Scott,

The only thought I have is

1) Be sure that you are locking all your session variables.

2) Make certain that CFID and CFToken are not being included in the URL,
changed by the application or stuffed into the application scope in some
manner.

3) That there isn't a firewall or internal proxy running between the users
and the server.

Since they have "external" network users, they may be using an extranet
company (like Sprint) that supplies their IP on a semi-private network.  In
that case a proxy would be used and they may have put the server in a DMZ
between the internal LAN and the extranet.

I had a case just like that: the application was working fine, then all of a
sudden one Monday everyone had the same session as the first person to log
in.  They had moved the server to the DMZ and both the internal and external
people were going through a proxy.


Best Regards,

Dennis Powers
UXB Internet
(203) 879-2844
http://www.uxbinfo.com/
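The first two items in Dennis's checklist can be turned into a mechanical check over the application's templates. The script below is an added example, not code from the thread or from either poster: it scans ColdFusion source for session writes outside a `<cflock scope="session">` block, for CFID/CFTOKEN being written into URLs, and for user-identifying values being stored in the application scope (which is what makes every visitor see the same user). The sample template, the rule names and the function `find_session_issues` are constructed here; the lock tracking is a line-level heuristic and assumes locks open and close on their own lines.

```python
import re
from typing import Dict, List

# Constructed sample template (not from the thread). It deliberately contains
# one unlocked session write, one locked write, one user id stuffed into the
# application scope, and one link that carries CFID/CFTOKEN in the URL.
SAMPLE_CFM = """\
<!--- constructed sample login.cfm --->
<cfif isDefined("form.userid")>
  <cfset session.userid = form.userid>
  <cflock scope="session" type="exclusive" timeout="10">
    <cfset session.loggedin = true>
  </cflock>
  <cfset application.userid = form.userid>
</cfif>
<a href="lesson.cfm?cfid=#session.cfid#&cftoken=#session.cftoken#">Next lesson</a>
"""

# A write to the session scope: <cfset session.x = ...> or <cfparam name="session.x" ...>
SESSION_WRITE = re.compile(r'<(cfset\s+session\.\w+|cfparam\s+name\s*=\s*"session\.)', re.I)
# Opening/closing of a lock on the session scope.
LOCK_OPEN = re.compile(r'<cflock\b[^>]*scope\s*=\s*"session"', re.I)
LOCK_CLOSE = re.compile(r'</cflock>', re.I)
# User-identifying data (or the session id itself) being stored application-wide.
APP_USER_DATA = re.compile(r'<cfset\s+application\.(\w*user\w*|cfid|cftoken)\b', re.I)
# Session identifier appearing in a URL: ?cfid=...&cftoken=... or #session.urltoken#.
ID_IN_URL = re.compile(r'\b(cfid|cftoken)=|\burltoken\b', re.I)


def find_session_issues(cfm: str) -> List[Dict]:
    """Return one finding per (line, rule) for the three checklist items."""
    findings: List[Dict] = []
    lock_depth = 0  # how many <cflock scope="session"> blocks we are inside
    for lineno, line in enumerate(cfm.splitlines(), start=1):
        # Count locks opened on this line before judging writes on it.
        lock_depth += len(LOCK_OPEN.findall(line))

        if SESSION_WRITE.search(line) and lock_depth == 0:
            findings.append({"line": lineno, "rule": "unlocked_session_write",
                             "text": line.strip()})
        if APP_USER_DATA.search(line):
            findings.append({"line": lineno, "rule": "user_data_in_application_scope",
                             "text": line.strip()})
        if ID_IN_URL.search(line):
            findings.append({"line": lineno, "rule": "session_id_in_url",
                             "text": line.strip()})

        # Locks closed on this line only affect the lines that follow.
        lock_depth = max(0, lock_depth - len(LOCK_CLOSE.findall(line)))
    return findings


def is_clean(cfm: str) -> bool:
    """True when a template triggers none of the three rules."""
    return not find_session_issues(cfm)


if __name__ == "__main__":
    for f in find_session_issues(SAMPLE_CFM):
        print(f"line {f['line']:>3}  {f['rule']:<32} {f['text']}")
```

Run it over every `.cfm` in the application (read each file and pass its text to `find_session_issues`); the third checklist item, a proxy between the users and the server, is an infrastructure question that no source scan can answer and has to be confirmed with the client's network people.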

-----Original Message-----
From: Scott Weikert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 4:13 PM
To: CF-Talk
Subject: Session hijacking - help!

Hey gang,

I've got a really WEIRD thing going on... a true stumper.

Got a CF/SQL7 box. It's sitting on a client's internal LAN. Hence, their
users on their LAN (and they're nationwide - I believe users in the field
dial in and/or have dedicated lines, I'm not 100% sure - not my problem) hit
this box pretty quick when they're using the app that's running on it (it's
a computer-based training app).

The app keeps track of users via session variables - tuck the userID in a
session var, etc. No sweat.

The thing is... occasionally, when there are multiple people accessing the
training app at the same time, sessions get hijacked. To wit:

Joe is in the training app. His 'session.userid' is 123.
Mary comes along, logs in, starts using the app. Her userid is 456.
At some point, Joe's computer all of a sudden thinks its session.userid is
456 - Mary's.

Why?

On top of all this... this only happens INSIDE THEIR LAN. Those of us on the
outside (in our office, and in the office of the partner company who
develops the content for the system) have NO problems like this.

I've put in some debug display code and would have the company's
propellerheads go through the app, from within their LAN, and boom - the
output of the session.userid changes. The IP info for the client boxes is
fine - I was spitting that out with the rest of the info - and it went
unchanged.

I understand that session info is stored in the server's RAM. I'm
considering trying to swap over to a client variable-based method, and
storing that info in the database.

Thoughts?
--Scott
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/