
session.sessionid gets shared, how do you implement cflock on this?

Status
Not open for further replies.

ntm0n

Programmer
Jun 22, 2001
30
US
We have an application that at times allows current users on the system to gain login rights from another person logging on to the application. Basically it's grabbing someone else's login ID and security. We use the following code in the login file:

<CFLOCK Name="session.sessionid" Type="Exclusive" Timeout="10">
<CFSET Session.AdminUser = "#CheckLogin.AdminID#">
<CFSET session.AccessLevel = "#CheckLogin.AccessLevel#">
<CFSET session.AdminID = "#CheckLogin.AdminID#">
<CFSET session.Email = "#CheckLogin.Email#">
<CFSET session.OPFAC = "#CheckLogin.OPFAC#">
<CFSET session.AOR = "#CheckLogin.DETAOR#">
<CFSet session.AdminUserName = "#checkLogin.Username#">
</CFLOCK>

Any ideas on how we can stop this from happening? Should this information be incorporated in the application.cfm file instead of a single login page? Thanks in advance!

 
The purpose of the cflock tag, when used with the exclusive type to "lock" some session or application variables, is not that no other user will ever be able to access the same variable; it means that no other user can access and change it while it is locked. Once the processing is finished, the variable is free to be used by anyone who satisfies the restrictions you have put on it.

Your code looks fine and there is no error in it (at least not in this part).
Maybe you should check all the variables that you are using to set session variables (CheckLogin.DETAOR, checkLogin.Username, ...); make sure that they are all cleared after each use, so that when the next user logs in, they do not get the variables with the values that the previous user used.

hope this will help to point you in the right direction...

Sylvano
dsylvano@hotmail.com
 
If you're using ColdFusion Server 4.5 or higher, I'd recommend changing Name="session.sessionid" to SCOPE="SESSION".

<CFLOCK SCOPE="SESSION" Type="Exclusive" Timeout="10">
<CFSET SESSION.AdminUser = "#CheckLogin.AdminID#">
<CFSET SESSION.AccessLevel = "#CheckLogin.AccessLevel#">
<CFSET SESSION.AdminID = "#CheckLogin.AdminID#">
<CFSET SESSION.Email = "#CheckLogin.Email#">
<CFSET SESSION.OPFAC = "#CheckLogin.OPFAC#">
<CFSET SESSION.AOR = "#CheckLogin.DETAOR#">
<CFSET SESSION.AdminUserName = "#checkLogin.Username#">
</CFLOCK>

The problem you may be having is that every time you READ the SESSION variables you need to use <CFLOCK>, not just when setting them.

<!--- If the session doesn't exist, send them back to the login screen --->
<CFLOCK SCOPE="SESSION" Type="Read" Timeout="10">
<CFIF NOT IsDefined("Session.AdminUser")>
<CFLOCATION URL="login.cfm">
</CFIF>
</CFLOCK>

There are some techniques you can use so that you don't have to put <CFLOCK> all over the place, like copying the values into the REQUEST scope.

<!--- Include this in all files --->
<CFLOCK SCOPE="SESSION" Type="Read" Timeout="10">
<CFSET REQUEST.AdminUser = SESSION.AdminUser>
<CFSET REQUEST.AccessLevel = SESSION.AccessLevel>
<CFSET REQUEST.AdminID = SESSION.AdminID>
<CFSET REQUEST.Email = SESSION.Email>
<CFSET REQUEST.OPFAC = SESSION.OPFAC>
<CFSET REQUEST.AOR = SESSION.AOR>
<CFSET REQUEST.AdminUserName = SESSION.AdminUserName>
</CFLOCK>

Then you can script this way, without using <CFLOCK>:
<!--- If the session doesn't exist, send them back to the login screen --->
<CFIF NOT IsDefined("REQUEST.AdminUser")>
<CFLOCATION URL="login.cfm">
</CFIF>

Here's a good white paper I'd recommend reading on the proper use of SERVER, APPLICATION, and SESSION scopes with <CFLOCK>.

- tleish
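Putting tleish's two points together (lock every read of SESSION, not just the writes, and copy the values once into the per-request REQUEST scope so the rest of the application never touches SESSION directly), here is one complete Application.cfm plus the matching write side of login.cfm. This is an added example, not code from the thread or from the poster's application. It assumes the same SESSION variable names and the CheckLogin query from the original post; the application name, the index.cfm landing page and the logout.cfm exemption are placeholders.

```cfml
<!--- Application.cfm: runs before every page request.
      Added example; the application name below is a placeholder. --->
<cfapplication name="ExampleAdminApp"
               sessionmanagement="Yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- The SESSION scope is shared storage, so every READ of it is taken under a
      READONLY lock. The values are copied once into REQUEST, which belongs to
      this request alone, so no other page needs its own CFLOCK. --->
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfif IsDefined("Session.AdminUser")>
        <cfset Request.LoggedIn      = true>
        <cfset Request.AdminUser     = Session.AdminUser>
        <cfset Request.AccessLevel   = Session.AccessLevel>
        <cfset Request.AdminID       = Session.AdminID>
        <cfset Request.Email         = Session.Email>
        <cfset Request.OPFAC         = Session.OPFAC>
        <cfset Request.AOR           = Session.AOR>
        <cfset Request.AdminUserName = Session.AdminUserName>
    <cfelse>
        <cfset Request.LoggedIn = false>
    </cfif>
</cflock>

<!--- The redirect is kept outside the lock so the lock is released before the
      request ends. login.cfm and logout.cfm must stay reachable without a session. --->
<cfif NOT Request.LoggedIn
      AND NOT ListFindNoCase("login.cfm,logout.cfm", ListLast(CGI.SCRIPT_NAME, "/"))>
    <cflocation url="login.cfm" addtoken="No">
</cfif>


<!--- login.cfm (write side), after the CheckLogin query has run.
      Only a single matching row is accepted; every WRITE to SESSION is under
      an EXCLUSIVE lock, and the query columns are the ones from the original post. --->
<cfif CheckLogin.RecordCount EQ 1>
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
        <cfset Session.AdminUser     = CheckLogin.AdminID>
        <cfset Session.AccessLevel   = CheckLogin.AccessLevel>
        <cfset Session.AdminID       = CheckLogin.AdminID>
        <cfset Session.Email         = CheckLogin.Email>
        <cfset Session.OPFAC         = CheckLogin.OPFAC>
        <cfset Session.AOR           = CheckLogin.DETAOR>
        <cfset Session.AdminUserName = CheckLogin.Username>
    </cflock>
    <cflocation url="index.cfm" addtoken="No">
<cfelse>
    <cfset Request.LoginError = "Unknown user or password.">
</cfif>


<!--- logout.cfm: remove the login variables under an EXCLUSIVE lock so a stale
      value cannot survive into whoever uses this session next. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
    <cfloop list="AdminUser,AccessLevel,AdminID,Email,OPFAC,AOR,AdminUserName" index="name">
        <cfset StructDelete(Session, name)>
    </cfloop>
</cflock>
<cflocation url="login.cfm" addtoken="No">
```

With this layout the pages themselves only ever read `Request.*`, so a page that forgets to lock can no longer read or corrupt the shared scope; the lock rules are enforced in the three files above rather than in every template. Note that `StructDelete` removes only the named keys and leaves the session's own identifiers in place.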
 
I just realized I put the incorrect syntax in the <CFLOCK> tag. TYPE="READ" should be TYPE="READONLY". I just wanted to correct myself.

<CFLOCK SCOPE="SESSION" TYPE="READONLY" Timeout="10">
<CFSET REQUEST.AdminUser = SESSION.AdminUser>
<CFSET REQUEST.AccessLevel = SESSION.AccessLevel>
<CFSET REQUEST.AdminID = SESSION.AdminID>
<CFSET REQUEST.Email = SESSION.Email>
<CFSET REQUEST.OPFAC = SESSION.OPFAC>
<CFSET REQUEST.AOR = SESSION.AOR>
<CFSET REQUEST.AdminUserName = SESSION.AdminUserName>
</CFLOCK>

- tleish
 
Gentlemen, thanks for your help, and tleish, that article was very informative and cleared up my questions regarding locking. Hopefully this will clear up our problems, as I think it will. Locking was only being used on the login page (I did not write the initial program and I'm fairly new to CF). Again, thanks!

Gary
 