Is the application running in a clustered environment?
Session variables aren't well suited for that.

        EC

-----Original Message-----
From: Chris Bohill [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 10:04 AM
To: CF-Talk
Subject: "Session Swapping" incident


We are developing a web-based application, and have recently been
experiencing a number of "session swapping" incidents. On two occasions
a user has been navigating the system, only to "swap" sessions with
another user, who (we are not 100% sure) may also be viewing the site at
the same time.

Because a lot of the site is user-profile based, the user can tell
straight away that they have "swapped". The user in question returned to
the welcome page, but another user's name and details were there. This
other user was in the same building but on a different floor, so they may
have been on the same network.

For this to happen is pretty awkward, as much of the data is of a
sensitive nature, but we feel we have done as much as we can to reduce
the chance of this happening.

We have locked all session variables and only refer to them as local
variables on pages that need them. See below:

<!--- Read lock: copy the session values into the page-local Variables scope once per request --->
<cflock timeout="10" type="READONLY" scope="SESSION">
    <cfset Variables.VarOne = session.VarOne>
    <cfset Variables.VarTwo = session.VarTwo>
</cflock>

When writing to a session variable we again use cflock, with type set to
"Exclusive".

All Session variables are locked when created on the Application page, 
and are set to "Exclusive".

When the user logs out of the system we use the following code to kill 
all the session variables:

<!--- Exclusive lock: no other request may read or write this session while it is cleared.
      throwontimeout="No" means no error is raised if the lock is not obtained within 20 seconds,
      so a logout that fails to get the lock goes unnoticed. --->
<cflock timeout="20" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
    <!--- Expire the browser's session identifier cookies so its next request is issued a new CFID/CFTOKEN --->
    <CFCOOKIE NAME="CFID" VALUE="" expires="NOW">
    <CFCOOKIE NAME="CFTOKEN" VALUE="" expires="NOW">

    <cfscript>
        // The two StructDelete calls are redundant: StructClear removes every key in the scope
        StructDelete(Session, "VarOne");
        StructDelete(Session, "VarTwo");
        StructClear(Session);
    </cfscript>
</cflock>

Are there known issues with session variables, or is there something
vital that we are missing?
Is there something we should be doing in the Administrator to protect
against "session swapping"?

For this to happen even once is not acceptable to our client, so it is
essential that we resolve this issue. Speed is an important issue with
this application, so using single-threaded sessions would not be a
straightforward solution for us.

Any responses would be greatly appreciated.

Thanks,


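A defence-in-depth check that the thread does not show, added here as an example and not code from the original poster or the list: bind the logged-in identity to a second token that the session store does not control, and compare the two on every request before any profile data is rendered. The application name, the SESSIONSIG cookie, Application.secret, Variables.userID and the login.cfm placement are assumptions; it also assumes a ColdFusion release that has Hash() (ColdFusion 5 or later).

```cfml
<!--- Application.cfm (excerpt). Added example, not the original poster's code.
      Assumed names: application "profileApp", cookie "SESSIONSIG", Application.secret
      (a long random string set once at startup and never sent to the browser). --->
<cfapplication name="profileApp" sessionmanagement="Yes" setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Read the shared secret under an application read lock. --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
    <cfset Variables.secret = Application.secret>
</cflock>

<!--- Copy what the session claims about the current user into local variables. --->
<cfset Variables.sessionUserID = "">
<cfset Variables.sessionCFID = "">
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfif IsDefined("Session.userID")>
        <cfset Variables.sessionUserID = Session.userID>
        <cfset Variables.sessionCFID = Session.CFID>
    </cfif>
</cflock>

<cfif Len(Variables.sessionUserID)>
    <!--- Signature issued to this browser at login (see the login.cfm excerpt below).
          Hash() is MD5; the secret stops a user from computing a signature for another ID. --->
    <cfset Variables.expectedSig = Hash(Variables.sessionUserID & "|" & Variables.secret)>
    <cfset Variables.presentedSig = "">
    <cfif IsDefined("Cookie.SESSIONSIG")>
        <cfset Variables.presentedSig = Cookie.SESSIONSIG>
    </cfif>

    <cfif CompareNoCase(Variables.expectedSig, Variables.presentedSig) NEQ 0>
        <!--- The session names one user but the browser's signature names another (or none).
              Log it with the session identifier and client address, drop the login, and send
              the browser back to the login page before any profile data is shown. --->
        <cflog file="sessionswap" type="Warning"
               text="user/session mismatch: sessionUser=#Variables.sessionUserID# cfid=#Variables.sessionCFID# ip=#CGI.REMOTE_ADDR#">
        <cflock scope="SESSION" type="EXCLUSIVE" timeout="20" throwontimeout="No">
            <cfset StructDelete(Session, "userID")>
        </cflock>
        <cfcookie name="CFID" value="" expires="NOW">
        <cfcookie name="CFTOKEN" value="" expires="NOW">
        <cfcookie name="SESSIONSIG" value="" expires="NOW">
        <cflocation url="login.cfm?reason=mismatch" addtoken="No">
    </cfif>
</cfif>

<!--- login.cfm (excerpt), after the credentials have been verified and Variables.userID set. --->
<cflock scope="APPLICATION" type="READONLY" timeout="10">
    <cfset Variables.secret = Application.secret>
</cflock>
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
    <cfset Session.userID = Variables.userID>
</cflock>
<!--- Browser-session cookie (no expires) carrying only the signature, never the user ID in clear. --->
<cfcookie name="SESSIONSIG" value="#Hash(Variables.userID & '|' & Variables.secret)#">
```

This catches the case where a browser ends up attached to a session that belongs to a different user while still holding its own signature cookie, and it leaves a log line with the session identifier and client address to work from. It does not catch a swap that replaces every cookie the browser holds, and it does not address whatever is causing the swap in the first place, so treat it as a detector and an evidence source rather than a fix. The two excerpts are shown in one listing only for reading; in the application they belong in Application.cfm and the login page respectively.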
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists