I ran into a very similar problem on a custom application. The application required logins and used per-session cookies to temporarily store the session id.
To 'clear' a user's session id when a user logged out - just in case they didn't close the browser window - I thought I would simply set the CFTOKEN/CFID cookie values to ZERO - assuming that a zero value would be invalid - and that the user would close their browser session prior to coming back to the site. This was certainly not the case. I ended up with the following scenario...

1) User A would logon, perform activities and logout (this action set their session id to APPLICATION_0_0)
2) User B would logon, perform activities and logout (this action also set their session id to APPLICATION_0_0)
3) User A would return to the site (having NOT CLOSED their browser session and still having valid cftoken & cfid cookies); the user would login and perform activities as usual...
4) User B returns to the site (having NOT CLOSED their browser session and still having valid cftoken & cfid cookies) and since their cftoken & cfid values match 'live' session variables for User A under the session id APPLICATION_0_0 - User B would not be requested a logon and would inherit all access / permissions and actions of User A.

This was my scenario that seems to match your stated case. The occurrence of the problem seemed random and made it nearly impossible to trace at the time... (I feel compelled to mention it was my 1st application and describing me as newbie would have been a compliment ;-)

At any rate - I would suggest the following...

1) insert test code in the application to output a) username b) remote addr ip c) http agent and d) session id for your IP address (so only you see it, not everyone)
2) load up IE and Netscape (or Firefox) - the key being to have 2 different browsers with different cookies
3) step through the User A / B process above... at least you will be getting a print of key identifying information for both users/browsers and might be able to determine when sessions overlap and why...
good luck -jon

> Hi,
>
> An application we have uses session management for user login and
> identification. The sessions seem to be overlapping. That is, users can
> see data for others. One of the session variables set is "userpolicy" and
> that's what determines what a user can see. I especially don't understand
> this overlap because the problem is occurring with users at different
> locations.
>
> Anyone run into this?
>
> Thanks!
>
> Jay
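The four-step overlap Jon describes can be replayed in a small simulation. This is an added example, not code from the thread or from the application in question; it assumes a session id of the form APPLICATION_CFID_CFTOKEN and a server-side session store, and it contrasts the "zero the cookies" logout with a logout that destroys the server-side session and issues a fresh random token.

```python
"""Constructed simulation of the APPLICATION_0_0 session overlap (not the original app's code)."""
import secrets

APPLICATION_NAME = "APPLICATION"  # assumed application name used in the session id


class SessionStore:
    """Server-side sessions keyed by the id derived from the CFID/CFTOKEN cookies."""

    def __init__(self):
        self.sessions = {}  # session id -> dict of session variables

    @staticmethod
    def session_id(cfid, cftoken):
        return f"{APPLICATION_NAME}_{cfid}_{cftoken}"

    def login(self, cfid, cftoken, username):
        self.sessions[self.session_id(cfid, cftoken)] = {"username": username, "loggedin": True}

    def current_user(self, cfid, cftoken):
        """Return the logged-in user for these cookies, or None if a logon is required."""
        sess = self.sessions.get(self.session_id(cfid, cftoken))
        return sess["username"] if sess and sess.get("loggedin") else None


def buggy_logout(store, cookies):
    """The approach from the post: zero the cookies, leave the server-side session alive."""
    cookies["CFID"], cookies["CFTOKEN"] = "0", "0"


def fixed_logout(store, cookies):
    """Destroy the server-side session and rotate to a fresh, unpredictable token."""
    store.sessions.pop(SessionStore.session_id(cookies["CFID"], cookies["CFTOKEN"]), None)
    cookies["CFID"], cookies["CFTOKEN"] = secrets.token_hex(4), secrets.token_hex(16)


def replay(logout):
    """Walk through steps 1-4 from the post; return who User B is seen as at step 4."""
    store = SessionStore()
    a = {"CFID": "101", "CFTOKEN": "aaaa"}  # constructed cookie values for User A
    b = {"CFID": "202", "CFTOKEN": "bbbb"}  # constructed cookie values for User B
    store.login(a["CFID"], a["CFTOKEN"], "userA"); logout(store, a)   # 1) A logs on and off
    store.login(b["CFID"], b["CFTOKEN"], "userB"); logout(store, b)   # 2) B logs on and off
    store.login(a["CFID"], a["CFTOKEN"], "userA")                     # 3) A returns, browser still open
    return store.current_user(b["CFID"], b["CFTOKEN"])                # 4) B returns: who is B?
```

With `buggy_logout` step 4 resolves User B to "userA"; with `fixed_logout` it resolves to None, so B is sent to the logon page.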

