
Session IDs switching between users... Not a fix, but a way to catch.


by webmigit (edited)
(This FAQ goes hand in hand with my other FAQ on session variables: faq232-1926)

This is a common problem for ColdFusion developers:

Every once in a while, when two users access the same page at the same moment, their session IDs are swapped; CFLOCK does not seem to fully prevent this.

Joe (SessionID 1) --> page1.cfm
Jon (SessionID 2) --> page1.cfm

If they access the page simultaneously, Joe may get ID 2 and Jon ID 1, which is obviously a security problem: each user is now running under the other's session.

I'm not sure that there is a foolproof fix for this, but there is a surefire way to catch it; two, as a matter of fact.

When creating the session variables, store the client's address (#cgi.remote_addr#) as session.addr.

Code:
<!--- Run once when the session is created (e.g. at login): record the client
      address in the session and keep a local copy for use outside the lock --->
<CFLOCK scope="session" type="exclusive" timeout="10">
 <CFSET session.addr=cgi.remote_addr>
 <CFSET sAddr=session.addr>
</CFLOCK>

On every page, compare session.addr with cgi.remote_addr. If they match, the page continues executing; if not, the page halts, the user is sent to an error page, and the session is cleared.

Code:
<!--- On every page: sAddr is the local copy of session.addr read inside a CFLOCK.
      Redirect to the error page (which clears the session) on a mismatch;
      CFLOCATION also stops execution of the current page --->
<CFIF cgi.remote_addr is not sAddr><CFLOCATION url="sessionerror.cfm" addtoken="no"></CFIF>

The flaw is that CGI variables such as cgi.remote_addr are not always available, so another method is to assign a random number or some other identifier (even just the username) to a cookie. Do not store the password in the cookie; it is not needed for this step of authentication. You can pretty much assume that anyone using a user's computer already knows that person's username, so storing the username in a cookie does not weaken security.

The next step is much the same as before: on each page, compare the cookie with the session variable.

Code:
<!--- On every page: a missing cookie counts as a mismatch, so test for it first
      (CF short-circuits OR) rather than letting cookie.username throw an error --->
<CFIF not isDefined("cookie.username") or cookie.username is not session.username><CFLOCATION url="sessionerror.cfm" addtoken="no"></CFIF>
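The same two checks (address binding and cookie binding), as an added framework-neutral Python example rather than the FAQ's CFML: it is not code from the original post. The Request and Session classes, the session_token cookie name and the 192.0.2.x addresses are assumptions; the cookie carries a random identifier, one of the options the FAQ names, instead of the username. simulate_swap() replays the Joe/Jon mix-up described above and shows both requests being rejected rather than silently running as the other user.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Hypothetical stand-in for what the server sees per request
    (the FAQ's cgi.remote_addr plus the cookie jar)."""
    remote_addr: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    """Hypothetical stand-in for the server-side session scope."""
    data: dict = field(default_factory=dict)


COOKIE_NAME = "session_token"  # assumed cookie name


def bind_session(session: Session, request: Request) -> dict:
    """Run once when the session is created (login): record the client address
    (the FAQ's session.addr) and issue a random identifier for the cookie check.
    Returns the cookie to set on the response."""
    token = secrets.token_urlsafe(32)
    session.data["addr"] = request.remote_addr
    session.data["token"] = token
    return {COOKIE_NAME: token}


def check_binding(session: Session, request: Request,
                  trust_remote_addr: bool = True) -> tuple:
    """Per-page check. Returns (ok, reason). Any failure clears the session,
    which is what the FAQ's sessionerror.cfm is meant to do; the caller then
    redirects. trust_remote_addr=False skips the address test where the remote
    address is not available (the flaw the FAQ points out) and relies on the
    cookie check alone."""
    addr = session.data.get("addr")
    token = session.data.get("token")
    if addr is None or token is None:
        session.data.clear()
        return False, "session not bound"
    if trust_remote_addr and request.remote_addr != addr:
        session.data.clear()
        return False, "address mismatch"
    presented = request.cookies.get(COOKIE_NAME)
    # Constant-time comparison so the check itself leaks nothing about the token.
    if presented is None or not hmac.compare_digest(presented.encode(), token.encode()):
        session.data.clear()
        return False, "token mismatch"
    return True, "ok"


def simulate_swap() -> tuple:
    """Constructed replay of the FAQ scenario: Joe and Jon hit page1.cfm together
    and the server serves each request with the other's session. Each browser
    still presents its own address and cookie, so both requests are rejected."""
    joe_sess, jon_sess = Session(), Session()
    joe_cookie = bind_session(joe_sess, Request("192.0.2.10"))
    jon_cookie = bind_session(jon_sess, Request("192.0.2.20"))
    # Joe's request is wrongly paired with Jon's session: caught by the address check.
    joe_result = check_binding(jon_sess, Request("192.0.2.10", joe_cookie))
    # Jon's request is wrongly paired with Joe's session; with the address check
    # turned off, the cookie check still catches it.
    jon_result = check_binding(joe_sess, Request("192.0.2.20", jon_cookie),
                               trust_remote_addr=False)
    return joe_result, jon_result


if __name__ == "__main__":
    print(simulate_swap())
```

The cookie identifier is generated with secrets.token_urlsafe rather than taken from the username so that it cannot be guessed from knowledge of who the user is; the FAQ's username variant works the same way with a fixed value in place of the token.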

Developers worry about users disabling cookies. This is not such a large issue, since most sites use cookies. There are two basic types of users on the Internet: those who know so little about how the Internet works that they do not even understand cookies, and thus have no reason to disable what they don't know exists; and those who develop websites, or at least take an interest in web development, who know how important cookies are to many websites and wouldn't dare disable them.

As for browsers that don't support cookies: they are so old or so rare that they are virtually unheard of. A novice wouldn't know where to get one and wouldn't have been on the Internet long enough to still have one, and someone who knows about them wouldn't really want one. As I said, little to no risk.