Session Management

Session IDs switching between users... Not a fix, but a way to catch. by webmigit
Posted: 12 Oct 02

(This FAQ goes hand in hand with my other FAQ concerning session variables: FAQ232-1926)

This is a common problem for ColdFusion developers:

Every once in a while, when two users access the same page at the same moment, their session IDs are swapped; CFLOCK does not seem to fully prevent this.

Joe (SessionID 1) --> page1.cfm
Jon (SessionID 2) --> page1.cfm

If they access the same page simultaneously, Joe may end up with ID 2 and Jon with ID 1, which is of course a security problem: each user now reads and writes the other's session data.

I'm not sure that there is a foolproof fix for this, but there is a surefire way to catch it, two as a matter of fact.

When creating the session variables, store cgi.remote_addr in session.addr:

<CFLOCK scope="session" timeout="10">
 <CFSET session.addr=cgi.remote_addr>
 <!--- local copy so later reads on this page need no session lock --->
 <CFSET sAddr=session.addr>
</CFLOCK>

On each page's execution, compare session.addr with cgi.remote_addr. If they match, the page continues; if not, the page halts, redirects to an error page, and the session is cleared.

<!--- sAddr is the copy of session.addr read inside a CFLOCK on this page --->
<CFIF cgi.remote_addr is not sAddr><CFLOCATION url="sessionerror.cfm"></CFIF>

The flaw is that CGI variables are not always reliable: cgi.remote_addr may be empty, or it may be the address of a proxy or NAT gateway shared by many users, in which case two users behind the same gateway would not be told apart. So another method is to assign a random number or some identifier (even just the username) to a cookie. Do not store the password in the cookie, since you won't need it for this step of authentication. You can pretty much assume that anyone using a user's computer knows that person's username, so storing the username in a cookie does not weaken security.

The next step is pretty much the same as before: on each page, match the cookie against the session variable.

<!--- session.username should likewise be read inside a CFLOCK before this comparison --->
<CFIF cookie.username is not session.username><CFLOCATION url="sessionerror.cfm"></CFIF>
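Both checks put together as one added example (this is not code from the original FAQ): login.cfm binds the session to the client's address and to a random cookie value once the password has been verified, and Application.cfm runs the address check and the cookie check on every later request, clearing the session and redirecting on any mismatch. The cookie name sessnonce, the form field names, the application name and the file sessionerror.cfm are assumptions; the password check itself is left out because the FAQ does not cover it.

```cfml
<!--- ===== Application.cfm (added example, not the FAQ's code) ===== --->
<CFAPPLICATION name="sessionBindDemo"
               sessionmanagement="Yes"
               setclientcookies="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Copy the session values to local variables inside a read-only lock first. --->
<CFSET loggedIn = False>
<CFLOCK scope="session" type="readonly" timeout="10">
  <CFIF IsDefined("session.username")>
    <CFSET loggedIn = True>
    <CFSET sUser  = session.username>
    <CFSET sAddr  = session.addr>
    <CFSET sNonce = session.nonce>
  </CFIF>
</CFLOCK>

<CFIF loggedIn>
  <CFSET mismatch = False>
  <!--- Check 1: the client address must match the one stored at login. --->
  <CFIF cgi.remote_addr IS NOT sAddr>
    <CFSET mismatch = True>
  </CFIF>
  <!--- Check 2: both cookies must exist and match the session copy.
        This check still works when remote_addr is empty or shared. --->
  <CFIF NOT IsDefined("cookie.username") OR NOT IsDefined("cookie.sessnonce")
        OR cookie.username IS NOT sUser OR cookie.sessnonce IS NOT sNonce>
    <CFSET mismatch = True>
  </CFIF>

  <CFIF mismatch>
    <!--- Clear the session so neither user keeps the other's data, then redirect. --->
    <CFLOCK scope="session" type="exclusive" timeout="10">
      <CFSET StructClear(session)>
    </CFLOCK>
    <CFCOOKIE name="sessnonce" value="" expires="Now">
    <CFLOCATION url="sessionerror.cfm" addtoken="No">
  </CFIF>
</CFIF>

<!--- ===== login.cfm: runs once, after form.username/form.password were verified
      by whatever credential check the site already has (assumed, not shown) ===== --->
<CFIF IsDefined("form.username") AND IsDefined("form.password")>
  <!--- Random identifier for the cookie check; CreateUUID() differs on every call. --->
  <CFSET nonce = CreateUUID()>
  <CFLOCK scope="session" type="exclusive" timeout="10">
    <CFSET session.username = form.username>
    <CFSET session.addr     = cgi.remote_addr>
    <CFSET session.nonce    = nonce>
  </CFLOCK>
  <!--- Only the username and the random nonce go into cookies, never the password. --->
  <CFCOOKIE name="username"  value="#form.username#">
  <CFCOOKIE name="sessnonce" value="#nonce#">
  <!--- Redirect so the checks in Application.cfm run with the new cookies present. --->
  <CFLOCATION url="index.cfm" addtoken="No">
</CFIF>
```

The random nonce is what makes the cookie check catch a swap even when two users share a username or an address: a swapped session carries the other user's nonce, which never matches the cookie the browser sends. Keeping the address check alongside it costs nothing, but remember that users behind the same NAT gateway or proxy all present the same cgi.remote_addr, so it is the cookie check that does the real work.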

Developers worry about users disabling cookies. This is not such a large issue, since most sites use cookies. There are two basic types of users on the Internet: those who know so little about how the Internet works that they don't even understand cookies, and thus have no reason to disable something they don't know exists; and those who develop websites, or at least take some interest in web development, who know how important cookies are to many sites and wouldn't dare disable them.

As for browsers that don't support cookies: they are so old or so rare that they are virtually unheard of. A novice wouldn't know where to get one and wouldn't have been on the Internet long enough to still have one, and someone who knows about them wouldn't really want one. As I said, little to no risk.
