We had this issue as well on CF8 with our control panel.

A little background, we experienced the same issue under CF7, so we did 2
things. Upgraded to 8 and put in some code fixes to ensure the cfid/cftoken
cookie were for the proper account.  The latter was really hacked by
whoever and pretty messy. At some point someone cleaned it up and removed it
without any reports of it occurring again. Some time later we started
experiencing the issue again.  By some time later, I mean maybe two years
(best guess as I was out of the development group for a while and wasn't up
to date with all issues). We took the code back over and started hearing
issues a couple of months later.

Best I could figure at the time was maybe operations had done a CF patch
that may or may not have caused it to happen again with 8.  Either way, I
couldn't reproduce it, but could see it in our site logging exactly where
things were switching for sessions for some users.

This would occur at least two to three times a day, and there really seemed
to be no logical reason or commonality (going by logs).

First thing we did was implement a cleaner fix of what we had done before,
by tracking the IP associated with a session ID and if it didn't match,
clear all cookies and ensure a new session ID was created. When I say
session ID, I mean cookies for cfid and cftoken, and jsessionid, when we
moved to that.

We also instituted logging and alerting so we would be notified immediately
when this occurred to see the frequency, and to double check the logs to
ensure user sessions were clearing as expected and forcing a new login.

Further, the site was using a rather large set of client variables, and we
deduced the possibility that client variable extraction from the database
(inside CF) was perhaps not thread safe, and a module on the site using
client variables may have been the cause.  So we drastically reduced the
data size of the client scope as a result.

By that time, next step was to go to 9.0.1.

Since that upgrade we have not logged any occurrences, whereas on 8+ we
still saw log entries where things still occurred.  With 8, we had done all
patches, etc.  Even went so far as to try different JVM versions, to no
avail.

With all the code fixes and resulting upgrades to 9 and patches, I can't
say 100% what the issue was.  Other than it's not happening now.

Best suggestion would be upgrade to 9.0.1, seems very stable, and look at
anything funny in code with sessions or client variables and simplify them
as much as possible.

Apologies, a bit long in the tooth, but at least it's not spam :-)

Byron Mann
Lead Engineer and Architect
Hostmysite.com
On Mar 11, 2012 12:19 AM, "Richard Steele" <[email protected]> wrote:

>
> We offer a template-based, self-administered solution for hosting websites
> and have a CF8 Enterprise server with two load-balanced. Yesterday, for the
> first time in 6 years of offering hosting services, we had a bizarre user
> login problem event. A user logged in to administer their hosted site
> using their normal credentials and another user's administration came up!!
> I then tried logging into their administrative backend and the same thing
> happened to me. I then logged out and tried yet another user's credentials
> and that worked fine, but when I logged out of their administrative backend
> I was taken to that other user's site's administration (the one that was
> the wrong one in the first example) instead of to the hosting site's home
> page.
>
> I thought we might have been hacked, but no login files' date times had
> changed. The application.cfm had not changed either.
>
> I restarted both instances of CF server and all is back to normal.
>
> I'm completely baffled and concerned. What in the world could cause this
> that a CF service restart would fix?
> Thanks in advance.
>
> 
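The session-binding check Byron describes (track the IP a session ID was issued to, and on a mismatch clear the cookies, issue a new session so the user must log in again, and log it so the mismatch rate can be alerted on), written out as an added example. This is not code from the thread or from ColdFusion: it is Python, the in-memory session table stands in for CF's session store, the session ID stands in for the cfid/cftoken or jsessionid cookie pair, and the IP-only binding and the alert threshold are assumptions.

```python
# Added example (not code from the thread or from ColdFusion): a session-to-IP
# binding check of the kind the post describes. On each request the session ID
# presented by the client is looked up; if the IP it was issued to differs,
# the session is discarded, the mismatch is logged, and a fresh unauthenticated
# session is issued so the user has to log in again.
# Assumed: an in-memory session table stands in for CF's session store, and
# the session ID stands in for the cfid/cftoken or jsessionid cookie pair.
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    session_id: str
    client_ip: str          # IP the session ID was issued to
    user: Optional[str]     # None = not logged in


@dataclass
class SessionGuard:
    sessions: dict = field(default_factory=dict)
    mismatch_log: list = field(default_factory=list)
    alert_threshold: int = 3  # assumed: alert after this many mismatches

    def create(self, client_ip: str, user: Optional[str] = None) -> str:
        """Issue a new random session ID bound to the requesting IP."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, client_ip, user)
        return sid

    def login(self, session_id: str, user: str) -> None:
        """Mark an existing session as authenticated for `user`."""
        self.sessions[session_id].user = user

    def check(self, session_id: Optional[str], client_ip: str) -> tuple:
        """Validate the presented session ID against the client IP.

        Returns (decision, session_id_to_set_in_cookie) where decision is
        'ok' (binding matches), 'new' (no or unknown ID, fresh session issued)
        or 'reset' (ID known but bound to a different IP: logged, dropped,
        fresh unauthenticated session issued).
        """
        sess = self.sessions.get(session_id) if session_id else None
        if sess is None:
            return ("new", self.create(client_ip))
        if sess.client_ip != client_ip:
            # Record enough to investigate afterwards, as the post's logging did.
            self.mismatch_log.append({
                "session_id": session_id,
                "bound_ip": sess.client_ip,
                "seen_ip": client_ip,
                "user": sess.user,
            })
            # Invalidate: a new session means the cfid/cftoken/jsessionid
            # cookies are replaced and the user is forced to log in again.
            del self.sessions[session_id]
            return ("reset", self.create(client_ip))
        return ("ok", session_id)

    def should_alert(self) -> bool:
        """Immediate-notification condition: mismatches reached the threshold."""
        return len(self.mismatch_log) >= self.alert_threshold


def demo() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    guard = SessionGuard()
    sid = guard.create("10.0.0.5")
    guard.login(sid, "alice")                      # alice logs in from 10.0.0.5
    ok, _ = guard.check(sid, "10.0.0.5")           # same IP: allowed
    reset, new_sid = guard.check(sid, "10.0.0.9")  # same ID, other IP: reset
    return {
        "same_ip": ok,
        "other_ip": reset,
        "new_sid_differs": new_sid != sid,
        "old_sid_gone": sid not in guard.sessions,
        "new_session_logged_in": guard.sessions[new_sid].user is not None,
        "logged_user": guard.mismatch_log[0]["user"],
        "alert": guard.should_alert(),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want before deploying this as written: behind a load balancer or reverse proxy the IP seen by the application must be the client's, not the balancer's, or every session will bind to the same address and the check never fires; and clients whose address legitimately changes (NAT pools, mobile networks) will be forced to log in again, so the mismatch log is as much a measure of false positives as of the underlying fault. The binding does not explain or remove the server-side session mix-up the thread is about; it limits what a mixed-up session can expose and gives you the log entries to see how often it happens.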

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350389