
Session bleed CF 5

Community Beginner, Sep 27, 2006

I have recently taken over support for an older ColdFusion site using 5.0. It has just started (past few weeks, been up for years) doing something odd. The code on the home page checks for session.uid and if it exists, gives you a personal info snippet, else you get the login box. Now if I log in and surf a little, the next person that logs in gets my session and credentials!! This morning, a vp logged in, saw something of note, told another vp to go look at it and voila, vp 2 was auto logged in as vp1. Very odd. Anyone seen this out there?
Community Beginner, Oct 02, 2006

Anyone???

LEGEND, Oct 09, 2006

Have you used exclusive locks when writing session variables when anyone logs in?

"mbowles" <webforumsuser@macromedia.com> wrote in message news:efdv4s$t5l$1@forums.macromedia.com...
> I have recently taken over support for an older ColdFusion site using 5.0.
> It has just started (past few weeks, been up for years) doing something odd.
> The code on the home page checks for session.uid and if it exists, gives you
> a personal info snippet, else you get the login box. Now if I log in and surf
> a little, the next person that logs in gets my session and credentials!!
> This morning, a vp logged in, saw something of note, told another vp to go
> look at it and voila, vp 2 was auto logged in as vp1. Very odd. Anyone seen
> this out there?


Community Beginner, Oct 09, 2006

By using cflock tags around the code that captures the user's cookie to create the session for autologin?

Enthusiast, Oct 10, 2006

I would start by creating a test page that dumps cookie.cfid and cookie.cftoken. Are users getting the same values? If so, try using a UUID as the token. That is controlled by a setting in the ColdFusion Administrator's settings page.

If that is a solution, you could even test the length of a user's cookie.cftoken. If it is less than the UUID length, you could use cfcookie to delete the cfid and cftoken. Next page hit would create a brand new cfid/cftoken with a UUID cftoken. This is guaranteed to be unique as the name implies.

If that is not your issue, check your login logic.

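The test page suggested in the last reply, combined with the locking raised earlier in the thread, could look like the following. This is an added example, not code from any poster. The file name, the variable names, and the use of `Len(CreateUUID())` as the "UUID length" threshold are assumptions, and it assumes the application's `<cfapplication>` tag already enables session management.

```cfml
<!--- tokencheck.cfm (hypothetical name): added diagnostic example, not from the thread --->

<!--- Assumption: a UUID-style CFTOKEN is at least as long as a CreateUUID() value --->
<cfset uuidLen = Len(CreateUUID())>
<cfset hasCookies = IsDefined("cookie.cfid") AND IsDefined("cookie.cftoken")>
<cfset expired = false>

<cfif hasCookies AND Len(cookie.cftoken) LT uuidLen>
    <!--- Short, non-UUID token: expire both cookies so the next
          page hit is issued a brand new CFID/CFTOKEN pair --->
    <cfcookie name="CFID" value="" expires="NOW">
    <cfcookie name="CFTOKEN" value="" expires="NOW">
    <cfset expired = true>
</cfif>

<!--- Copy session.uid out under a read-only lock; CF 5 needs locks
      around every read and write of the Session scope --->
<cfset currentUid = "(not logged in)">
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfif IsDefined("session.uid")>
        <cfset currentUid = session.uid>
    </cfif>
</cflock>

<cfoutput>
<cfif hasCookies>
    <!--- Compare these values across users: two different people
          showing the same CFID and CFTOKEN are sharing one session --->
    <p>CFID: #HTMLEditFormat(cookie.cfid)#</p>
    <p>CFTOKEN: #HTMLEditFormat(cookie.cftoken)# (length #Len(cookie.cftoken)#)</p>
<cfelse>
    <p>No CFID/CFTOKEN cookies were sent with this request.</p>
</cfif>
<p>session.uid: #HTMLEditFormat(currentUid)#</p>
<p>Client address: #HTMLEditFormat(cgi.remote_addr)#</p>
<cfif expired>
    <p>Short CFTOKEN found; both cookies were expired.</p>
</cfif>
</cfoutput>
```

Have each affected user load the page from their own browser and compare the results. Identical CFID/CFTOKEN pairs point at the token or at something replaying cookies between users, while distinct pairs with the same session.uid point back at the login logic.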