Urgent Issue Session Persistence Problem

Okay,

I’m having some VERY NASTY problems with session storage.

Our app persists an "activeUserID" to the session storage via `sessionStorage.setVar("activeUserID", userID);`

On subsequent requests the current userId is returned via `sessionStorage.getVar("activeUserID")`

At this point, we are having problems with a user getting the ‘activeUserID’ of another user. It is not stored/accessed via any other mechanism.

ColdFusion is somehow returning the wrong sessionID…. Here’s a log of what is happening….

https://gist.github.com/b7b4ac8ae8e755cf341a

I’m at a TOTAL loss here… any help would be greatly appreciated!

Is getAllStats a singleton?

getAllStats is a action in a handler which is being cached…

As far as I can see, the breakdown happens in the "SecurityService (singleton)" where it calls a wired-in "SessionStorage (coldbox:plugin:SessionStorage)" instance for the getVar/setVar calls.

Yep, sorry, I mean stats not getAllStats which is clearly a function.

Out of interest, are these two users on the site at the same time?

I do believe they both have active sessions, but they aren’t interactive with the system simultaneously…

I had a similar issue with singletons and implicit getters/setters and concurrency. It sometimes returned the wrong user object when both people were logged in at the same time.

Seeing as I wasn’t using ORM, I reverted to returning a query instead of using getters and object persistence in that way.

What I’d recommend to test is to use something like http://www.musatcha.com/software/NewChromeSession/ for chrome, which allows you to login on multiple chrome instances with different sessions/cookies.

Open up 10 chrome instances and login all at the same time. If you can replicate it, then it’s likely you’re seeing a similar issue to the one I had….

Thanks for the help Tom.

The entire issue seemingly can be isolated to `SessionStorage.getVar()`/`setVar()`: two back-to-back requests with the same user and it returns different values (and, if you look in the logs, the session IDs change).

So annoyingly stuck on this… I'd feel better if this weren't in production and I didn't have users emailing me asking why they are logged in as the wrong users… FML.

So getUserSession – what’s that? A model or handler?

If you just do `<cfset logger.debug("directRequest: #getPlugin('SessionStorage').getVar('UserID')#")>` - what goes into the log then? (provided logger is an alias of logbox injected, of course)….

Has anyone come up with a solution for this? I am having this issue also…

Dom

Dominique,

My problem ended up being that an overly aggressive caching proxy was sending the same session headers/cookies for all users behind their proxy. Not to be too specific, but the affected users were all from a BIG software company based in Redmond, WA :)

They adjusted their proxy and we added some very specific do-not-cache headers to some of the relevant sections of our site.

An easy solution to this is also to put the site behind SSL… which would ensure this wouldn’t occur.

Ben
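The do-not-cache headers Ben describes, as an added example that is not the thread's own code: a minimal Application.cfc (application name and handler names assumed) that marks every response as private and uncacheable, so a shared proxy between users and the server cannot store one user's session-bound page and replay it to another.

```cfml
<!--- Application.cfc: added example, not from the thread. --->
<cfcomponent output="false">
    <!--- Hypothetical application name; sessionManagement is required for CF sessions. --->
    <cfset this.name = "sessionCacheDemo">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Any response whose content depends on the session (here: activeUserID)
              must not be stored by a shared cache such as a corporate proxy or CDN. --->
        <cfheader name="Cache-Control" value="no-store, no-cache, private, must-revalidate, max-age=0">
        <!--- Pragma/Expires cover HTTP/1.0-era proxies that ignore Cache-Control. --->
        <cfheader name="Pragma" value="no-cache">
        <cfheader name="Expires" value="0">
        <!--- Defence in depth: if a cache stores the page anyway, keying on Cookie
              stops a response for one session being served to a different session. --->
        <cfheader name="Vary" value="Cookie">

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

To confirm the fix reached the proxy, request a page that reads activeUserID from two different sessions and check that the response headers above are present and that the bodies differ.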

thanks!