This is probably a very rudimentary question, but do you have session variables locked?
Tim Bahlke
> -----Original Message-----
> From: Scott Weikert [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 4:13 PM
> To: CF-Talk
> Subject: Session hijacking - help!
>
>
> Hey gang,
>
> I've got a really WEIRD thing going on... a true stumper.
>
> Got a CF/SQL7 box. It's sitting on a client's internal LAN. Hence, their users on their LAN (and they're nationwide - I believe users in the field dial in and/or have dedicated lines, I'm not 100% sure - not my problem) hit this box pretty quick when they're using the app that's running on it (it's a computer-based training app).
>
> The app keeps track of users via session variables - tuck the userID in a session var, etc. No sweat.
>
> The thing is... occasionally, when there are multiple people accessing the training app at the same time, sessions get hijacked. To wit:
>
> Joe is in the training app. His 'session.userid' is 123.
> Mary comes along, logs in, starts using the app. Her userid is 456.
> At some point, Joe's computer all of a sudden thinks its session.userid is 456 - Mary's.
>
> Why?
>
> On top of all this... this only happens INSIDE THEIR LAN. Those of us on the outside (in our office, and in the office of the partner company who develops the content for the system) have NO problems like this.
>
> I've put in some debug display code and would have the company's propellerheads go through the app, from within their LAN, and boom - the output of the session.userid changes. The IP info for the client boxes is fine - I was spitting that out with the rest of the info - and it went unchanged.
>
> I understand that session info is stored in the server's RAM. I'm considering trying to swap over to a client variable-based method, and storing that info in the database.
>
> Thoughts?
> --Scott
>
>
>
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
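An added example, not from either poster, of the locking Tim asks about, in CFML of that era: the unlocked session write beside the cflock'd version, plus a debug line that records the CFID/CFTOKEN ticket next to session.userid so a flip in the userid can be matched against whether the ticket itself changed. It assumes an Application.cfm with session management enabled; the application name, the qLogin query and the log file name are constructed.

```cfml
<!--- Application.cfm (assumed): session management on for this app --->
<cfapplication name="trainingApp" sessionmanagement="Yes" setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0,0,30,0)#">

<!--- Unlocked write: on CF 4.5/5 concurrent requests touching the shared
      session scope without a lock can leave it in an inconsistent state.
      qLogin is assumed to be the login lookup query. --->
<cfset session.userid = qLogin.userID>

<!--- Locked write: serialize all access to the session scope --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
  <cfset session.userid = qLogin.userID>
</cflock>

<!--- Locked read: copy into a local variable and use the copy afterwards --->
<cflock scope="SESSION" type="READONLY" timeout="10">
  <cfset currentUser = session.userid>
</cflock>

<!--- Debug line: log the session ticket with the userid and client address.
      If userid flips while CFID/CFTOKEN stays the same, the scope was
      overwritten server side; if CFID/CFTOKEN changes as well, the browser
      presented a different ticket (a shared cookie or proxy on the LAN). --->
<cflock scope="SESSION" type="READONLY" timeout="10">
  <cflog file="sessiondebug" type="Information"
         text="ip=#CGI.REMOTE_ADDR# cfid=#session.CFID# cftoken=#session.CFTOKEN# userid=#session.userid#">
</cflock>
```

Compare the logged lines for Joe's address before and after the jump; the two cases call for different fixes (locking versus cookie/proxy handling).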