4 Replies Latest reply on Oct 10, 2006 10:15 AM by ksmith

    Session bleed CF 5

      I have recently taken over support for an older Cold Fusion site using 5.0. It has just started (past few weeks, been up for years) doing something odd. The code on the home page checks for session.uid and if it exists, gives you a personal info snippet, else you get the login box. Now if I log in and surf a little, the next person that logs in gets my session and credentials!! This morning, a vp logged in, saw something of note, told another vp to go look at it and voila, vp 2 was auto logged in as vp1. Very odd. Anyone seen this out there?
        • 1. Re: Session bleed CF 5
          Level 1
          Anyone???
          • 2. Re: Session bleed CF 5
            Level 7
            Have you used exclusive locks when writing session variables when anyone
            logs in?

            "mbowles" <webforumsuser@macromedia.com> wrote in message
            news:efdv4s$t5l$1@forums.macromedia.com...
            > I have recently taken over support for an older Cold Fusion site using 5.0. It
            > has just started (past few weeks, been up for years) doing something odd.
            > The code on the home page checks for session.uid and if it exists, gives you a
            > personal info snippet, else you get the login box. Now if I log in and surf a
            > little, the next person that logs in gets my session and credentials!! This
            > morning, a vp logged in, saw something of note, told another vp to go look at
            > it and voila, vp 2 was auto logged in as vp1. Very odd. Anyone seen this out
            > there?
            >


            • 3. Re: Session bleed CF 5
              Level 1
              By using cflock tags around the code that captures the user's cookie to create the session for autologin?
              • 4. Re: Session bleed CF 5
                ksmith Level 1
                I would start by creating a test page that dumps cookie.cfid and cookie.cftoken. Are users getting the same values? If so, try using a UUID as the token. That is controlled by a setting in the ColdFusion Administrator's settings page.

                If that is a solution, you could even test the length of a user's cookie.cftoken. If it is less than the UUID length, you could use cfcookie to delete the cfid and cftoken. Next page hit would create a brand new cfid/cftoken with a UUID cftoken. This is guaranteed to be unique as the name implies.

                If that is not your issue, check your login logic.
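                The diagnostic page described above, plus the exclusive session lock suggested in reply 2, as an added example (not code from any poster in this thread). It assumes CF5 session management via the CFID/CFTOKEN cookies, that a UUID-format cftoken is 35 characters long (versus the old 8-digit token), and that `loginOK` is a hypothetical variable set by the site's own authentication logic.

                ```cfml
                <!--- Added example: compare session cookies between two browsers and
                      force re-issue of a UUID cftoken where the old short token is found --->
                <cfset uuidTokenLength = 35>   <!--- CF UUID: 8-4-4-16 hex chars plus 3 dashes --->

                <cfif IsDefined("cookie.cfid") and IsDefined("cookie.cftoken")>
                    <!--- 1. Show the identifiers so two users can check whether they match --->
                    <cfoutput>
                        <p>CFID: #cookie.cfid#</p>
                        <p>CFTOKEN: #cookie.cftoken# (length #Len(cookie.cftoken)#)</p>
                    </cfoutput>

                    <!--- 2. A token shorter than a UUID was minted before the UUID setting
                          was enabled: expire both cookies so the next request gets a fresh
                          CFID/CFTOKEN pair under the new setting --->
                    <cfif Len(cookie.cftoken) lt uuidTokenLength>
                        <cfcookie name="CFID" expires="now">
                        <cfcookie name="CFTOKEN" expires="now">
                        <p>Old-style token found; cookies cleared. Reload to get a UUID token.</p>
                    </cfif>
                <cfelse>
                    <p>No CFID/CFTOKEN cookies present yet; reload once.</p>
                </cfif>

                <!--- 3. Login path: write session.uid only inside an exclusive session lock.
                      loginOK is a hypothetical flag set by the site's own credential check --->
                <cfif IsDefined("loginOK") and loginOK>
                    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
                        <cfset session.uid = form.username>
                    </cflock>
                </cfif>

                <!--- 4. Home-page check: read session.uid under a read-only lock --->
                <cflock scope="SESSION" type="READONLY" timeout="10">
                    <cfset haveUser = IsDefined("session.uid")>
                </cflock>
                <cfif haveUser>
                    <cfoutput><p>Logged in as #session.uid#</p></cfoutput>
                <cfelse>
                    <p>(login box would go here)</p>
                </cfif>
                ```

                Open the page in two separate browsers: if both show the same CFID/CFTOKEN pair, the bleed is in cookie issuance rather than the login logic.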