I am working on a ColdBox application. We are facing a strange problem.
If we open our application in two browsers, the second browser's session
values are overriding the first browser's values.
E.g.:
Set a var in sessionstorage to maintain session:
getPlugin('sessionstorage').setVar('userid',userid);
I tried to access this var on a cfm page. If the second browser's user id is
1010 then the first browser is also showing the same.
Firefox with new window, or Firefox with new instance?
IE with new window or IE with new instance?
Are you using CFID & CFToken in URL?
What else can you tell us to narrow this down? General rule of thumb is that
when a session is hijacked, it is hijacked because of the CFID & CFToken in
the URL, or you are actually opening a new window/tab without a new instance
of the browser.
In my experience (because I’ve coded the same kind of error before) the issue has to do with an incorrectly scoped object. In my case, a User object that gets populated after login. If you have incorrectly designated that object as a singleton (or perhaps by default it was created as a singleton), then the symptoms will be exactly as you described. I would do a walkthrough of your login process and verify the scopes of the objects you use to track specific user values. Make sense?
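The incorrectly scoped object described in the post above, as an added example that is not part of the original thread: a user object cached application-wide (a singleton) beside the same value stored per session, reproducing the symptom of the first browser showing the second login's customer id. The structs standing in for ColdFusion's scopes, the function names and the CFID values are all assumptions made so the file runs on its own.

```cfml
<cfscript>
// Stand-ins for ColdFusion's scopes so this file runs by itself (assumption):
// appScope is shared by every request; sessionStore holds one struct per CFID.
appScope     = {};
sessionStore = {};

// Return the session struct for a CFID cookie value, creating it on first use.
function sessionFor( required string cfid ) {
    if ( !structKeyExists( sessionStore, arguments.cfid ) ) {
        sessionStore[ arguments.cfid ] = {};
    }
    return sessionStore[ arguments.cfid ];
}

// BUGGY: the user object is created once and cached application-wide (a
// singleton), so a login from any session overwrites the previous one.
function loginSingleton( required string cfid, required string customerId ) {
    if ( !structKeyExists( appScope, "user" ) ) {
        appScope.user = { customerId = "" };
    }
    appScope.user.customerId = arguments.customerId;
}
function customerIdSingleton( required string cfid ) {
    // The caller's CFID is never consulted: every session reads the same object.
    return appScope.user.customerId;
}

// FIXED: per-user state lives in the struct that belongs to the caller's session.
function loginPerSession( required string cfid, required string customerId ) {
    var s = sessionFor( arguments.cfid );
    s.customerId = arguments.customerId;
}
function customerIdPerSession( required string cfid ) {
    var s = sessionFor( arguments.cfid );
    return s.customerId;
}

// Two browsers with different session cookies log in (constructed values).
logins = [ { cfid = "A1001", customerId = "100" }, { cfid = "A1002", customerId = "101" } ];
for ( login in logins ) {
    loginSingleton( login.cfid, login.customerId );
    loginPerSession( login.cfid, login.customerId );
}

// The first browser refreshes its page.
writeOutput( "Singleton user object, first browser sees: " & customerIdSingleton( "A1001" ) & "<br>" );
writeOutput( "Per-session storage, first browser sees: " & customerIdPerSession( "A1001" ) & "<br>" );
</cfscript>
```

If both browsers send the same CFID, the per-session version also returns the latest login for both, which is the shared-cookie case raised elsewhere in the thread.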
Output the cfid, cftoken, and (if applicable) jsessionID and find out if both browser windows are sharing the same session identifiers.
Depending on how your browsers are configured, multiple windows may be sharing cookies and therefore session data. This is kind of par for the course when it comes to web apps. For instance, only one person can be logged into Facebook with IE on my computer regardless of how many windows I have open.
What is the use case that necessitates a different session per browser window?
Ok, there are some things to take into consideration. First, the name is Andrew.
Secondly, as Brad has pointed out, even if you open a new instance (Windows
will always share the same session) it is going to depend on how it is
configured; there is always a high chance that the session will be the same
as they all share the cookie information, which is where the CFID & CFToken
are stored.
Secondly, are you locking your session writes? And more importantly is there
any reason you aren't using the sessionManagement plugin?
Because I am going to bet my bottom dollar, you are NOT using the
sessionManagement plugin and you are not using locks around your session
writes. ColdFusion like most other languages can suffer from what we call
race conditions when using singleton code, and that means that if two
concurrent connections write and read the variable at the exact same time it
is possible that these can be corrupted, and is what we call race
conditions.
It is something to take into consideration when you are looking at your
problem here.
I have opened my application in IE and logged in to it. I am
publishing his customer id on screen, which is from the sessionstorage
plugin. Say the customer id is 100.
Again I have opened the application in a new browser (click on IE icon),
logged in to the system; now for this user the customer id is 101.
Now I moved to the first browser and refreshed the page; it is showing 101
as customerid.
Then that tells you that the session is being hijacked by the other browser
window, we have said that even though you run the new version it is not
necessarily a clean new session... Have we not?
Now if this is a requirement of yours then you need to look into why and how
this is happening, and I bet that both IE and new IE window as well as
Firefox and new Firefox window all share the same CFID & CFToken.