Suddenly logged in as someone else

drizzage

Technical User
May 4, 2004
14
US
My site has a common Application.cfm tag that checks the log-in status of each user. It saves the ID and token of each user in a cookie, or passes this information through the URL if cookies are not turned on. I think this is how it's usually done. Here is my application management tag:

<CFAPPLICATION name="UserLogin"
SETCLIENTCOOKIES="yes"
SESSIONTIMEOUT="#CreateTimespan(0,0,30,0)#"
SESSIONMANAGEMENT="yes">

I have my own log in for the site, and today have noticed several times that I was mysteriously logged in as someone else. I have to keep logging back in with my own password, and within 15 minutes or so, my log-in state has changed back to this other user again. It's always the same user. I don't know if this is a server glitch, or if someone is hacking. The site's been running for about a year, and I've never experienced this before. Does anyone have any idea how this could be happening?
 
Could be a bunch of things.

1) session variables crossing (possible but not likely)
2) you could have hard coded a certain user in a URL somewhere, so when that code is run it sets everyone to the one user.
3) your cookies aren't being set/read properly...
...
best thing to do is notice exactly when it's happening. certain pages, certain pages that use the same code... etc...

Beware of programmers who carry screwdrivers.
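One way to "notice exactly when it's happening", as an added example that is not part of any post in this thread: an audit snippet for Application.cfm that logs, per request, when the user bound to a session changes or when the same CFID/CFTOKEN pair starts arriving from a different client address. It assumes the site stores the logged-in user name in SESSION.USER (the convention used by the login code later in the thread) and that the snippet is placed after the CFAPPLICATION tag; SESSION.auditUser and SESSION.auditAddr are hypothetical names chosen here.

```cfml
<!--- Added session-audit snippet for Application.cfm (example, not the thread's code).
      Assumes SESSION.USER holds the logged-in user name; SESSION.auditUser and
      SESSION.auditAddr are bookkeeping variables introduced by this example. --->
<cfif isDefined("SESSION.USER") and len(SESSION.USER)>
    <cfset currentUser = SESSION.USER>
<cfelse>
    <cfset currentUser = "(anonymous)">
</cfif>

<!--- Remember who this session belonged to, and where it came from, on the
      previous request, then record the current values for the next one. --->
<cflock scope="SESSION" type="EXCLUSIVE" timeout="2">
    <cfif not isDefined("SESSION.auditUser")>
        <cfset SESSION.auditUser = currentUser>
        <cfset SESSION.auditAddr = CGI.REMOTE_ADDR>
    </cfif>
    <cfset previousUser = SESSION.auditUser>
    <cfset previousAddr = SESSION.auditAddr>
    <cfset SESSION.auditUser = currentUser>
    <cfset SESSION.auditAddr = CGI.REMOTE_ADDR>
    <cfset sessionId = SESSION.CFID & ":" & SESSION.CFTOKEN>
</cflock>

<!--- The two events that explain the symptom in this thread: the user bound to
      this session changed, or one session id is now used by a different client. --->
<cfif previousUser NEQ currentUser>
    <cflog file="SessionAudit" type="Warning"
           text="USER SWITCH session=#sessionId# from=#previousUser# to=#currentUser# addr=#CGI.REMOTE_ADDR# page=#CGI.SCRIPT_NAME#">
</cfif>
<cfif previousAddr NEQ CGI.REMOTE_ADDR>
    <cflog file="SessionAudit" type="Warning"
           text="ADDRESS CHANGE session=#sessionId# user=#currentUser# from=#previousAddr# to=#CGI.REMOTE_ADDR# page=#CGI.SCRIPT_NAME#">
</cfif>
```

The log file lands in the ColdFusion logs directory as SessionAudit.log. A USER SWITCH line names the page on which the session flipped, which narrows the search to the code that page runs (point 2 above); an ADDRESS CHANGE line on the same session id points at a copied or shared CFID/CFTOKEN cookie. Address changes also happen legitimately behind proxies and dial-up pools, so the snippet only logs and never ends the session.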
 
What is your login script code like? Are you wrapping your conditional statements with cflock??

I usually do this with my login script:
Code:
<cfquery name="IsValidLogin" datasource="dBName">
  SELECT *
  FROM Table1
  <!--- cfqueryparam added so the submitted values cannot alter the SQL --->
  WHERE user_name = <cfqueryparam value="#form.user_name#" cfsqltype="cf_sql_varchar">
    AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfif IsValidLogin.RecordCount EQ 0>
  <!--- no match: clear the session under an exclusive lock --->
  <cflock scope="SESSION" type="EXCLUSIVE" timeout="2">
    <cfset SESSION.LOGGEDIN = "false">
    <cfset SESSION.USER = "">
  </cflock>
  <cflocation url="no_login.cfm?action=fail">

<cfelseif form.user_name EQ 'someName'>
  <!--- administrator account --->
  <cflock scope="SESSION" type="EXCLUSIVE" timeout="2">
    <cfset SESSION.LOGGEDIN = "true">
    <cfset SESSION.USER = "#form.user_name#">
  </cflock>
  <cflocation url="Admin.cfm">

<cfelse>
  <!--- ordinary user --->
  <cflock scope="SESSION" type="EXCLUSIVE" timeout="2">
    <cfset SESSION.LOGGEDIN = "true">
    <cfset SESSION.USER = "#form.user_name#">
  </cflock>
  <cflocation url="user.cfm?user_name=#IsValidLogin.user_name#">
</cfif>

Notice the cflock statements?? The cflock ensures the integrity of shared data, so if two users log in at the same time they won't cross paths.

Take a look at faq232-3469


____________________________________
Just Imagine.
 
I had this happen to me one time. It seems that someone else's computer had a cookie for my site with the same ID and Token of my login. So, every time they logged in, their session would eventually turn into "mine". Of course, this was an extremely unusual case because the computer in question was a ghost of my computer. Anyway, you (and your user) should delete all of your cookies from your browser, and put this snip of code in your application.cfm
Code:
<!--- This section of code will expire a Session when the browser closes, and delete the cookies. --->
<!--- Re-issuing CFID/CFTOKEN with cfcookie and no EXPIRES attribute replaces the
      persistent cookies with browser-session cookies that are dropped on close. --->
<cfif isdefined("cookie.CFID") and isdefined("cookie.CFTOKEN") >
    <cfset tempCFID = cookie.CFID >
    <cfset tempCFTOKEN = cookie.cftoken >
    <cfcookie name="CFID"  value="#tempCFID#" >
    <cfcookie name="CFTOKEN"  value="#tempCFTOKEN#" >
</cfif>



Hope This Helps!

ECAR
ECAR Technologies, LLC

"My work is a game, a very serious game." - M.C. Escher
 
Thank you GUJUm0deL for the tip. My cflocks were not being set exclusively.

And thank you ECAR for the snip. Even though I don’t know exactly how it works, I will use it as well! I'm fairly new to this, and thought that as long as the cookies were only being written to RAM, they would automatically disappear when the browser closed. But I’ve noticed that many of my users retain the same ID and token between sessions. I guess this means that the cookies are persisting. I’d rather not have that happen.

Thanks again.
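Pulling the thread's three fixes together, as an added example that is not code from any poster here: an Application.cfm that stops ColdFusion writing its own persistent CFID/CFTOKEN cookies and issues browser-session cookies instead (the documented setclientcookies="no" variant of ECAR's snippet), and a login.cfm that uses a parameterized query, resets the session under an exclusive lock before binding it to the authenticated user, and does not carry the user name in the redirect URL. The datasource name, the table "Users" and its columns, and the page names are assumptions; the plain-text password comparison mirrors the thread's own login and is not a recommendation.

```cfml
<!--- Application.cfm (added example, not the thread's code). --->
<cfapplication name="UserLogin"
               sessionmanagement="yes"
               setclientcookies="no"
               sessiontimeout="#CreateTimespan(0,0,30,0)#">

<!--- ColdFusion is told not to write CFID/CFTOKEN itself. We send them as
      browser-session cookies (no EXPIRES attribute), so they are discarded when
      the browser closes instead of persisting on disk, where they can be copied
      to another machine along with the rest of a profile. --->
<cflock scope="SESSION" type="READONLY" timeout="2">
    <cfset currentCFID = SESSION.CFID>
    <cfset currentCFTOKEN = SESSION.CFTOKEN>
</cflock>
<cfif not isDefined("cookie.CFID") or cookie.CFID NEQ currentCFID
      or not isDefined("cookie.CFTOKEN") or cookie.CFTOKEN NEQ currentCFTOKEN>
    <cfcookie name="CFID" value="#currentCFID#">
    <cfcookie name="CFTOKEN" value="#currentCFTOKEN#">
</cfif>

<!--- login.cfm (added example). Table "Users" with columns user_name and
      password is an assumption; the plain-text compare mirrors the thread. --->
<cfquery name="IsValidLogin" datasource="dBName">
    SELECT user_name
    FROM   Users
    WHERE  user_name = <cfqueryparam value="#form.user_name#" cfsqltype="cf_sql_varchar">
    AND    password  = <cfqueryparam value="#form.password#"  cfsqltype="cf_sql_varchar">
</cfquery>
<cfset loginOK = (IsValidLogin.RecordCount EQ 1)>

<cflock scope="SESSION" type="EXCLUSIVE" timeout="2">
    <!--- Always start from a clean session: whatever user this session was bound
          to before (the symptom reported in this thread), it is not any more. --->
    <cfset SESSION.LOGGEDIN = "false">
    <cfset SESSION.USER = "">
    <cfif loginOK>
        <cfset SESSION.LOGGEDIN = "true">
        <!--- Bind the name the database returned, not the raw form value. --->
        <cfset SESSION.USER = IsValidLogin.user_name>
    </cfif>
</cflock>

<cfif loginOK>
    <!--- No identity in the URL: user.cfm reads SESSION.USER, so a link or
          bookmark with a hard-coded user_name can no longer switch anyone. --->
    <cflocation url="user.cfm">
<cfelse>
    <cflocation url="no_login.cfm?action=fail">
</cfif>
```

With setclientcookies="no", cflocation still appends the CFID/CFTOKEN pair to the redirect URL for browsers that refuse cookies, which preserves the existing fallback. To confirm the cookie change took, look at the site's CFID and CFTOKEN entries in the browser's cookie list: a persistent cookie shows an expiry date, a session cookie shows none.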
 