RE: Session Swapping incident - proxy servers

2002-02-01 Thread Chris Bohill

Dimo,

Our problem, like yours, is very isolated, happening to the same people
every once in a while. Unfortunately, this "every once in a while" was
once too much.

It was actually Dan Allison who helped to confirm this for us (thanks
Dan!!). We had a suspicion that it might have been the proxy servers,
but were unsure why. Dan helped to explain this, and provide a solution!

This is what he wrote: 

We had the same issue with session swapping about a year and a half ago.
It has nothing to do with your locking of variables; those looked fine. It
actually is a proxy server issue. You've probably seen that all the session
swapping occurs within a single company. Users from different companies are
not seeing each other's data.

That's because the proxy servers are caching the pages for speed. I'm happy
to tell you that it is an easy fix. All you have to do is create a new
client or session variable for each user that is a random number and then
append that variable to your links. You should append it to all of your
links if possible, but if you can't do that right away you should append it
to the pages that load after a user logs in.

Here's an example: index.cfm?ControlNumber=86483682&[the rest of your URL
vars]

We have a site that uses frames and after a user logs in they go to the
frameset. I just appended the variable to the frame calls and it solved my
swapping issues. We then re-built our site and appended the variable to all
the links in the site. There were quite a few but we have not had a session
swapping incident since.

HTH,

Chris.



-Original Message-
From: Dimo Michailov [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2002 21:43
To: CF-Talk
Subject: Re: Session Swapping incident



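The failure Dan describes in the message above (a shared proxy caching a personalised page by URL and handing it to the next user who asks for the same URL) and his cache-busting fix, as an added simulation. This is example code written for this page, not ColdFusion code from the thread; the CFID/CFTOKEN cookie names and the ControlNumber parameter come from the thread, while the user names, cookie values, the origin/proxy classes and the Cache-Control variant are assumptions made here. It goes one step past the thread by also showing the header-based fix, `Cache-Control: private, no-store`, which stops any well-behaved shared cache from storing the page whether or not the URL carries a token.

```python
"""Simulation of a shared caching proxy keyed on the URL alone handing user A's
personalised page to user B, and of two fixes that stop it."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed fixture (not real data): two users behind one corporate proxy,
# identified by the CFID/CFTOKEN cookie pair ColdFusion issues at login.
USERS = {
    ("1234", "98765432"): "alice",
    ("1235", "11223344"): "bob",
}


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(cookies: Dict[str, str], private: bool) -> Response:
    """Stand-in for the CF server: looks the user up from CFID/CFTOKEN and
    renders a personalised welcome page. With private=True it marks the
    response as not storable by shared caches (the header-based fix)."""
    user = USERS.get((cookies.get("CFID"), cookies.get("CFTOKEN")), "anonymous")
    headers = {"Cache-Control": "private, no-store"} if private else {}
    return Response(body=f"Welcome, {user}", headers=headers)


class CachingProxy:
    """Naive shared cache: the key is the URL only, cookies are ignored, and
    anything without a Cache-Control directive forbidding it is stored."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}
        self.hits = 0

    def get(self, url: str, cookies: Dict[str, str], private: bool) -> str:
        if url in self.store:  # served from cache: the origin never sees this request
            self.hits += 1
            return self.store[url].body
        resp = origin(cookies, private)
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" not in cc and "private" not in cc:
            self.store[url] = resp
        return resp.body


def new_control_number() -> str:
    """Per-user random value; secrets gives an unguessable one."""
    return secrets.token_hex(8)


def with_token(url: str, token: str) -> str:
    """Dan's fix: append the per-user value to every link so no two users
    ever request an identical URL (parameter name taken from the thread)."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}ControlNumber={token}"


def scenario(fix: str) -> Tuple[str, str]:
    """alice then bob request the welcome page through one proxy.
    fix is 'none', 'url_token' or 'cache_control'; returns what each saw."""
    proxy = CachingProxy()
    alice = {"CFID": "1234", "CFTOKEN": "98765432"}
    bob = {"CFID": "1235", "CFTOKEN": "11223344"}
    url_a = url_b = "http://app.example/index.cfm"
    if fix == "url_token":
        url_a = with_token(url_a, new_control_number())
        url_b = with_token(url_b, new_control_number())
    private = fix == "cache_control"
    return proxy.get(url_a, alice, private), proxy.get(url_b, bob, private)


if __name__ == "__main__":
    for fix in ("none", "url_token", "cache_control"):
        a, b = scenario(fix)
        print(f"{fix:14s} alice saw {a!r}, bob saw {b!r}")
```

Note what the 'none' case shows: the proxy answers Bob from its store, so Bob's request never reaches the server and nothing in the CF logs will record it. The URL token works only because it makes the cache key unique per user; the page is still stored, and the token leaks into referers and proxy logs. The Cache-Control header stops a compliant shared cache from storing the page at all, with or without the token.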
Re: Session Swapping incident

2002-01-31 Thread Dimo Michailov

Chris:

I just stumbled upon your thread about identities sharing. We have 
*EXACTLY* the same problem here: we run a CF-based forum application for 
maybe 1000-2000 users that are usually within the same company network, 
and we have occasional reports of mixed identities. Usually they 
happen when people post a message to a thread - they click POST, it is 
stored correctly in the DB, but as soon as the next page loads they seem 
to be a different user that is using the system at the same time.

We have all the things you mentioned in place - session variables 
strictly locked, etc. - but never figured it out. Of course, the incidence 
of these problems is not that high and the priority is still relatively low.

What makes you think that proxies/firewalls are the reason this might be 
happening? Can you share more information on what you've discovered so far?


Let me know if I can help with something in resolving this.

Thanks,
Dimo

 
__
Dedicated Windows 2000 Server
  PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER
  Instant Activation · $99/Month · Free Setup
  http://www.pennyhost.com/redirect.cfm?adcode=coldfusiona
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Session Swapping incident

2002-01-31 Thread Andy Parry

Hi,
Yes, we had all kinds of problems. Once we ditched client variables and
cookies and moved to using (locked) session variables only (URL token passing),
the problems went away. We were sure that some proxies were not permitting
the creation of unique sessions. Don't really know the reason why, but it
was nice when the problem went away :)

andy

  Has anyone else had bad experiences with proxies/firewalls and session
  variables swapping?
 
  Thanks again
 
  Chris.



RE: Session Swapping incident

2002-01-29 Thread Chris Bohill

Thanks to everyone who gave their views and advice regarding this 
problem I posted yesterday. The more we investigate, the more we feel 
that it is down to the proxy settings of the problem users below. 

Has anyone else had bad experiences with proxies/firewalls and session 
variables swapping?

Thanks again

Chris.

-Original Message-
From: Chris Bohill 
Sent: 28 January 2002 15:04
To: CF-Talk
Subject: Session Swapping incident





Session Swapping incident

2002-01-28 Thread Chris Bohill

We are developing a web-based application, and have recently been 
experiencing a number of "session swapping" incidents. On two occasions 
a user has been navigating the system, only to "swap" sessions with 
another user, who (we are not 100% sure) may also be viewing the site at 
the same time. 

Because a lot of the site is user-profile based, the user can tell 
straight away that they have "swapped". The user in question returned to 
the welcome page, but another user's name and details were there. This 
other user was in the same building but on a different floor, so they may 
have been on the same network.

For this to happen is pretty awkward, as much of the data is of a 
sensitive nature, but we feel we have done as much as we can to reduce 
the chance of this happening.

We have locked all session variables and only refer to them as local 
variables on pages that need them. see below:

<cflock timeout="10" type="READONLY" scope="SESSION">
  <!--- copy what the page needs into the local scope, then release the lock --->
  <cfset Variables.VarOne = session.VarOne>
  <cfset Variables.VarTwo = session.VarTwo>
</cflock>

When writing to a Session Variable we again use cflock, with type set to 
Exclusive.

All Session variables are locked when created on the Application page, 
and are set to Exclusive.

When the user logs out of the system we use the following code to kill 
all the session variables:

<cflock timeout="20" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
  <!--- expire the session identifier cookies in the browser --->
  <cfcookie name="CFID" value="" expires="NOW">
  <cfcookie name="CFTOKEN" value="" expires="NOW">

  <!--- and drop the server-side session data --->
  <cfscript>
    StructDelete(Session, "VarOne");
    StructDelete(Session, "VarTwo");
    StructClear(Session);
  </cfscript>
</cflock>

Are there known issues with session variables or is there something 
vital that we are missing? 
Is there something we should be doing on the Administrator to protect 
session swapping? 

For this to happen, even once is not acceptable to our client, so it is 
essential that we resolve this issue. Speed is an important issue with 
this application so using single thread sessions would not be a 
straightforward solution for us.

Any responses would be greatly appreciated.

Thanks,




RE: Session Swapping incident

2002-01-28 Thread Carlisle, Eric

Is the application running in a clustered environment?
Session variables aren't well suited for that.

EC

-Original Message-
From: Chris Bohill [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 10:04 AM
To: CF-Talk
Subject: Session Swapping incident





RE: Session Swapping incident

2002-01-28 Thread Chris Bohill

No, the application is only stored on one server.


-Original Message-
From: Carlisle, Eric [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2002 15:20
To: CF-Talk
Subject: RE: Session Swapping incident





RE: Session Swapping incident

2002-01-28 Thread Andy Ewings

This is interesting.  I had a nightmare with Session variables where I was
adamant that I had locked properly but was still getting session variables
expiring or swapping of sessions... for this reason I always use client
variables.

-Original Message-
From: Chris Bohill [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2002 15:04
To: CF-Talk
Subject: Session Swapping incident





RE: Session Swapping incident

2002-01-28 Thread Herbener, Martin - School Information Technology

While locking is a good thing, I don't think the fact that your locks are
clean (or not) necessarily has anything to do with session swapping, and I
doubt that single-threading sessions would help.  I would expect session
swapping to happen if a browser started submitting requests with the wrong
CFID/CFTOKEN combo; obviously it is possible that CF loses track of which
data goes with which session, but that seems unlikely (I'd think we'd have a
deafening chorus of complaints). These are some of the things I would
pursue:

1) Is the user starting their session with the 'right' info and then
suddenly getting 'wrong' info?  Perhaps the initial retrieval of user
profile data is doing something wrong.

2) Do you have, or can you start to collect, logs that track 
    form fields
    url vars
    cookies
for every page request (perhaps just for the network that the user is in)?
(I have some code to do this at the CF level if needed.)

3) Can you get the user to report exactly where he was in the application
when the problem appeared, such that you can correlate it with your logs?
Then, can you see what's happening to the CFID/CFTOKEN values sent to your
server at that point?

If this happens to users on one particular network, but not other people, I
would wonder about proxies/firewalls at that site.

 -Original Message-
 From: Andy Ewings [mailto:[EMAIL PROTECTED]]
 Sent: Monday, January 28, 2002 10:26 AM
 To: CF-Talk
 Subject: RE: Session Swapping incident
 
 

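A triage routine in the spirit of Martin's suggestions above (log cookies, URL variables and form fields per request, then correlate a user's report with the log), added here as example code rather than anything posted in the thread. The log format, the sample lines and the column recording which login the page was rendered for are constructed for the example; the CFID/CFTOKEN names come from the thread. The two checks separate the cases the thread argues about: a CFID/CFTOKEN pair rendered for two different logins means the mix-up happened at the server, while a page the user saw that has no matching request in the server log at that time points at something between browser and server, such as a caching proxy.

```python
"""Triage of a reported session swap from per-request logs: CFID/CFTOKEN
cookies, request path, and which login the page was rendered for."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data). Columns: ISO timestamp, client
# address as the server saw it (everyone behind the proxy shares one), CFID,
# CFTOKEN, login the page was rendered for, request path. The fourth line is
# the anomaly: alice's cookie pair rendered for bob.
SAMPLE_LOG = """\
2002-01-28T09:58:01 10.1.1.50 1234 98765432 alice /index.cfm
2002-01-28T09:58:07 10.1.1.50 1234 98765432 alice /profile.cfm
2002-01-28T09:59:30 10.1.1.50 1235 11223344 bob /index.cfm
2002-01-28T10:00:12 10.1.1.50 1234 98765432 bob /welcome.cfm
2002-01-28T10:01:45 10.1.1.50 1235 11223344 bob /post.cfm
"""

FIELDS = ("ts", "client", "cfid", "cftoken", "user", "path")


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse whitespace-separated request lines; blank or short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row: Dict[str, object] = dict(zip(FIELDS, parts))
        row["ts"] = datetime.fromisoformat(parts[0])
        rows.append(row)
    return rows


def shared_sessions(rows) -> Dict[Tuple[str, str], List[str]]:
    """CFID/CFTOKEN pairs the server rendered for more than one login.
    A hit means the swap happened at the server: the browser presented
    another user's cookies, or session state was mixed up."""
    logins = defaultdict(list)
    for r in rows:
        key = (r["cfid"], r["cftoken"])
        if r["user"] not in logins[key]:
            logins[key].append(r["user"])
    return {k: v for k, v in logins.items() if len(v) > 1}


def requests_near(rows, client: str, path: str, when_iso: str, window_s: int = 60):
    """Requests from `client` for `path` within `window_s` seconds of the time
    a user reports seeing the wrong page. An empty result for a page the user
    definitely saw means it never reached the server: look for a cache or
    proxy between the browser and the server."""
    when = datetime.fromisoformat(when_iso)
    window = timedelta(seconds=window_s)
    return [r for r in rows
            if r["client"] == client and r["path"] == path
            and abs(r["ts"] - when) <= window]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("cookie pairs rendered for several logins:", shared_sessions(rows))
    hits = requests_near(rows, "10.1.1.50", "/profile.cfm", "2002-01-28T10:05:00")
    print("server saw the reported page request:", bool(hits))
```

Run against real logs, the second check needs the user's report to be specific about time and page, which is exactly what Martin asks for in point 3; the first check is worth running continuously, since a single hit is a server-side identity mix-up regardless of what the user noticed.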


Re: Session Swapping incident

2002-01-28 Thread Jeffry Houser

At 03:04 PM 01/28/2002 +0000, you wrote:
We have locked all session variables and only refer to them as local
variables on pages that need them. see below:

<cflock timeout="10" type="READONLY" scope="SESSION">
  <cfset Variables.VarOne = session.VarOne>
  <cfset Variables.VarTwo = session.VarTwo>
</cflock>

  I see nothing wrong there, although if there are only two session 
variables, it is probably overkill.  Just use cflock when you access the 
session variables.  If there are lots of session variables and you want to 
avoid using the cflock tag, try using Duplicate:


<cflock timeout="10" type="READONLY" scope="SESSION">
  <!--- one locked read, then work on the copy without further locks --->
  <cfset variables.tempsession = Duplicate(session)>
</cflock>


When writing to a Session Variable we again use cflock, with type set to
Exclusive.

All Session variables are locked when created on the Application page,
and are set to Exclusive.

  That should also be correct.


When the user logs out of the system we use the following code to kill
all the session variables:

<cflock timeout="20" throwontimeout="No" type="EXCLUSIVE" scope="SESSION">
  <cfcookie name="CFID" value="" expires="NOW">
  <cfcookie name="CFTOKEN" value="" expires="NOW">

  <cfscript>
    StructDelete(Session, "VarOne");
    StructDelete(Session, "VarTwo");
    StructClear(Session);
  </cfscript>
</cflock>

  You might want to expire the cookie values after clearing the 
session.  You may also want to add something like this:

StructDelete(Session, "VarOne");
StructDelete(Session, "VarTwo");
StructDelete(Session, "CFID");
StructDelete(Session, "CFTOKEN");
StructDelete(Session, "URLToken");
StructDelete(Session, "SessionID");

  Although, the StructClear function should handle that without any of the 
specific StructDelete functions.
  I believe when you use cfcookie to expire a cookie using 'now' it doesn't 
expire until the session is closed.  I expect it can get confused if the 
cookies still exist, with empty values.


Are there known issues with session variables or is there something
vital that we are missing?

  None that I know of, so I find this behavior very odd.  I have 
experienced places where a user is automatically signed back in after they 
are signed out because of Application.cfm code, however that should not be 
the reason for session swapping.


For this to happen, even once is not acceptable to our client, so it is
essential that we resolve this issue. Speed is an important issue with
this application so using single thread sessions would not be a
straightforward solution for us.

  You may want to investigate the use of client variables, although if 
speed is an important issue, accessing session variables is definitely 
faster than client variables; but you could set up all your 'session' 
variables as a structure and serialize the structure using WDDX for storage 
in a client variable.  Then you only have to 'load' it once, in the 
application.cfm, and you can use it throughout without worrying about locks.



--
Jeffry Houser | mailto:[EMAIL PROTECTED]
AIM: Reboog711  | ICQ: 5246969 | Fax / Phone: 860-223-7946
--
DotComIt: Database Driven Web Data
My Book: Instant ColdFusion 5  | http://www.instantcoldfusion.com
My New Book: ColdFusion: A Beginner's Guide February 2002
--
Far Cry Fly, Alternative Folk Rock
http://www.farcryfly.com | http://www.mp3.com/FarCryFly
__
Dedicated Windows 2000 Server
  PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER
  Instant Activation · $99/Month · Free Setup
  http://www.pennyhost.com/redirect.cfm?adcode=coldfusiona
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
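Jeffry's suggestion of keeping the per-user state in one struct, serialized with WDDX into a single client variable and loaded once per request, written out as an added example; this is not code from the thread. The application name, the client-storage datasource forumClientDSN and the variable name userState are assumptions, and the save step is shown as a function rather than a custom tag.

```cfml
<!--- Application.cfm (added example): client variables kept in a datasource, not in cookies --->
<cfapplication name="ForumApp"
               clientmanagement="Yes"
               clientstorage="forumClientDSN"
               setclientcookies="Yes">

<!--- Load the user's state once per request into a Variables-scope struct.
      Variables scope is private to the request, so no cflock is needed to read or write it. --->
<cfif IsDefined("Client.userState") AND IsWDDX(Client.userState)>
    <cfwddx action="wddx2cfml" input="#Client.userState#" output="Variables.userState">
<cfelse>
    <!--- First visit, or a packet that does not parse: start from a known-empty state --->
    <cfset Variables.userState = StructNew()>
    <cfset Variables.userState.loggedIn = false>
</cfif>

<!--- Call after any change to Variables.userState (login, logout, preference change).
      Client variables hold simple values only, so the struct is stored as a WDDX packet string. --->
<cffunction name="saveUserState" returntype="void" output="false">
    <cfset var packet = "">
    <cfwddx action="cfml2wddx" input="#Variables.userState#" output="packet">
    <cfset Client.userState = packet>
</cffunction>

<!--- login.cfm (after the credentials have been verified) --->
<cfset Variables.userState.loggedIn = true>
<cfset Variables.userState.userID = Variables.authenticatedUserID>
<cfset saveUserState()>

<!--- logout.cfm: reset the struct and persist the empty packet so nothing survives the logout --->
<cfset StructClear(Variables.userState)>
<cfset Variables.userState.loggedIn = false>
<cfset saveUserState()>
```

Because the packet is tied to the CFID/CFTOKEN pair like any other client variable, this removes the locking question but not the identity question: whatever mechanism hands out those two values still decides whose state is loaded.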



RE: Session Swapping incident

2002-01-28 Thread Neil Clark

in the words of our immortal Jedi Master on another list..


Repeat after me - if I _type_ session, application, or server, I should



RE: Session Swapping incident

2002-01-28 Thread Jeffry Houser

  The obvious answer is Lock, although if it's something different I'm 
lost.  Was the following message hit by the line monster?  The original 
poster specified that he was locking, and based on his description he was 
locking properly.

At 04:21 PM 01/28/2002 +, you wrote:
in the words of our immortal Jedi Master on another list..


Repeat after me - if I _type_ session, application, or server, I should




RE: Session Swapping incident

2002-01-28 Thread Neil Clark

Doh

Repeat after me - if I _type_ session, application, or server, I should
type lock.

You suggested that it may be overkill to lock - he's saying it should always
be the case...

N




RE: Session Swapping incident

2002-01-28 Thread Andre Turrettini

First off, I find session locking to be the most annoying thing in the
world and thus use databased client vars.  If you think there's even a slight
chance of moving to a clustered environment, then this is the time to switch.
It ends up with cleaner code so you might want to try it anyway.  There's not
even a minimal performance gain especially when two people are looking up
the same values.

Secondly, this can be a logic problem in ColdFusion that might cause this so
beware of that and find a way to test your code to the point where you are
completely certain. (If you're completely certain now, then test it again in a
different fashion.)

Thirdly, the two clients were in the same office on your network or
somewhere else behind a firewall?  Firewalls sometimes mess with cookies.
So, are you appending the cfid and token to each link or relying on cookies?
However note that appending it to the url makes it easy for a user to switch
the numbers and try and session hop.  Not that opening the cookie is that
hard either.  I've been tinkering with tracking that info in two places
(cookie and encrypted url) and comparing the values at each http request.
You might want to try something like this to ensure that the tracking info
can't be messed with.

DRE

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 9:29 AM
To: CF-Talk
Subject: RE: Session Swapping incident


  The obvious answer is Lock, although if it's something different I'm 
lost.  Was the following message hit by the line monster?  The original 
poster specified that he was locking, and based on his description he was 
locking properly.

At 04:21 PM 01/28/2002 +, you wrote:
in the words of our immortal Jedi Master on another list..


Repeat after me - if I _type_ session, application, or server, I should


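The double-tracking check Andre describes, as an added example rather than code from the thread: the session identity travels both in the CF cookies and as an encrypted URL parameter, and a request where the two disagree is treated as unauthenticated. It assumes a current CFML engine (AES Encrypt/Decrypt), CF-style CFID/CFTOKEN sessions with setclientcookies on, an AES key already placed in Application.tokenKey, and a URL parameter named t; all of those names are assumptions, and the login page itself must be excluded from the check.

```cfml
<cfscript>
// Value to append to every link, e.g. "thread.cfm?id=42&t=#urlTokenForSession()#".
// The identity is encrypted so a user cannot simply edit the numbers in the address bar.
function urlTokenForSession() {
    var plain = Session.CFID & ":" & Session.CFTOKEN;
    return URLEncodedFormat(Encrypt(plain, Application.tokenKey, "AES", "Base64"));
}

// True only when the cookies and the URL token name the same session.
// A missing piece, a token that will not decrypt, or a mismatch all fail closed.
function requestIsBound() {
    var fromUrl = "";
    var fromCookie = "";
    if (!StructKeyExists(URL, "t")
        || !StructKeyExists(Cookie, "CFID")
        || !StructKeyExists(Cookie, "CFTOKEN")) {
        return false;
    }
    try {
        fromUrl = Decrypt(URL.t, Application.tokenKey, "AES", "Base64");
    } catch (any e) {
        return false;   // garbage or tampered token: do not leak why
    }
    fromCookie = Cookie.CFID & ":" & Cookie.CFTOKEN;
    // Compare() is case-sensitive; EQ would fold case on the token
    return Compare(fromUrl, fromCookie) == 0;
}
</cfscript>

<!--- Application.cfm, for every page except login.cfm: drop the session on any mismatch
      rather than serving it, so a swapped or edited identity never reaches a content page --->
<cfif NOT requestIsBound()>
    <cfset StructClear(Session)>
    <cflocation url="login.cfm" addtoken="No">
</cfif>
```

Note that this only proves the two channels agree; a link copied out of a browser still carries that user's encrypted token, so the cookie half is what stops it from being reused elsewhere.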



RE: Session Swapping incident

2002-01-28 Thread Jeffry Houser

  I was either unclear or you misunderstood what I originally intended.

  I meant that if there are only two session variables it may be overkill 
to copy them into variables scope to avoid locking within the page.


At 04:31 PM 01/28/2002 +, you wrote:
Doh

Repeat after me - if I _type_ session, application, or server, I should
type lock.

You suggested that it may be overkill to lock - he's saying it should always
be the case...

N





RE: Session Swapping incident

2002-01-28 Thread Neil Clark

ahh! :-)
