Session Overlap in ColdBox

Hi All,

I am working on a ColdBox application. We are facing a strange problem:
if we open our application in two browsers, the second browser's session
values override the first browser's values.

We set a var in sessionstorage to maintain the session:

I tried to access this var on a CFM page. If the second browser's user id is
1010 then the first browser is also showing the same.

Can anyone please help?

Define two browsers?

Firefox with new window, or firefox with new instance?

IE with new window or IE with new instance?

Are you using CFID & CFToken in URL?

What else can you tell us to narrow this down? The general rule of thumb is that
when a session is hijacked, it is hijacked because of the CFID & CFToken in
the URL, or you are actually opening a new window/tab without a new instance
of the browser.

Andrew Scott

In my experience (because I’ve coded the same kind of error before) the issue has to do with an incorrectly scoped object. In my case, a User object that gets populated after login. If you have incorrectly designated that object as a singleton (or perhaps by default it was created as a singleton), then the symptoms will be exactly as you described. I would do a walkthrough of your login process and verify the scopes of the objects you use to track specific user values. Make sense?

Doug Boude

Thanks for your reply Scott,

We are not using CFID&CFTOKEN in the URL.

This problem occurred when browsing the application in two different
browsers (two new ones); the same thing happens in Mozilla and IE.

I have used a variable in the session scope; this was also overridden.

Hey, thanks for your reply,

This happened with a session variable also.
e.g.: session.test = cusID;

After accessing the application in the second browser, the first browser shows a
different session variable. Both are different new browsers.

Output the cfid, cftoken, and (if applicable) jsessionid and find out if both browser windows are sharing the same session identifiers.

Depending on how your browsers are configured, multiple windows may be sharing cookies and therefore session data. This is kind of par for the course when it comes to web apps. For instance, only one person can be logged into Facebook with IE on my computer regardless of how many windows I have open.

What is the use case that necessitates a different session per browser window?

Ok, there are some things to take into consideration. First, the name is Andrew.

Secondly, as Brad has pointed out, even if you open a new instance (Windows
will always share the same session), it is going to depend on how it is
configured; there is always a high chance that the session will be the same,
as they all share the cookie information, which is where the CFID&CFToken
are stored.

Secondly, are you locking your session writes? And more importantly, is there
any reason you aren't using the sessionManagement plugin?

Because I am going to bet my bottom dollar that you are NOT using the
sessionManagement plugin and you are not using locks around your session
writes. ColdFusion, like most other languages, can suffer from what we call
race conditions when using singleton code, and that means that if two
concurrent connections write and read the variable at the exact same time it
is possible that these can be corrupted, and is what we call race

It is something to take into consideration when you are looking at your
problem here.

Andrew Scott

Here is the code:

<!--- store the logged-in customer id via the ColdBox sessionstorage plugin --->
<cfset getPlugin("sessionstorage").setVar("customerId", Struct_LoginResult.returnCustomerId) />

<!--- test write straight into the session scope; a named lock serialises
      every request that uses the name "test01", not just this session --->
<cflock name="test01" type="exclusive" timeout="5">
    <cfset session.test = Struct_LoginResult.returnCustomerId />
</cflock>

I opened the second browser some time after the first browser.

So why are you using sessionstorage for one and not the other?

How are you opening second browser? Is the browser IE or Firefox?

Andrew Scott

For testing only I have used the session.test variable; you can ignore it.

I have tried both IE and Firefox; the behaviour is the same in both.

I'd say that the session is tied to the session which instantiated the
CFC, hence the problem.

Sorry, I did not understand. Can you please elaborate?

Yeah but how are you opening a new browser?

Are you running via the icon, selecting new instance or using a new window?

Andrew Scott

The session scope in the object gets tied to the first session,
hence the problem you see in subsequent sessions: you're
seeing the first session.
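To make concrete both Doug's point about an incorrectly scoped user object and the explanation just above that the object's session gets pinned to the first session, here is an added illustration (not code from this thread; component and method names are hypothetical, and it assumes sessionManagement is enabled in Application.cfc and that ColdBox caches the component as a singleton). It also shows the locked session writes Andrew asked about.

```cfml
// --- UserService.cfc, WRONG: one cached instance pins the first session ---
component singleton {
    public any function init() {
        // Runs once, in whichever request first creates the singleton. The
        // session struct of THAT request is kept for the life of the object.
        variables.userSession = session;
        return this;
    }
    public void function login(required numeric customerId) {
        // Writes into the pinned struct, i.e. the first user's session, no
        // matter which browser is logging in: user 101's id lands in user
        // 100's session, so the first browser shows 101 on refresh.
        variables.userSession.customerId = arguments.customerId;
    }
    public numeric function getCustomerId() {
        return variables.userSession.customerId;
    }
}

// --- UserService.cfc, CORRECT: no per-user state inside the singleton ---
component singleton {
    // Nothing user-specific lives in `variables`. Every call touches the
    // session scope of the request that is running right now, and writes
    // are locked so two concurrent requests in one session cannot interleave.
    public void function login(required numeric customerId) {
        lock scope="session" type="exclusive" timeout="5" {
            session.customerId = arguments.customerId;
        }
    }
    public numeric function getCustomerId() {
        lock scope="session" type="readonly" timeout="5" {
            return structKeyExists(session, "customerId") ? session.customerId : 0;
        }
    }
}
```

Each `component` block stands for a separate UserService.cfc file; the same bug appears if `login` stores the id in `variables.customerId`, because that scope belongs to the single shared instance rather than to a user.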

Yep, I am running via the icon. It's a new instance.

So if you try running one session in IE and one in FireFox do you get the
same problem?

Andrew Scott

Hmm, let me clarify.

I have opened my application in IE and logged in to it. I am
publishing his customer id on screen, which comes from the sessionstorage
plugin. Say the customer id is 100.

Again I have opened the application in a new browser (click on the IE icon) and
logged in to the system; for this user the customer id is 101.

Now I moved to the first browser and refreshed the page; it is showing 101
as the customer id.

I did not try one IE and one Firefox. Let me try.

Hey... I have tried one IE and one Firefox. It was not repeated.

How come? Is this a browser issue or a framework issue?
Can someone please explain?

Then that tells you that the session is being hijacked by the other browser
window; we have said that even though you run the new version it is not
necessarily a clean new session... Have we not?

Now if this is a requirement of yours then you need to look into why and how
this is happening, and I bet that both IE and a new IE window as well as
Firefox and a new Firefox window all share the same CFID&CFToken.

Andrew Scott

Then how to resolve this? :frowning:

Can the jsessionid resolve this?