Session information leakage.


Josue Balandrano

Oct 25, 2013, 3:04:35 PM
Hello forum.
I've been noticing an issue with the login implementation that I am using for a webapp. The basic explanation of the workflow is the following:
    - User accesses the app's URL.
    - The main event has a type of "secure". This Event Type defines a broadcast message of "CheckIfLoggedIn". This message is linked to a controller's function called "isLoggedIn".
    - The controller's function basically checks if session.isLoggedIn is true; if it is not, then it will redirect the user to the login form.
    - The form will call an event called "logMeIn".
    - The event will call a controller's function, which will check the user/pass against a specific SQL table; if it is true, then it will set session.user = #username# and session.isLoggedIn = "true", all of this inside a <cflogin> tag.
    - Redirect user to the main view.

Now, this is working correctly with timeouts and the whole 9 yards. The issue is that if two or more users submit their credentials within a small window of time, then both users will end up with the same value in session.user.
E.g., if a user logs in with the username jdoe and pass jdoe123 by hitting submit on the login form, and 500 milliseconds or maybe an entire second later another user with username janed and password janed123 submits the login form, then both users will log in correctly (because both user/pass tuples are correct), but if the variable session.user is printed in both sessions it will be jdoe, or janed. The value that gets leaked changes, but both sessions will have the same username value. If one of these users inputs an incorrect username/password tuple, then the algorithm will not allow that user to log in; this only happens when both credentials are valid.

The only workaround to this issue that we've been able to use is to set the "reload" config value to "true"; that way the framework gets reloaded every time it's accessed.

Any ideas on how to further debug this issue or fix it?

Thank you.

Jim Priest

Oct 26, 2013, 8:37:51 AM
Are you wrapping the write to session.isLoggedIn with cflock?

Dan Wilson

Oct 26, 2013, 11:47:51 AM

This sounds like scope leakage.

I'm guessing you are setting some variable in your controller to a non-var-scoped value.

Put the controller code on Pastebin and email me the link.

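The two suggestions in the replies above (var-scoping inside the controller, and cflock around the session write), shown as an added example that is not code from this thread or from Model-Glue. It illustrates one way the reported symptom can arise in a controller instance shared across requests; the function names, result names and `variables.userGateway` are assumptions.

```cfml
<!--- Added example. Hypothetical controller functions: the function names, result
      names and variables.userGateway (set once at startup and read-only afterwards,
      so safe to share) are assumptions, not code from the thread. --->

<!--- BEFORE: the controller instance is shared by all requests. Without "var",
      username and isValid live in the CFC's variables scope, so two logins
      running at the same time overwrite each other's values. --->
<cffunction name="logMeInLeaky" access="public" returntype="void" output="false">
  <cfargument name="event" type="any" required="true">
  <cfset username = arguments.event.getValue("username")>
  <cfset isValid = variables.userGateway.checkCredentials(username, arguments.event.getValue("password"))>
  <!--- A concurrent request may have replaced username during the lookup above. --->
  <cfif isValid>
    <cfset session.user = username>
    <cfset session.isLoggedIn = true>
    <cfset arguments.event.addResult("loggedIn")>
  </cfif>
</cffunction>

<!--- AFTER: every per-request value is var-scoped (function-local), and the two
      session writes happen together under an exclusive session lock. --->
<cffunction name="logMeIn" access="public" returntype="void" output="false">
  <cfargument name="event" type="any" required="true">
  <cfset var username = arguments.event.getValue("username")>
  <cfset var isValid = variables.userGateway.checkCredentials(username, arguments.event.getValue("password"))>
  <cfif isValid>
    <cflock scope="session" type="exclusive" timeout="5">
      <cfset session.user = username>
      <cfset session.isLoggedIn = true>
    </cflock>
    <cfset arguments.event.addResult("loggedIn")>
  <cfelse>
    <cfset arguments.event.addResult("loginFailed")>
  </cfif>
</cffunction>
```

With the unscoped version, both logins must succeed for the shared `username` to be written into a session, which matches the observation that the mix-up appears only when both sets of credentials are valid.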

Josue Balandrano

Oct 28, 2013, 9:56:01 AM
This is interesting. I am going to try this. Thank you.