Hello forum.
I've been noticing an issue with the login implementation that I am using 
for a webapp. The basic explanation of the workflow is the following: 
    - User accesses the app's URL.
    - The main event has a type of "secure". This Event Type defines a 
broadcast message of "CheckIfLoggedIn". This message is linked to a 
controller's function called "isLoggedIn".
    - The controller's function basically checks if session.isLoggedIn is 
true; if it is not, then it will redirect the user to the login form.
    - The form will call an event called "logMeIn". 
    - The event will call a controller's function, which will check the 
user/pass against a specific SQL table; if it is true, then it will set 
session.user = #username# and session.isLoggedIn = "true", all of this 
inside a <cflogin> tag.
    - Redirect user to the main view.

Now, this is working correctly with timeouts and the whole 9 yards. The 
issue is that if two, or more, users submit their credentials within a 
small window of time, then both users will end up with the same value on 
session.user. 
e.g. If a user logs in with the username jdoe and pass jdoe123 by hitting 
submit on the login form, and 500 milliseconds or maybe an entire second 
after, another user with username janed and password janed123 submits the 
login form, then both users will log in correctly (because both user/pass 
tuples are correct), but if the variable session.user is printed in both 
sessions it will be jdoe, or janed. The value that gets leaked changes, but 
both sessions will have the same username value. If one of these users 
inputs an incorrect username/password tuple, then the algorithm will not 
allow that user to log in; this only happens when both credentials are valid.

The only workaround to this issue that we've been able to use is to set 
the "reload" config value to "true"; that way the framework gets reloaded 
every time it's accessed. 

Any ideas on how to further debug this issue or fix it?

Thank you.

-- 
-- 
Model-Glue Sites:
Home Page: http://www.model-glue.com
Documentation: http://docs.model-glue.com
Bug Tracker: http://bugs.model-glue.com
Blog: http://www.model-glue.com/blog

You received this message because you are subscribed to the Google
Groups "model-glue" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/model-glue?hl=en
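An added illustration of the most common cause of exactly this symptom in CFML, not code from the original post or from the Model-Glue project. Model-Glue keeps a single instance of each controller for the life of the application, so any per-request value assigned inside a controller method without `var` (or `local.`) lands in the component's `variables` scope and is shared by every concurrent request; the fact that `reload = true` (which rebuilds the controller instances on every request) hides the problem is consistent with state surviving inside a persisted object. The controller, method names, datasource name `myDsn` and `users` table below are hypothetical, and `queryExecute()` assumes ColdFusion 11+ or Lucee:

```cfml
// Hypothetical LoginController.cfc (added example, not the poster's code).
// The poster wraps the credential check in <cflogin>; that is omitted here
// because the scoping problem is independent of it.
component {

    // LEAKY variant: "username", "password" and "qUser" carry no scope prefix
    // and no var declaration, so inside a CFC they are written to the
    // component's variables scope. With one controller instance serving all
    // requests, a second login that arrives a few hundred milliseconds later
    // overwrites variables.username before the first request reaches the
    // session assignment, and both sessions end up with the same user.
    public void function logMeInLeaky(required any event) {
        username = arguments.event.getValue("username");
        password = arguments.event.getValue("password");
        qUser = queryExecute(
            "SELECT username FROM users WHERE username = :u AND password_hash = :p",
            { u = username, p = hash(password, "SHA-512") }, // substitute the app's own credential check
            { datasource = "myDsn" }
        );
        if (qUser.recordCount eq 1) {
            // variables.username may already belong to another request here
            session.user = username;
            session.isLoggedIn = true;
        }
    }

    // FIXED variant: every per-request value is declared with var, so it lives
    // in this call's local scope and is invisible to other requests, whether or
    // not the framework is reloaded.
    public void function logMeIn(required any event) {
        var username = arguments.event.getValue("username");
        var password = arguments.event.getValue("password");
        var qUser = queryExecute(
            "SELECT username FROM users WHERE username = :u AND password_hash = :p",
            { u = username, p = hash(password, "SHA-512") }, // substitute the app's own credential check
            { datasource = "myDsn" }
        );
        if (qUser.recordCount eq 1) {
            // qUser.username comes from the row that matched this request's
            // credentials, so it cannot be another user's value.
            session.user = qUser.username;
            session.isLoggedIn = true;
        }
    }

    // Diagnostic: returns a snapshot of the controller's instance scope. If
    // keys such as "username", "password" or "qUser" show up here after a
    // login, per-request data is escaping into shared state.
    public struct function debugInstanceState() {
        return structCopy(variables);
    }
}
```

To confirm the diagnosis without reloading the framework, call `debugInstanceState()` (or `cfdump var="#variables#"`) from the controller after one login and look for request-specific keys; with the `var`-scoped version the snapshot contains only the component's own fixed members. The same check applies to any other persisted object in the login path, such as a service or gateway CFC that the controller delegates the SQL lookup to.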