Session Swapping

We’re experiencing session swapping in one of our coldbox applications – which is (obviously) very worrying. Our application stores very sensitive data – so this is becoming a very big problem for us.

The application is entirely in coldbox – which I thought implemented its own locking; all session, cookie data etc. is accessed via the SessionStorage and CookieStorage plugins, and everything seems to be var scoped properly (we ran var scoper to check this).

Tracking down why this is happening is proving to be very difficult.

Can anyone shed any light on where we should be looking, or what we can do to potentially resolve this?



I had this issue. It was because I had vars scoped across an entire model rather than passing them in and out of the functions in the model. I inherited this code and had to rewrite it to prevent this from happening. Var scoper didn’t really help because it doesn’t understand the MVC/Coldbox framework. The problem didn’t happen to me until I moved from a 2.x to 3.x of Coldbox.

I’m not sure I fully understand what you mean. Could you give me an example?

In my case, I had a bean defined in the model rather than passing the bean into the function when it was called from the handler. So basically the bean was scoped to the model versus local to the function. Since my login function was in a model, what I noticed right away when upgrading my coldbox was that the login display (welcome username) would change to the last user logged in just by refreshing the page.

I don’t know why this didn’t happen when in coldbox 2.x but started happening when I migrated to 3.x. I was new to coldbox at that time and once I understood var scoping and the framework I was able to create the bean in the handler and pass it into the function in the model and the problems went away.
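The pattern described in this answer, as an added illustration that is not code from the original thread: a model cached as a singleton keeps anything assigned to its `variables` scope for the life of the application, so one request can read the bean another request just stored. The component name, the `singleton` annotation and the struct standing in for the bean are assumptions made for this example.

```cfml
// models/UserService.cfc (hypothetical; constructed for this example)
// ColdBox caches a model annotated "singleton" and reuses the same
// instance for every request, so its variables scope is shared state.
component singleton {

    // VULNERABLE: the "bean" (a struct here) lives in the component's
    // variables scope. Two overlapping requests race on the same key,
    // so request B can be shown request A's username (session swapping).
    public struct function loginUnsafe( required string username ) {
        variables.user = { "username" : arguments.username };   // shared
        // any work here is a window in which another request overwrites it
        return { "welcome" : variables.user.username };
    }

    // FIXED (in-function): the bean is created per call and held in the
    // local scope, so each request gets its own copy.
    public struct function loginSafe( required string username ) {
        var user = { "username" : arguments.username };         // local
        return { "welcome" : user.username };
    }

    // FIXED (handler-owned): the handler creates the bean for the request
    // and passes it in; the singleton never stores it.
    // e.g. in a handler:  prc.result = userService.loginWithBean(
    //                         { "username" : rc.username } );
    public struct function loginWithBean( required struct user ) {
        return { "welcome" : arguments.user.username };
    }

}
```

To find this class of bug, grep singleton models for assignments to `variables.` (or unscoped assignments, which default to `variables`) inside request-handling functions; per-request data belongs in `var`/`local` or in the request's own scopes.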