Dimo,

Our problem, like yours, is very isolated, happening to the same people
every once in a while. Unfortunately this "every once in a while" was
once too much.

It was actually Dan Allison who helped to confirm this for us (thanks
Dan!!). We had a suspicion that it might have been the proxy servers,
but were unsure why. Dan helped to explain this, and provide a solution!

This is what he wrote: 

We had the same issue with session swapping about a year and a half
ago. It has nothing to do with your locking of variables, those looked
fine. It actually is a proxy server issue. You've probably seen that all
the session swapping occurs within a single company. Users from different
companies are not seeing each other's data.

That's because the proxy servers are caching the pages for speed. I'm
happy to tell you that it is an easy fix. All you have to do is create a
new client or session variable for each user that is a random number and
then append that variable to your links. You should append it to all of
your links if possible, but if you can't do that right away you should
append it to the pages that load after a user logs in.

Here's an example: index.cfm?ControlNumber=86483682&The rest of your URL
vars

We have a site that uses frames and after a user logs in they go to the
frameset. I just appended the variable to the frame calls and it solved
my swapping issues. We then re-built our site and appended the variable
to all the links in the site. There were quite a few but we have not had
a session swapping incident since.

HTH,

Chris.
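The mechanism Dan describes (a shared proxy that caches a page by URL and replays it to the next user on the same network) and his fix (a per-session random value appended to every link) can be modelled in a few lines. The following simulation is an added example, not code from the list posts or from any ColdFusion product; the proxy, the origin server, the two sample sessions and the `scenario_*` functions are all constructed for illustration, and the third scenario goes beyond the thread by showing a proxy that honours HTTP `Cache-Control`.

```python
"""Simulation of the "session swapping" failure from the thread.

Constructed added example, not code from the list posts or from any
ColdFusion product. It models a shared caching proxy that stores responses
keyed by URL alone (the behaviour Dan Allison describes), two users behind
it, and an origin server that renders a per-user welcome page.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample sessions: the origin identifies the user by session cookie.
SESSIONS = {"cfid=1001": "alice", "cfid=1002": "bob"}


def origin_server(url: str, cookie: str, cache_control: Optional[str] = None) -> Response:
    """Render the welcome page for whoever owns the session cookie."""
    user = SESSIONS[cookie]
    headers = {"Cache-Control": cache_control} if cache_control else {}
    return Response(body=f"Welcome, {user}", headers=headers)


class CachingProxy:
    """Shared proxy sitting between several users and the origin.

    With honour_cache_control=False it caches every response by URL and
    ignores cookies entirely, so the first user's page is replayed to the
    next user who requests the same URL.
    """

    def __init__(self, honour_cache_control: bool = False):
        self.cache = {}
        self.honour_cache_control = honour_cache_control

    def fetch(self, url: str, cookie: str, cache_control: Optional[str] = None) -> str:
        if url in self.cache:                      # cache hit: the cookie is never consulted
            return self.cache[url].body
        resp = origin_server(url, cookie, cache_control)
        cc = resp.headers.get("Cache-Control", "")
        uncacheable = self.honour_cache_control and ("no-store" in cc or "private" in cc)
        if not uncacheable:
            self.cache[url] = resp
        return resp.body


def control_number() -> str:
    """Per-session random value (the 'ControlNumber' in Dan's example URL).

    Dan suggested a random number; a CSPRNG hex token is assumed here so the
    value is unpredictable, although its only job is to make the URL unique.
    """
    return secrets.token_hex(8)


def with_control_number(url: str, token: str) -> str:
    """Append the per-session value to a link, as the posts recommend."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}ControlNumber={token}"


WELCOME = "/index.cfm?page=welcome"


def scenario_swapped() -> Tuple[str, str]:
    """Both users request the same URL: bob receives alice's cached page."""
    proxy = CachingProxy()
    return proxy.fetch(WELCOME, "cfid=1001"), proxy.fetch(WELCOME, "cfid=1002")


def scenario_control_number() -> Tuple[str, str]:
    """Each session carries its own ControlNumber, so the URLs never collide."""
    proxy = CachingProxy()
    a = proxy.fetch(with_control_number(WELCOME, control_number()), "cfid=1001")
    b = proxy.fetch(with_control_number(WELCOME, control_number()), "cfid=1002")
    return a, b


def scenario_no_store() -> Tuple[str, str]:
    """Beyond the thread: a proxy honouring Cache-Control never stores the page."""
    proxy = CachingProxy(honour_cache_control=True)
    a = proxy.fetch(WELCOME, "cfid=1001", "private, no-store")
    b = proxy.fetch(WELCOME, "cfid=1002", "private, no-store")
    return a, b


if __name__ == "__main__":
    print("naive proxy   :", scenario_swapped())
    print("control number:", scenario_control_number())
    print("cache-control :", scenario_no_store())
```

The first scenario reproduces the symptom: the second user is served the first user's welcome page without the proxy ever looking at the session cookie. The ControlNumber fix works only because the proxy keys on the full URL, so every link that is not tagged remains exposed, and the proxy still stores the personalised pages. The third scenario is the general form of the mitigation, an assumption added here rather than something the thread proposes: marking authenticated responses `Cache-Control: private, no-store` keeps a well-behaved shared cache from retaining them at all, regardless of which links were tagged.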



-----Original Message-----
From: Dimo Michailov [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2002 21:43
To: CF-Talk
Subject: Re: "Session Swapping" incident


Chris:

I just stumbled upon your thread about "identities" sharing. We have
*EXACTLY* the same problem here. We run a CF-based forum application for
maybe 1000-2000 users that are usually within the same company network,
and we occasionally have reports of mixed identities. Usually they
happen when people post a message to a thread - they click "POST", it is
stored correctly in the DB, but as soon as the next page loads they seem
to be a different user that is using the system at the same time.

We have all the things you mentioned in place - session variables
strictly locked, etc. - but never figured it out. Of course, the incidence
of these problems is not that high and the priority is still relatively
low.

What makes you think that proxies/firewalls are the reason this might be
happening? Can you share more information on what you've discovered so
far?


Let me know if I can help with something in resolving this.

Thanks,
Dimo

Chris Bohill wrote:

> Thanks to everyone who gave their views and advice regarding this
> problem I posted yesterday. The more we investigate, the more we feel
> that it is down to the proxy settings of the problem users below.
>
> Has anyone else had bad experiences with proxies/firewalls and session
> variables swapping?
>
> Thanks again
>
> Chris.
> 
> -----Original Message-----
> From: Chris Bohill 
> Sent: 28 January 2002 15:04
> To: CF-Talk
> Subject: "Session Swapping" incident
> 
> 
> We are developing a web-based application, and have recently been
> experiencing a number of "Session swapping" incidents. On two occasions
> a user has been navigating the system, only to "Swap" sessions with
> another user, who (we are not 100% sure) may also be viewing the site at
> the same time.
>
> Because a lot of the site is user-profile based, the user can tell
> straight away that they have "Swapped". The user in question returned to
> the welcome page, but another user's name and details were there. This
> other user was in the same building but on a different floor, so they may
> have been on the same network.
>
> For this to happen is pretty awkward, as much of the data is of a
> sensitive nature, but we feel we have done as much as we can to reduce
> the chance of this happening.
>
> We have locked all session variables and only refer to them as local
> variables on pages that need them. See below:
>
> <cflock timeout="10" type="READONLY" scope="SESSION">
> <cfset Variables.VarOne = session.VarOne>
> <cfset Variables.VarTwo = session.VarTwo>
> </cflock>
>
> When writing to a Session Variable we again use cflock, with type set to
> "Exclusive".
>
> All Session variables are locked when created on the Application page,
> and are set to "Exclusive".
>
> When the user logs out of the system we use the following code to kill
> all the session variables:
>
> <cflock timeout="20" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
>   <cfcookie name="CFID" value="" expires="NOW">
>   <cfcookie name="CFTOKEN" value="" expires="NOW">
>   <cfscript>
>     StructDelete(Session, "VarOne");
>     StructDelete(Session, "VarTwo");
>     StructClear(Session);
>   </cfscript>
> </cflock>
>
> Are there known issues with session variables or is there something
> vital that we are missing?
> Is there something we should be doing in the Administrator to protect
> against "session swapping"?
>
> For this to happen even once is not acceptable to our client, so it is
> essential that we resolve this issue. Speed is an important issue with
> this application so using single-threaded sessions would not be a
> straightforward solution for us.
>
> Any responses would be greatly appreciated.
>
> Thanks,

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists