Hi all,
I'm stumped and need some help. I have a CFMX7 application using J2EE session vars. A couple thousand members log into the application each day. Every few months over the last year and a half or so, we run into a problem where one user will suddenly be logged into another user's account. This has always been accidental. We haven't experienced the problem in probably 6 months and all of a sudden we got 5 separate calls about it yesterday.
We've been investigating this for a while. From what we can tell, the sessions get swapped between members that happen to be accessing the site from the same network (we save IP addresses on the transactions). Sometimes the person recognizes the other user as a coworker or a neighbor in the same building. These problems usually occur from networks that would typically have proxy servers installed.
My guess is that the proxy servers are incorrectly caching cookies (we never pass the session token in the URL). From what I understand about proxy servers, we could correct this problem by using SSL (proxies can't or won't cache encrypted pages). We tried this and it seemed to be working; however, we had to abandon the solution because it was causing problems for users accessing the site from cell phones and PDAs (many of the pages on the site are very large and when encrypted cause huge delays for these users).
Cookies are set in the HTTP response header. If my guess is right and the proxy servers are caching the cookies, my next plan of action is to append a large random number to every URL query string in the application. My thought is that even if the proxy caches the page, every request will have a different URL so the client will never be given a cached page.
What do you think? Anyone experience a similar problem? Am I on the right track? Is there a better way to solve this problem?
Thanks for your input.
--Sam
(Coincidentally, our ISP was having problems yesterday and access to our site was up and down a few times. I can't reconcile this with the hijacked sessions but I figure I should mention it anyway.)
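Added example (not code from the original post): a small Python model of a shared proxy cache that stores responses by URL alone. It shows how a cached login page can hand the first user's Set-Cookie header to the next user behind the same proxy, and how marking the response `Cache-Control: private, no-store` stops a shared cache from storing it. The URL `/login.cfm`, the cookie name JSESSIONID and the cache's behaviour are assumptions made for the simulation.

```python
"""Constructed model of a shared (proxy) cache handing one user's session
cookie to another, and of the response headers that prevent it."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Toy forward-proxy cache keyed on URL only (assumed behaviour)."""
    def __init__(self):
        self.store = {}

    @staticmethod
    def storable(resp):
        # A shared cache must not store responses marked private or no-store
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip() for d in cc.split(",")}
        return not (directives & {"private", "no-store"})

    def fetch(self, url, origin):
        if url in self.store:
            return self.store[url]  # served from cache, Set-Cookie and all
        resp = origin(url)
        if self.storable(resp):
            self.store[url] = resp
        return resp


def make_origin(mark_private):
    ids = itertools.count(1)
    def origin(url):
        # Each fresh visit to the origin gets its own session id
        headers = {"Set-Cookie": f"JSESSIONID=sess{next(ids)}; Path=/"}
        if mark_private:
            headers["Cache-Control"] = "private, no-store"
        return Response(f"welcome page for {url}", headers)
    return origin


def session_id(resp):
    return resp.headers["Set-Cookie"].split(";")[0].split("=")[1]


def simulate(mark_private):
    """Two users behind one proxy request the same login URL (assumed path);
    return the session id each browser ends up holding."""
    proxy = SharedCache()
    origin = make_origin(mark_private)
    alice = session_id(proxy.fetch("/login.cfm", origin))
    bob = session_id(proxy.fetch("/login.cfm", origin))
    return alice, bob
```

Without the directives both users end up with the same session id; with them, each gets their own. The random query string proposed in the post works only as long as every URL is unique, whereas the header tells the proxy outright not to store the response.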