This is probably a very rudimentary question, but do you have session variables locked?

Tim Bahlke

> -----Original Message-----
> From: Scott Weikert [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 4:13 PM
> To: CF-Talk
> Subject: Session hijacking - help!
> 
> 
> Hey gang,
> 
> I've got a really WEIRD thing going on... a true stumper.
> 
> Got a CF/SQL7 box. It's sitting on a client's internal LAN. Hence, their users on their LAN (and they're nationwide - I believe users in the field dial in and/or have dedicated lines, I'm not 100% sure - not my problem) hit this box pretty quick when they're using the app that's running on it (it's a computer-based training app).
> 
> The app keeps track of users via session variables - tuck the userID in a session var, etc. No sweat.
> 
> The thing is... occasionally, when there are multiple people accessing the training app at the same time, sessions get hijacked. To wit:
> 
> Joe is in the training app. His 'session.userid' is 123.
> Mary comes along, logs in, starts using the app. Her userid is 456.
> At some point, Joe's computer all of a sudden thinks its session.userid is 456 - Mary's.
> 
> Why?
> 
> On top of all this... this only happens INSIDE THEIR LAN. Those of us on the outside (in our office, and in the office of the partner company who develops the content for the system) have NO problems like this.
> 
> I've put in some debug display code and would have the company's propellerheads go through the app, from within their LAN, and boom - the output of the session.userid changes. The IP info for the client boxes is fine - I was spitting that out with the rest of the info - and it went unchanged.
> 
> I understand that session info is stored in the server's RAM. I'm
> considering trying to swap over to a client variable-based method, and
> storing that info in the database.
> 
> Thoughts?
> --Scott
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
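What Tim's question points at, shown as an added example (this is not code from the thread or from Scott's app): every read and write of the shared session scope wrapped in CFLOCK, plus the client-variable alternative Scott mentions, stored in the database. The application name, the `TrainingDSN` datasource, the `users` table, `form.username` and the file names are assumptions chosen for the illustration.

```cfml
<!--- Application.cfm (constructed example): turn on session management, and
      client management backed by a database datasource so the client scope
      survives server restarts and is keyed by CFID/CFTOKEN rather than RAM.
      "TrainingDSN" is a placeholder datasource name. --->
<cfapplication name="TrainingApp"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#"
               clientmanagement="Yes"
               clientstorage="TrainingDSN">

<!--- login.cfm (constructed example): look the user up, then write the
      userID into the session scope under an EXCLUSIVE lock. Without the
      lock, two requests hitting the shared session memory at the same time
      can read or write each other's data (the symptom Scott describes). --->
<cfquery name="getUser" datasource="TrainingDSN">
    SELECT userID
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif getUser.recordCount EQ 1>
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10" throwontimeout="Yes">
        <cfset session.userID = getUser.userID>
    </cflock>

    <!--- The alternative Scott is considering: keep the userID in the
          client scope, which CF persists to the TrainingDSN database.
          The client scope is not a CFLOCK scope, so no lock is needed. --->
    <cfset client.userID = getUser.userID>
<cfelse>
    <cfthrow message="Login failed">
</cfif>

<!--- Any page that needs the ID: copy it out under a READONLY lock into a
      request-local variable, then only ever use the local copy. Reads that
      touch session.* outside the lock defeat the purpose. --->
<cflock scope="SESSION" type="READONLY" timeout="10" throwontimeout="Yes">
    <cfset currentUserID = session.userID>
</cflock>

<cfoutput>
    <p>Logged in as user ###currentUserID# (client scope says ###client.userID#).</p>
</cfoutput>
```

The locks only help if every page in the app uses them: one unlocked write anywhere is enough to reproduce the problem. Scott's debug output, which prints the changing `session.userid` next to an unchanged client IP, is the kind of per-request logging worth keeping after the locks go in, since it shows whether the mix-up stops once all session access is serialized.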
