Have you used exclusive locks when writing session variables when anyone
logs in?
"mbowles" <firstname.lastname@example.org> wrote in message
> I have recently taken over support for an older Cold Fusion site using
> has just started (past few weeks, been up for years) doing something odd.
> The code on the home page checks for session.uid and if it exists, gives
> personal info snippet, else you get the login box. Now if I log in and
> little, the next person that logs in gets my session and credentials!!
> morning, a vp logged in, saw something of note, told another vp to go
> it and voila, vp 2 was auto logged in as vp1. Very odd. Anyone seen this
by using cflock tags around the code that captures the user's cookie to create the session for autologin?
I would start by creating a test page that dumps cookie.cfid and cookie.cftoken. Are users getting the same values? If so, try using UUID as token. That is controlled by a setting in ColdFusion Administrator's settings page.
If that is a solution, you could even test the length of a user's cookie.cftoken. If it is less than the UUID length, you could use cfcookie to delete the cfid and cftoken. Next page hit would create a brand new cfid/cftoken with a UUID cftoken. This is guaranteed to be unique as the name implies.
If that is not your issue, check your login logic.
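
The diagnostic and cookie reset suggested in the last reply, written out as an added example that is not code from any poster in this thread. It assumes the site uses Application.cfm with cookie-based CFID/CFTOKEN sessions; the application name `exampleApp` and the log name `sessiondiag` are placeholders.

```cfml
<!--- Added example for Application.cfm; "exampleApp" and "sessiondiag" are placeholder names. --->
<cfapplication name="exampleApp" sessionmanagement="yes" setclientcookies="yes">

<!--- CreateUUID() values are 35 characters, so a UUID-based CFTOKEN is at least that long. --->
<cfset uuidLength = 35>
<cfset hasPair = StructKeyExists(cookie, "cfid") AND StructKeyExists(cookie, "cftoken")>

<cfif hasPair>
    <!--- Read session.uid under a read-only session lock, as older ColdFusion versions require. --->
    <cflock scope="session" type="readonly" timeout="10">
        <cfif StructKeyExists(session, "uid")>
            <cfset currentUid = session.uid>
        <cfelse>
            <cfset currentUid = "(not logged in)">
        </cfif>
    </cflock>

    <!--- Log a hash of the token rather than the token, so the log cannot be replayed as a session. --->
    <cflog file="sessiondiag" type="information"
           text="cfid=#cookie.cfid# tokenHash=#Hash(cookie.cftoken)# tokenLen=#Len(cookie.cftoken)# uid=#currentUid# ip=#cgi.remote_addr#">

    <cfif Len(cookie.cftoken) LT uuidLength>
        <!--- Short token: expire both cookies so the next page hit is issued a new pair. --->
        <cfcookie name="cfid" expires="now">
        <cfcookie name="cftoken" expires="now">
    </cfif>
</cfif>
```

Two log entries with the same `cfid` and `tokenHash` but different `ip` or `uid` values show that separate users are presenting the same session identifier.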