Well, as far as the sessions getting mixed up, I do not see how this is
happening unless they are sending links to each other with their session vars
in the URL. One thing to note is that with structClear() you will be
killing all session vars and not just those of the user who logged out.

I would say that using temp variables would be the best way to go, i.e.:

<CFAPPLICATION NAME="SecureApp"
    CLIENTMANAGEMENT="Yes"
    SESSIONMANAGEMENT="Yes"
    SETCLIENTCOOKIES="Yes"
    SESSIONTIMEOUT="#createTimeSpan(0, 0, 60, 0)#">

<!--- Lock all session variables to assure security in the use of sessions //--->
<CFLOCK scope="session" type="exclusive" timeout="10">
    <!--- Define CFTOKEN && CFID as temporary variables,
          this will alleviate the problem of security
          in accessing another clients variables //--->
    <CFIF isDefined('Cookie.CFID') AND isDefined('Cookie.CFTOKEN')>
        <CFSET tempID = Cookie.CFID>
        <CFSET tempToken = Cookie.CFTOKEN>
        <CFCOOKIE NAME="CFID" value="#tempID#">
        <CFCOOKIE NAME="CFTOKEN" value="#tempToken#">
    </CFIF>
</CFLOCK>

Doug
----- Original Message -----
From: "Chris Bohill" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, November 13, 2001 9:21 AM
Subject: Having major problems with session variables
> Hi,
>
> Session Variables seem to be a hot topic at the minute, so I was
> wondering if anyone could shed some light or give some advice on the
> problem below.
>
> We have a multiple user web based application that is all user-profile
> based.
>
> User A is the site administrator with full access to the site.
>
> User B is a member of company 1, and he can only see his company's data
> on the site.
>
> User C is a member of company 2, and he can only see his company's data
> on the site.
>
> What we are experiencing is a swapping of user profiles. User B is
> logging in as himself and is happily navigating through the site,
> gaining access to their own data, until they start to see information
> which is supposed to only be relevant to User C.
>
> User A is sometimes logging in, and is getting restricted access to the
> site because he has somehow inherited the profile of another user (who
> has a lower access privilege).
>
> Somehow the profiles are being swapped while the users are in the
> system.
>
> We are using session variables for the profiling, and access privileges,
> but they somehow are getting mixed up.
>
>
> When we are calling session variables in a query on any individual page
> we have declared local variables corresponding to these at the top of
> the page, and referenced these throughout the rest of the page, see
> below,
>
>
> <cflock timeout="10" type="READONLY" scope="SESSION">
> <cfset Variables.chris = session.chris>
> </cflock>
>
> .........................
>
>
> <cfquery name="queryName" datasource="#mydsn#">
> Select *
> from table
> where user_id = #Variables.chris#
> </cfquery>
>
>
>
> We are also using StructClear() to kill the session variables when the
> user logs out.
>
> I do not know what else to do, as the problem is still persisting. Has
> anyone experienced this, or can they offer any advice or direction?
>
> Cheers,
>
>