[thelist] CF Session Variables

Susan Wallace susanhw at webcastle.com
Tue Oct 2 09:20:46 CDT 2001


Raymond and Joshua,

Thanks for the help!

-*-*-*-*-*-*-*-*-*-*-*-
>Are you 100% sure that _every_ use of session vars is using locking?
-*-*-*-*-*-*-*-*-*-*-*-

I would not say 100% sure - because I have not looked at each page (yet) to 
verify.

-*-*-*-*-*-*-*-*-*-*-*-*
>Are you properly using Read/Write locks where appropriate?
-*-*-*-*-*-*-*-*-*-*-*-*

I didn't write this application, but I have looked at the code and from 
what I can tell, it looks correct. Here is one example of a lock:

<cflock name="#Session.SessionId#" timeout="20" type="READONLY">
<cfset itemnumber = Session.Basket.CurrentRow>
<cfset Product_ID = Session.Basket.Product_ID>
</cflock>

That is one place that I suspected a problem.

-*-*-*-*-*-*-*-*-*-*-*-*
Joshua asked: >>Is the personal information stored only in memory or is it
stored in the database somewhere before the point when people claim they
can see it?  If it is *only* in session variables, then the only known way
that people are seeing other people's information is if they have stolen
the session by grabbing their tokens.<<
-*-*-*-*-*-*-*-*-*-*-*-*

The personal information is stored in the database only after they have 
completed an order, and if they are a repeat customer, they have the 
ability to login so that their information is read from the database (Name, 
address, etc) so they don't have to fill out the forms again. I have 
noticed that people don't usually take advantage of that.  However, people 
were complaining that items they did not order were showing up in their 
cart, and then orders were being placed with other people's credit cards - 
which are ONLY session variables.

In what instance does "Session Stealing" occur?

-*-*-*-*-*-*-*-*-*-*-*-*
>>If personal information is in the database when people are claiming they can
see each other's data, then I would look for the user information stored in
the database under shopper id 0.<<
-*-*-*-*-*-*-*-*-*-*-*-*

At your suggestion, I looked for this, but all of the Customer information 
is correct. There are no Customers with the ID of 0 (good eye!)

-*-*-*-*-*-*-*-*-*-*-*-*
>>The zero price might have been failing somewhere and actually causing a
memory leak which might blow away some or all sessions, thus resulting in
this problem.<<
-*-*-*-*-*-*-*-*-*-*-*-*

That's what I suspected but it just seemed odd to me... I will look into 
the error handling and see if I can find anything.

-*-*-*-*-*-*-*-*-*-*-*-*
Raymond asked: >>I'd like more info. What is your setup like? Cluster, one
machine, CF version, etc.<<
-*-*-*-*-*-*-*-*-*-*-*-*

This server is NT 4.0/SP6, IIS 4 (latest patch AFAIK) and CF 4.5.1.

I don't know if it is in a cluster, but I suspect that it is set up in the 
most basic way possible... I can get specifics about the server itself if 
you think it would help.

I realize that I have a lot more to look into on my end here - I just 
wanted to bounce this around and make sure I didn't miss something obvious.

Thanks for the help!
Susan Wallace
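The read/write locking discussed above, as an added example that is not code from the original thread or from the application in question: every write to the Session scope sits inside an EXCLUSIVE lock and every read inside a READONLY lock, with the Session data copied to a local variable before it is used outside the lock. The names Session.Basket and Form.Product_ID are assumed for illustration.

```cfml
<!--- Added example (not from the original thread): session-scope locking
      pattern for a shopping cart on CF 4.5. Session.Basket and
      Form.Product_ID are assumed names, not the application's own. --->

<!--- Creating the cart writes to the Session scope: EXCLUSIVE lock. --->
<cflock scope="SESSION" timeout="10" type="EXCLUSIVE">
  <cfif NOT IsDefined("Session.Basket")>
    <cfset Session.Basket = ArrayNew(1)>
  </cfif>
</cflock>

<!--- Adding an item also modifies Session data: EXCLUSIVE lock again. --->
<cfif IsDefined("Form.Product_ID")>
  <cflock scope="SESSION" timeout="10" type="EXCLUSIVE">
    <cfset ArrayAppend(Session.Basket, Val(Form.Product_ID))>
  </cflock>
</cfif>

<!--- Reads take a READONLY lock and copy the data to a local variable,
      so that no code outside a lock ever touches the Session scope. --->
<cflock scope="SESSION" timeout="10" type="READONLY">
  <cfset cartItems = Duplicate(Session.Basket)>
</cflock>

<cfoutput>
  Items in cart: #ArrayLen(cartItems)#
</cfoutput>
```

Locking on scope="SESSION" rather than on a lock name built from Session.SessionId covers every template that uses the same lock attribute, which makes the "is every use locked?" audit a search for unlocked Session references.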