sessionInvalidate and sessionRotate do not work when sessionCluster=true


Juan Aguilar

Mar 11, 2015, 12:08:49 PM3/11/15
to lu...@googlegroups.com
Possible bug (with PCI implications):

this.sessionType = "cfml";
this.sessionCluster = true;
this.sessionStorage = "datasource_name"; // Using MySQL datasource to store sessions

sessionRotate() creates a new session (I can see a record in the datasource) but the current browsing session remains on the old session.
sessionInvalidate() doesn't have any effect on the session.

If I set:

this.sessionCluster = false;

Then the functions work as expected. However, the release notes for this.sessionCluster say:

this.sessionCluster=true: if set to true, Railo uses the storage backend for the session scope as master and Railo checks for changes in the storage backend with every request; set to false (default), the storage is only used as slave, Railo only initially gets the data from the storage. Ignored for storage type "memory".

Then both functions work as anticipated.

No problem in development but potentially a problem in production where I can't guarantee that sessions will be sticky.

There are a number of threads about issues with non-sticky sessions (though not necessarily about these functions) but no definite resolution. How sticky do my sessions need to be in order for this to not be an issue (e.g. 60 load balancer timeout)?

From a security perspective, PCI requires session rotation after login (See https://blog.anitian.com/pci-30-secure-authentication-requirement/) but it seems to me that Lucee can't support that in the scenario above.
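As an added example (not code from the original post or from the Lucee project), here is an Application.cfc that uses the configuration from the post and adds the post-login rotation step PCI asks for, together with a check that the rotation actually took effect. The application name, the onAuthenticated() and logout() functions and the log file name are assumptions; the datasource name is the placeholder from the post. The check assumes that, after sessionRotate(), session.sessionid in the current request already reflects the new session.

```cfml
// Application.cfc: configuration from the post plus session management switched on.
component {
    this.name              = "sessionRotateCheck";     // hypothetical application name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);
    this.sessionType       = "cfml";
    this.sessionCluster    = true;                     // the setting the post reports as breaking rotation
    this.sessionStorage    = "datasource_name";        // placeholder datasource name, as in the post

    // Hypothetical handler, called once the credentials have been verified elsewhere.
    // Rotates the session id (the PCI post-login step) and verifies the rotation worked.
    public boolean function onAuthenticated(required string username) {
        var idBefore = session.sessionid;              // identity of the pre-login session

        sessionRotate();                               // discard the pre-login session, issue a fresh id
        session.user = arguments.username;             // populate the session only after rotation

        // Assumption: the current request now sees the new session, so the id must differ.
        // An unchanged id is the symptom described in the post; treat it as a failed rotation
        // and log it rather than silently continuing with the pre-login session id.
        if (session.sessionid == idBefore) {
            writeLog(type="error", file="session-rotation",
                     text="sessionRotate() left the session id unchanged for user " & arguments.username);
            return false;
        }
        return true;
    }

    // Hypothetical logout handler: sessionInvalidate() must leave no usable session behind,
    // so a subsequent request with the old cookies should start from an empty session scope.
    public void function logout() {
        sessionInvalidate();
    }
}
```

The return value of onAuthenticated() gives the calling login page a way to refuse the login when the id did not change, and the error log entry is the signal to watch for on a load-balanced deployment where, as the post describes, the rotation may not take effect with sessionCluster=true.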

Jonathan van Zuijlekom

Feb 29, 2016, 5:08:11 AM2/29/16
to Lucee
Have you created a bug report for this?

Jonathan van Zuijlekom

Mar 1, 2016, 12:22:22 PM3/1/16
to Lucee