I've been noticing an issue with the login implementation that I am using for a webapp. The basic explanation of the workflow is the following:
- User accesses the app's URL.
- The main event has a type of "secure". This event type defines a broadcast message of "CheckIfLoggedIn". This message is linked to a controller function called "isLoggedIn".
- The controller function basically checks if session.isLoggedIn is true; if it is not, it redirects the user to the login form.
- The form calls an event called "logMeIn".
- The event calls a controller function, which checks the user/pass against a specific SQL table; if it matches, it sets session.user = #username# and session.isLoggedIn = "true", all of this inside a <cflogin> tag.
- Redirect the user to the main view.
Now, this is working correctly with timeouts and the whole 9 yards. The issue is that if two, or more, users submit their credentials within a small window of time, then both users will end up with the same value on session.user.
e.g. a user logs in with the username jdoe and pass jdoe123 by hitting submit on the login form, and 500 milliseconds or maybe an entire second later, another user with username janed and password janed123 submits the login form. Both users will log in correctly (because both user/pass tuples are correct), but if the variable session.user is printed in both sessions it will be jdoe, or janed. The value that gets leaked changes, but both sessions will have the same username value. If one of these users inputs an incorrect username/password tuple, then the algorithm will not allow that user to log in; this only happens when both credentials are valid.
The only workaround to this issue that we've been able to use is to set the "reload" config value to "true", so that the framework gets reloaded every time it's accessed.
Any ideas on how to further debug this issue or fix it?
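As an added example (not the poster's code) of what a controller function for the logMeIn step can look like with every local var-scoped: in CFML, an unscoped variable inside a CFC method is written to the component's variables scope, which is shared between concurrent requests when the controller instance is cached, and that is one assumed cause worth ruling out for the symptom described. The datasource, table, column names, hashing scheme and redirect URLs are assumptions.

```cfml
<cfcomponent output="false">

  <cffunction name="logMeIn" access="public" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">

    <!--- Every local is var-scoped. An unscoped variable here would land in
          this component's variables scope, shared by all requests when the
          controller is cached, so two near-simultaneous logins could overwrite
          each other's value before it is copied into session.user
          (an assumed cause, not confirmed by the original post). --->
    <cfset var userRow = "">

    <!--- Assumed datasource, table and column names; the stored value is a
          SHA-512 hash of the password, compared here via hash(). --->
    <cfquery name="userRow" datasource="appDSN">
      SELECT username
      FROM   app_users
      WHERE  username      = <cfqueryparam value="#arguments.username#" cfsqltype="cf_sql_varchar">
      AND    password_hash = <cfqueryparam value="#hash(arguments.password, 'SHA-512')#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cflogin>
      <cfif userRow.recordCount eq 1>
        <!--- cfloginuser binds the identity to this request's session only. --->
        <cfloginuser name="#userRow.username#" password="#arguments.password#" roles="user">
        <!--- Copy from the request-local query result, never from a shared scope. --->
        <cfset session.user = userRow.username>
        <cfset session.isLoggedIn = true>
      </cfif>
    </cflogin>

    <cfif structKeyExists(session, "isLoggedIn") and session.isLoggedIn>
      <!--- Assumed URL of the main view. --->
      <cflocation url="index.cfm?event=main" addtoken="false">
    <cfelse>
      <!--- Assumed URL of the login form. --->
      <cflocation url="index.cfm?event=login" addtoken="false">
    </cfif>
  </cffunction>

</cfcomponent>
```

A quick check for the shared-scope case is to dump the controller's variables scope after two concurrent logins and look for the username or query result stored there rather than in session.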