instanceof StorageScope) {
+				((StorageScope) scope).unstore(pc.getConfig());
+			}
 		}
 	}
 

loader/build.xml

@@ -2,7 +2,7 @@
 <project default="core" basedir="." name="Lucee" 
   xmlns:resolver="antlib:org.apache.maven.resolver.ant">
 
-  <property name="version" value="7.0.2.33-SNAPSHOT"/>
+  <property name="version" value="7.0.2.34-SNAPSHOT"/>
 
   <taskdef uri="antlib:org.apache.maven.resolver.ant" resource="org/apache/maven/resolver/ant/antlib.xml">
     <classpath>

loader/pom.xml

@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>7.0.2.33-SNAPSHOT</version>
+  <version>7.0.2.34-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>

test/tickets/LDEV6046.cfc

@@ -0,0 +1,237 @@
+component extends="org.lucee.cfml.test.LuceeTestCase" labels="session,mysql" {
+
+	// LDEV-6046: sessionInvalidate() not de-activating old session when using DB for session storage
+	// Reported: After v6.2.0.321, sessionInvalidate() stopped properly invalidating sessions stored in database
+	//
+	// The bug: sessionInvalidate() switches the user's cfid token but the old session remains active.
+	// If a different browser uses the old cfid cookie value, the user is still logged in.
+	// Works fine with sessionStorage = "memory", broken with database storage.
+
+	function isMySqlNotSupported() {
+		var mySql = mySqlCredentials();
+		return isEmpty( mysql );
+	}
+
+	function run( testResults, testBox ) {
+		describe( "LDEV-6046: sessionInvalidate() with database session storage", function() {
+
+			it( title="sessionInvalidate() should de-activate old session so it cannot be reused", skip=isMySqlNotSupported(), body=function( currentSpec ) {
+				var uri = createURI( "LDEV6046" );
+
+				// First request - create session with user_id (simulating logged in user)
+				var result1 = _InternalRequest(
+					template: "#uri#/mysql/createSession.cfm"
+				);
+				var data1 = deserializeJSON( result1.filecontent.trim() );
+				expect( data1.sessionId ).notToBeEmpty();
+				expect( data1.user_id ).notToBeEmpty();
+
+				var originalSessionId = data1.sessionId;
+				var originalCfid = data1.cfid;
+				var originalCftoken = data1.cftoken;
+
+				// Second request - invalidate session (same "browser" - pass cookies)
+				var result2 = _InternalRequest(
+					template: "#uri#/mysql/invalidateSession.cfm",
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data2 = deserializeJSON( result2.filecontent.trim() );
+
+				// Verify session was invalidated and a new one created
+				expect( data2.oldSessionId ).toBe( originalSessionId );
+				expect( data2.newSessionId ).notToBe( originalSessionId, "Session ID should change after sessionInvalidate()" );
+				expect( data2.hasUserId ).toBeFalse( "New session should not have user_id from old session" );
+
+				// THE CRITICAL TEST: Simulate another browser trying to use the OLD cfid/cftoken
+				// This should NOT return the old session with user_id
+				var result3 = _InternalRequest(
+					template: "#uri#/mysql/accessWithOldCfid.cfm",
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data3 = deserializeJSON( result3.filecontent.trim() );
+
+				// The old session should NOT be accessible - user should not be "logged in"
+				expect( data3.hasUserId ).toBeFalse( "Old session should not be accessible after sessionInvalidate() - user_id should not exist" );
+			});
+
+			it( title="old session row should be deleted from database after sessionInvalidate()", skip=isMySqlNotSupported(), body=function( currentSpec ) {
+				var uri = createURI( "LDEV6046" );
+
+				// Create session
+				var result1 = _InternalRequest(
+					template: "#uri#/mysql/createSession.cfm"
+				);
+				var data1 = deserializeJSON( result1.filecontent.trim() );
+				var originalSessionId = data1.sessionId;
+				var originalCfid = data1.cfid;
+				var originalCftoken = data1.cftoken;
+
+				// Invalidate session (same browser - pass cookies)
+				var result2 = _InternalRequest(
+					template: "#uri#/mysql/invalidateSession.cfm",
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+
+				// Verify old session row is removed from database
+				var result3 = _InternalRequest(
+					template: "#uri#/mysql/checkSession.cfm",
+					url: { sessionId: originalSessionId }
+				);
+				var data3 = deserializeJSON( result3.filecontent.trim() );
+				expect( data3.sessionExists ).toBeFalse( "Old session row should be deleted from cf_session_data table" );
+			});
+
+		});
+
+		describe( "LDEV-6046: sessionInvalidate() with database session storage (sessionCluster=false)", function() {
+
+			it( title="sessionInvalidate() should de-activate old session with sessionCluster=false", skip=isMySqlNotSupported(), body=function( currentSpec ) {
+				var uri = createURI( "LDEV6046" );
+
+				// First request - create session with user_id (simulating logged in user)
+				var result1 = _InternalRequest(
+					template: "#uri#/mysql/createSession.cfm",
+					url: { sessionCluster: false }
+				);
+				var data1 = deserializeJSON( result1.filecontent.trim() );
+				expect( data1.sessionId ).notToBeEmpty();
+				expect( data1.user_id ).notToBeEmpty();
+
+				var originalSessionId = data1.sessionId;
+				var originalCfid = data1.cfid;
+				var originalCftoken = data1.cftoken;
+
+				// Second request - invalidate session (same "browser" - pass cookies)
+				var result2 = _InternalRequest(
+					template: "#uri#/mysql/invalidateSession.cfm",
+					url: { sessionCluster: false },
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data2 = deserializeJSON( result2.filecontent.trim() );
+
+				// Verify session was invalidated and a new one created
+				expect( data2.oldSessionId ).toBe( originalSessionId );
+				expect( data2.newSessionId ).notToBe( originalSessionId, "Session ID should change after sessionInvalidate()" );
+				expect( data2.hasUserId ).toBeFalse( "New session should not have user_id from old session" );
+
+				// THE CRITICAL TEST: Simulate another browser trying to use the OLD cfid/cftoken
+				var result3 = _InternalRequest(
+					template: "#uri#/mysql/accessWithOldCfid.cfm",
+					url: { sessionCluster: false },
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data3 = deserializeJSON( result3.filecontent.trim() );
+
+				// The old session should NOT be accessible - user should not be "logged in"
+				expect( data3.hasUserId ).toBeFalse( "Old session should not be accessible after sessionInvalidate() with sessionCluster=false" );
+			});
+
+			it( title="old session row should be deleted from database after sessionInvalidate() with sessionCluster=false", skip=isMySqlNotSupported(), body=function( currentSpec ) {
+				var uri = createURI( "LDEV6046" );
+
+				// Create session
+				var result1 = _InternalRequest(
+					template: "#uri#/mysql/createSession.cfm",
+					url: { sessionCluster: false }
+				);
+				var data1 = deserializeJSON( result1.filecontent.trim() );
+				var originalSessionId = data1.sessionId;
+				var originalCfid = data1.cfid;
+				var originalCftoken = data1.cftoken;
+
+				// Invalidate session (same browser - pass cookies)
+				var result2 = _InternalRequest(
+					template: "#uri#/mysql/invalidateSession.cfm",
+					url: { sessionCluster: false },
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+
+				// Verify old session row is removed from database
+				var result3 = _InternalRequest(
+					template: "#uri#/mysql/checkSession.cfm",
+					url: { sessionId: originalSessionId, sessionCluster: false }
+				);
+				var data3 = deserializeJSON( result3.filecontent.trim() );
+				expect( data3.sessionExists ).toBeFalse( "Old session row should be deleted from cf_session_data table with sessionCluster=false" );
+			});
+
+		});
+
+		describe( "LDEV-6046: sessionInvalidate() with MEMORY session storage (control test)", function() {
+
+			it( title="sessionInvalidate() should de-activate old session with memory storage", body=function( currentSpec ) {
+				var uri = createURI( "LDEV6046" );
+
+				// First request - create session with user_id (simulating logged in user)
+				var result1 = _InternalRequest(
+					template: "#uri#/memory/createSession.cfm"
+				);
+				var data1 = deserializeJSON( result1.filecontent.trim() );
+				expect( data1.sessionId ).notToBeEmpty();
+				expect( data1.user_id ).notToBeEmpty();
+
+				var originalSessionId = data1.sessionId;
+				var originalCfid = data1.cfid;
+				var originalCftoken = data1.cftoken;
+
+				// Second request - invalidate session (same "browser" - pass cookies)
+				var result2 = _InternalRequest(
+					template: "#uri#/memory/invalidateSession.cfm",
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data2 = deserializeJSON( result2.filecontent.trim() );
+
+				// Verify session was invalidated and a new one created
+				expect( data2.oldSessionId ).toBe( originalSessionId );
+				expect( data2.newSessionId ).notToBe( originalSessionId, "Session ID should change after sessionInvalidate()" );
+				expect( data2.hasUserId ).toBeFalse( "New session should not have user_id from old session" );
+
+				// THE CRITICAL TEST: Simulate another browser trying to use the OLD cfid/cftoken
+				// With memory storage, this should work correctly
+				var result3 = _InternalRequest(
+					template: "#uri#/memory/accessWithOldCfid.cfm",
+					cookies: {
+						cfid: originalCfid,
+						cftoken: originalCftoken
+					}
+				);
+				var data3 = deserializeJSON( result3.filecontent.trim() );
+
+				// The old session should NOT be accessible - user should not be "logged in"
+				expect( data3.hasUserId ).toBeFalse( "Old session should not be accessible after sessionInvalidate() - user_id should not exist (memory storage)" );
+			});
+
+		});
+	}
+
+	private string function createURI( string calledName ) {
+		var baseURI = "/test/#listLast( getDirectoryFromPath( getCurrentTemplatePath() ), "\/" )#/";
+		return baseURI & calledName;
+	}
+
+	private struct function mySqlCredentials() {
+		return server.getDatasource( "mysql" );
+	}
+
+}

test/tickets/LDEV6046/memory/Application.cfc

@@ -0,0 +1,23 @@
+component {
+	this.name = "ldev-6046-memory-" & hash( getCurrentTemplatePath() );
+	this.sessionManagement = true;
+	this.sessionTimeout = createTimeSpan( 0, 0, 5, 0 );
+	this.setClientCookies = true;
+
+	// Use memory for session storage - this should work correctly
+	this.sessionStorage = "memory";
+
+	public function onRequestStart() {
+		setting requesttimeout=10 showdebugOutput=false;
+	}
+
+	function onSessionStart() {
+		systemOutput("------onSessionStart (memory)", true);
+		session.started = now();
+	}
+
+	function onSessionEnd( sessionScope, applicationScope ) {
+		systemOutput("------onSessionEnd (memory)", true);
+		server.LDEV6046_ended_sessions[ arguments.sessionScope.sessionid ] = now();
+	}
+}

test/tickets/LDEV6046/memory/accessWithOldCfid.cfm

@@ -0,0 +1,14 @@
+<cfscript>
+	// This simulates another browser/request trying to access with the OLD cfid/cftoken
+	// After sessionInvalidate(), this should NOT return a valid session with user_id
+
+	result = {
+		sessionId: session.sessionid,
+		hasUserId: structKeyExists( session, "user_id" ),
+		userId: session.user_id ?: "",
+		hasTestValue: structKeyExists( session, "testValue" ),
+		testValue: session.testValue ?: ""
+	};
+
+	echo( serializeJSON( result ) );
+</cfscript>

test/tickets/LDEV6046/memory/createSession.cfm

@@ -0,0 +1,19 @@
+<cfscript>
+	// Store test value if provided
+	if ( structKeyExists( url, "testValue" ) ) {
+		session.testValue = url.testValue;
+	}
+
+	// Set a marker to prove session is active
+	session.user_id = createUUID();
+
+	result = {
+		sessionId: session.sessionid,
+		cfid: session.cfid,
+		cftoken: session.cftoken,
+		user_id: session.user_id,
+		testValue: session.testValue ?: ""
+	};
+
+	echo( serializeJSON( result ) );
+</cfscript>

test/tickets/LDEV6046/memory/invalidateSession.cfm

@@ -0,0 +1,23 @@
+<cfscript>
+	// Capture old session info before invalidation
+	oldSessionId = session.sessionid;
+	oldCfid = session.cfid;
+	oldCftoken = session.cftoken;
+
+	// This is the function we're testing
+	sessionInvalidate();
+
+	// After invalidation, we should have a NEW session
+	result = {
+		oldSessionId: oldSessionId,
+		oldCfid: oldCfid,
+		oldCftoken: oldCftoken,
+		newSessionId: session.sessionid,
+		newCfid: session.cfid,
+		newCftoken: session.cftoken,
+		hasTestValue: structKeyExists( session, "testValue" ),
+		hasUserId: structKeyExists( session, "user_id" )
+	};
+
+	echo( serializeJSON( result ) );
+</cfscript>