This sounds like scope leakage. I'm guessing you are setting some variable in your controller to a non var scoped value.
Put the controller code on Pastebin and email me the link.

On Oct 25, 2013 12:06 PM, "Josue Balandrano" <[email protected]> wrote:

> Hello forum.
> I've been noticing an issue with the login implementation that I am using
> for a webapp. The basic explanation of the workflow is the following:
> - User accesses the app's URL.
> - The main event has a type of "secure". This Event Type defines a
> broadcast message of "CheckIfLoggedIn". This message is linked to a
> controller's function called "isLoggedIn".
> - The controller's function basically checks if session.isLoggedIn is
> true; if it is not, then it will redirect the user to the login form.
> - The form will call an event called "logMeIn".
> - The event will call a controller's function, which will check the
> user/pass against a specific SQL table; if it is true then it will set
> session.user = #username# and session.isLoggedIn = "true", all of this
> inside a <cflogin> tag.
> - Redirect user to the main view.
>
> Now, this is working correctly with timeouts and the whole 9 yards. The
> issue is that if two, or more, users submit their credentials within a
> small window of time, then both users will end up with the same value on
> session.user.
> e.g. If a user logs in with the username jdoe and pass jdoe123 by hitting
> submit on the login form, and 500 milliseconds or maybe an entire second
> after, another user with username janed and password janed123 submits the
> login form. Then both users will log in correctly (because both user/pass
> tuples are correct) but if the variable session.user is printed in both
> sessions it will be jdoe, or janed. The value that gets leaked changes, but
> both sessions will have the same username value. If one of these users
> inputs an incorrect username/password tuple then the algorithm will not
> allow that user to log in; this only happens when both credentials are valid.
>
> The only workaround to this issue that we've been able to use is to set
> the "reload" config value to "true"; that way the framework gets reloaded
> every time it's accessed.
>
> Any ideas on how to further debug this issue or fix it?
>
> Thank you.
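
The kind of bug the reply suspects, as an added CFML example that is not the poster's controller or Model-Glue's own code: a login function whose working variables are missing `var`, next to the var-scoped form. The component, the function names, the in-memory user table standing in for the SQL lookup, and the use of `event.getValue()` to read form fields are assumptions.

```cfml
<!--- Added illustration; component, function and field names are hypothetical. --->
<cfcomponent output="false">

  <!--- Constructed stand-in for the SQL credential check described in the thread. --->
  <cfset variables.users = { jdoe = "jdoe123", janed = "janed123" }>

  <!--- LEAKY: "username", "password" and "ok" have no var keyword, so they are
        written to the component's variables scope. When one controller instance
        serves all requests, concurrent logins read and write the same values. --->
  <cffunction name="logMeInLeaky" access="public" returntype="void" output="false">
    <cfargument name="event" type="any" required="true">
    <cfset username = arguments.event.getValue("username")>
    <cfset password = arguments.event.getValue("password")>
    <cfset ok = checkCredentials(username, password)>
    <!--- Another request may have overwritten "username" by this point, so the
          session (which is per user) receives someone else's name. --->
    <cfif ok>
      <cfset session.user = username>
      <cfset session.isLoggedIn = true>
    </cfif>
  </cffunction>

  <!--- FIXED: every working variable is declared with var, so it exists only
        for this call and cannot be seen by another request. --->
  <cffunction name="logMeIn" access="public" returntype="void" output="false">
    <cfargument name="event" type="any" required="true">
    <cfset var username = arguments.event.getValue("username")>
    <cfset var password = arguments.event.getValue("password")>
    <cfset var ok = checkCredentials(username, password)>
    <cfif ok>
      <cfset session.user = username>
      <cfset session.isLoggedIn = true>
    </cfif>
  </cffunction>

  <!--- Compares against the constructed table above; arguments are always call-local. --->
  <cffunction name="checkCredentials" access="private" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfreturn structKeyExists(variables.users, arguments.username)
              AND compare(variables.users[arguments.username], arguments.password) EQ 0>
  </cffunction>

</cfcomponent>
```

The same check applies to query names, loop counters and any other temporary inside a controller function: each one needs `var` (or the `local` scope) to stay out of the shared instance.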
