Our application has about 150-200 concurrent users at any
given time. We're using session management with the basic CFID and
CFTOKEN, which is a UUID. We have an exclusive CFLOCK around the
bit of login code that sets their session's user id. We also
provide a login option to keep them logged in, which when set is a
cookie of their password hashed. If their session has expired and
they have this cookie we pass them through the login procedure.

All of this works fine until we restart the ColdFusion (8)
server. It seems as soon as we do this at least a few of the people
sitting there refreshing and waiting for the app to come back up
get the wrong login credentials and end up logged in as someone
else. It's very disconcerting.

Does anyone have any suggestions to avoid this happening? I
thought the exclusive lock would be all we needed.

I'm not sure if I understand completely... are you saying that
if a user logs in, and then waits... and you restart the ColdFusion
server, on their next request they appear to have assumed someone
Session data cannot persist between server restarts, since
session data is always stored in memory on the ColdFusion server.
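
An added example, not part of either post and not the application's own code: the "keep me logged in" re-login path described in the question, comparing a password-hash cookie with a random per-user token that maps to exactly one account. It is written in Python rather than CFML; the unsalted SHA-256 in `password_hash_cookie`, the in-memory `REMEMBER_TOKENS` table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for a database table (constructed for this example):
# selector -> (user_id, SHA-256 hex digest of the validator)
REMEMBER_TOKENS = {}

def password_hash_cookie(password):
    """Cookie as described in the post (hash algorithm assumed here).
    The value depends only on the password: it names no user, and it
    stays valid for as long as the password is unchanged."""
    return hashlib.sha256(password.encode()).hexdigest()

def issue_remember_cookie(user_id):
    """Create a random per-user token and return the cookie value to set."""
    selector = secrets.token_hex(8)     # lookup key, unique per token
    validator = secrets.token_hex(32)   # secret half, stored only as a digest
    digest = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (user_id, digest)
    return selector + ":" + validator

def login_from_cookie(cookie_value):
    """Return (user_id, new_cookie) for a valid cookie, else (None, None)."""
    selector, sep, validator = (cookie_value or "").partition(":")
    record = REMEMBER_TOKENS.get(selector) if sep else None
    if record is None:
        return None, None
    user_id, stored_digest = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison of the stored and presented digests.
    if not hmac.compare_digest(stored_digest, presented):
        return None, None
    # Single use: rotate so a copied cookie stops working after one login.
    del REMEMBER_TOKENS[selector]
    return user_id, issue_remember_cookie(user_id)

def revoke_all(user_id):
    """Drop every remembered login for a user, e.g. on password change."""
    stale = [s for s, (uid, _) in REMEMBER_TOKENS.items() if uid == user_id]
    for selector in stale:
        del REMEMBER_TOKENS[selector]
```

Because the token table lives outside the session scope, this path behaves the same before and after a server restart: the user id set in the new session comes from the row matched by the cookie's selector, never from anything left in memory.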