While locking is a good thing, I don't think the fact that your locks are
clean (or not) necessarily has anything to do with session swapping, and I
doubt that single-threading sessions would help. I would expect session
swapping to happen if a browser started submitting requests with the wrong
CFID/CFTOKEN combo; obviously it is possible that CF loses track of which
data goes with which session, but that seems unlikely (I'd think we'd have a
deafening chorus of complaints). These are some of the things I would
pursue:
1) is the user starting their session with the 'right' info and then
suddenly getting 'wrong' info? Perhaps the initial retrieval of user
profile data is doing something wrong.
2) Do you have, or can you start to collect, logs that track
   - form fields
   - url vars
   - cookies
for every page request (perhaps just for the network that the user is in)?
(I have some code to do this at the CF level if needed)
3) Can you get the user to report exactly where he was in the application
when the problem appeared such that you can correlate it with your logs?
Then, can you see what's happening to the CFID/CFTOKEN values sent to your
server at that point?
If this happens to users on one particular network, but not other people, I
would wonder about proxies/firewalls at that site.
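As an added illustration of the correlation step suggested above (this is not code from the reply, from the original poster or from ColdFusion itself; the log format and every log line below are constructed for the example), here is a small Python script that reads per-request records of client IP, CFID, CFTOKEN, the user name the page rendered and the template requested, and flags the three patterns worth checking: the CFID/CFTOKEN pair sent by one client changing mid-session (browser-side), the same pair being presented from more than one client address (the proxy/firewall question), and the same pair rendering a different user name (which would point at the server rather than the browser).

```python
"""
Correlate per-request logs to localise a "session swap".

Assumptions (not ColdFusion's own log format): one record per line with
  timestamp  client_ip  CFID  CFTOKEN  user_shown_on_page  template
The records below are constructed for this example.
"""
from collections import defaultdict

# Constructed sample: alice (10.1.4.21) suddenly sends bob's CFID/CFTOKEN
# and sees bob's profile; carol's cookies stay the same but the page
# rendered dave's name on the next request.
SAMPLE_LOG = """\
2002-01-28T10:01:02 10.1.4.21 1234 55667788 alice /welcome.cfm
2002-01-28T10:01:09 10.1.4.21 1234 55667788 alice /profile.cfm
2002-01-28T10:01:15 10.1.7.80 4321 99887766 bob   /welcome.cfm
2002-01-28T10:01:20 10.1.4.21 4321 99887766 bob   /welcome.cfm
2002-01-28T10:01:31 10.1.7.80 4321 99887766 bob   /profile.cfm
2002-01-28T10:02:05 10.1.9.15 7777 11223344 carol /welcome.cfm
2002-01-28T10:02:10 10.1.9.15 7777 11223344 dave  /welcome.cfm
"""


def parse_log(text):
    """Turn the whitespace-separated records into dicts, in log order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cfid, cftoken, user, path = line.split()
        records.append({"ts": ts, "ip": ip, "session": (cfid, cftoken),
                        "user": user, "path": path})
    return records


def cookie_changes(records):
    """Requests where a client IP presents a different CFID/CFTOKEN pair
    than on its previous request: the browser-side hypothesis."""
    last = {}
    findings = []
    for r in records:
        prev = last.get(r["ip"])
        if prev is not None and prev != r["session"]:
            findings.append((r["ts"], r["ip"], prev, r["session"], r["path"]))
        last[r["ip"]] = r["session"]
    return findings


def identity_changes(records):
    """Requests where the same CFID/CFTOKEN pair renders a different user
    than before: the cookies did not change, so suspect the server."""
    last_user = {}
    findings = []
    for r in records:
        prev = last_user.get(r["session"])
        if prev is not None and prev != r["user"]:
            findings.append((r["ts"], r["session"], prev, r["user"], r["path"]))
        last_user[r["session"]] = r["user"]
    return findings


def shared_sessions(records):
    """CFID/CFTOKEN pairs seen from more than one client address:
    cookie reuse, or a proxy/firewall in the path between users."""
    ips = defaultdict(set)
    for r in records:
        ips[r["session"]].add(r["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for label, found in (("cookie pair changed", cookie_changes(recs)),
                         ("user changed under same cookies", identity_changes(recs)),
                         ("cookie pair shared across IPs", shared_sessions(recs))):
        print(label, "->", found)
```

Grouping by client IP only works if the affected users are not already behind one shared proxy; if the whole site NATs to a single address, the first check fires on every interleaved request and you need a per-browser marker (the CF cookies plus User-Agent, or a marker you set at session start) to tell clients apart. That is exactly why the proxy/firewall question is worth answering before reading the logs.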
> -----Original Message-----
> From: Andy Ewings [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 10:26 AM
> To: CF-Talk
> Subject: RE: "Session Swapping" incident
>
>
> This is interesting. I had a nightmare with Session variables where I was
> adamant that I had locked properly but was still getting session variables
> expiring or swapping of sessions...for this reason I always use client
> variables....
>
> -----Original Message-----
> From: Chris Bohill [mailto:[EMAIL PROTECTED]]
> Sent: 28 January 2002 15:04
> To: CF-Talk
> Subject: "Session Swapping" incident
>
>
> We are developing a web based application, and have recently been
> experiencing a number of "Session swapping" incidents. On two occasions
> a user has been navigating the system, only to "Swap" sessions with
> another user, who (we are not 100% sure) may also be viewing the site at
> the same time.
>
> Because a lot of the site is user-profile based, the user can tell
> straight away that they have "Swapped". The user in question returned to
> the welcome page, but another user's name and details were there. This
> other user was in the same building but on a different floor, so they may
> have been on the same network.
>
> For this to happen is pretty awkward, as much of the data is of a
> sensitive nature, but we feel we have done as much as we can to reduce
> the chance of this happening.
>
> We have locked all session variables and only refer to them as local
> variables on pages that need them. See below:
>
> <!--- Copy session values into the local (Variables) scope under a read lock --->
> <cflock timeout="10" type="READONLY" scope="SESSION">
>     <cfset Variables.VarOne = session.VarOne>
>     <cfset Variables.VarTwo = session.VarTwo>
> </cflock>
>
> When writing to a Session Variable we again use cflock, with type set to
> "Exclusive".
>
> All Session variables are locked when created on the Application page,
> and are set to "Exclusive".
>
> When the user logs out of the system we use the following code to kill
> all the session variables:
>
> <cflock timeout="20" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
>     <!--- Expire the session identifier cookies in the browser --->
>     <CFCOOKIE NAME="CFID" VALUE="" expires="NOW">
>     <CFCOOKIE NAME="CFTOKEN" VALUE="" expires="NOW">
>
>     <!--- Drop the session data held on the server --->
>     <cfscript>
>         StructDelete(Session, "VarOne");
>         StructDelete(Session, "VarTwo");
>         StructClear(Session);
>     </cfscript>
> </cflock>
>
> Are there known issues with session variables or is there something
> vital that we are missing?
> Is there something we should be doing in the Administrator to protect
> against "session swapping"?
>
> For this to happen, even once, is not acceptable to our client, so it is
> essential that we resolve this issue. Speed is an important issue with
> this application so using single thread sessions would not be a
> straightforward solution for us.
>
> Any responses would be greatly appreciated.
>
> Thanks,
>
>
>
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/