Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
Clearing the Session
If you are not using J2EE sessions Adobes recommends clearing the session structure as follows.
This does clear out all the user specific data from the session reducing it in size, but it still does not time out the session. Nor does it make the session in accessible for subsequent page request. What it does do however is delete the cfid,cftoken and sessionid from the session struct leaving just the url token.
This can cause all sorts of strange behaviour. One thing I myself have noticed is that when you clear a session using the struct clear method you can still use it, ie set values to the session struct etc but you can no longer get the time since the session was last accessed. Amazingly CF can still work out how long a particular session has been inactive so it does clear it from memory.
This method while not perfect does at least significantly reduce the size of a session to its bare minimum.
Overriding the session timeout
This technique utilizes the "setMaxInactiveInterval()" function. In essence we can override the application defined session timeout with our own value. This means we can timeout the session after a single second. So the process of logging out the user is as simple as directing them to a screen that sets the timeout to 1 second while displaying a nice you have been logged out message to them.
<!---Set a 1 second timeout on this session--->
This is my preferred method of clearing user sessions when a user log's out as it emulates the invalidate method without the nasty error message and it works for non J2EE sessions also.
One word of caution though. You must not allow the user to continue to any other page until the second has passed. In other words "DO NOT REDIRECT THE USER AFTER CALLING THE SETMAXINACTIVEINTERVAL() FUNCTION" otherwise the session timeout can potentially be reset to the application default.
NOTE:This technique is meant to reduce the lifetime of the session as a post logout operation, it is not meant to actually serve the purpose of the actualy logout mechanism. Always call your logout mechanism first before changing the session timeout interval just in case the user does somehow manage to visit another page in the app before the 1 second timeout expires.