Session Overlap in Coldbox

No, you need to understand how Browsers start new sessions/instances.

Regards,
Andrew Scott
http://www.andyscott.id.au/

Try not using cookies.

That is not an ideal solution, because that would mean you need to pass
through the URL and that is a security risk.

Regards,
Andrew Scott
http://www.andyscott.id.au/

I believe that the scoping issue is with whatever does the Struct_LoginResult.returnCustomerId.

Otherwise, yes, your browsers are sharing data. The best thing to do is to make things simple.

Just do this

<cfset getPlugin("sessionstorage").setVar("customerId", url.test) />

<cflock name="test01" type="exclusive" timeout='5'>
<cfset session.test = url.test/>
</cflock>

and see what happens. Use two different URL variables in the different browsers, dump the session, and see that they change.

Report your results,

Curt Gratz
Computer Know How

If the object containing the session-setting code itself isn’t scoped properly, then the symptoms will be exactly as you described… first browser sees an id of 100, then when the second browser is opened and a different person logs in, both browsers see the id of the second person. I’m thinking that you have tunnel vision on the session variables when in fact it’s the object itself that is improperly scoped. Coldbox doesn’t have a bug that allows session overlap, nor do browsers; when this occurs, it is because the code isn’t written properly, 99.999% of the time.

Have you reviewed the entire login process to ensure that your user object is NOT a singleton? Are you using Coldbox’s built-in model injection/dependency or Coldspring, or Lightwire to manage your objects? Coldspring, for instance, by default, will create your objects as singletons unless you explicitly tell it not to.

Anyway, just felt the need to re-interject this into the thread. :)

Doug B

As validation of what I’m saying, output the CFID and CFTOKEN values in both browsers. I’ll bet money that they are indeed unique, despite the fact that your userid is the same. This means that each browser IS seeing its own private session, and the values are being overridden in both sessions because the object containing the code that sets that value is a singleton. Making any sense?
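
The singleton-scoping failure described in the posts above, as an added example that is not code from the thread or from ColdBox: a cached component that keeps the customer id in its own variables scope next to a version that keeps it in the caller's session scope, plus a page that prints CFID/CFTOKEN beside both values so the shared state is visible even though the sessions differ. The names UserService, loginBroken, getCustomerIdBroken and check.cfm are hypothetical, and the example assumes session management is enabled for the application with the standard CFID/CFTOKEN identifiers.

```cfml
<!--- UserService.cfc (hypothetical): created once and cached, i.e. a singleton --->
<cfcomponent output="false">
    <cfset variables.customerId = 0>

    <!--- BROKEN: variables scope belongs to the one shared instance, so each
          login overwrites the id that every other session reads back. --->
    <cffunction name="loginBroken" access="public" returntype="void" output="false">
        <cfargument name="customerId" type="numeric" required="true">
        <cfset variables.customerId = arguments.customerId>
    </cffunction>

    <cffunction name="getCustomerIdBroken" access="public" returntype="numeric" output="false">
        <cfreturn variables.customerId>
    </cffunction>

    <!--- FIXED: the singleton holds no per-user state; it writes to the
          caller's own session scope under a session-scoped lock. --->
    <cffunction name="login" access="public" returntype="void" output="false">
        <cfargument name="customerId" type="numeric" required="true">
        <cflock scope="session" type="exclusive" timeout="5">
            <cfset session.customerId = arguments.customerId>
        </cflock>
    </cffunction>

    <cffunction name="getCustomerId" access="public" returntype="numeric" output="false">
        <cfset var id = 0>
        <cflock scope="session" type="readonly" timeout="5">
            <cfif structKeyExists(session, "customerId")>
                <cfset id = session.customerId>
            </cfif>
        </cflock>
        <cfreturn id>
    </cffunction>
</cfcomponent>

<!--- check.cfm (hypothetical, separate file). Load ?id=100 in browser A and
      ?id=200 in browser B, then reload A without the parameter. --->
<cfif NOT structKeyExists(application, "userService")>
    <cfset application.userService = createObject("component", "UserService")>
</cfif>
<cfif structKeyExists(url, "id")>
    <cfset application.userService.loginBroken(val(url.id))>
    <cfset application.userService.login(val(url.id))>
</cfif>
<cfoutput>
    CFID=#session.CFID# CFTOKEN=#session.CFTOKEN#
    broken=#application.userService.getCustomerIdBroken()#
    fixed=#application.userService.getCustomerId()#
</cfoutput>
```

The same rule applies to objects managed by a dependency-injection framework: anything it creates as a singleton must not store per-user data in its variables or this scope.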