Implementing Secure Session management

Question

Recently our team decided to implement a secure session management. It is very similar to the guidelines mentioned in the article.

Session Management Guide CFML Documentation (cfdocs.org)

However, the hash stored in the cookie is not immediately updated. ie when CF reads from the cookie to verify it, it still holds the old value and logs the user out. It doesn't happen often but randomly. Especially when we there's multiple user actions in quick succession. Has any one implemented a solution similar to this? The code has been made thread safe by encapsulating in cflock block. Please advice.

BKBK · Answer

However, the hash stored in the cookie is not immediately updated. ie when CF reads from the cookie to verify it, it still holds the old value and logs the user out. It doesn't happen often but randomly. Especially when we there's multiple user actions in quick succession. Has any one implemented a solution similar to this?

By @Ann Sam

I would guess that that is an isuue familiar to anyone who has developed an application relying heavily on cookies and sessions. Some common causes of the issue are:

Cookies persisting in memory when they are no longer valid.
You need the cooperation of the client (usually a browser) when you read or write a cookie.
That might take a finite amount of time. So include code that checks the validity of the cookie just read or written.
Session not seamlessly maintained from one page request to the next.
You should log the user out - and delete his or her cookies - when a session ends or before a new session starts.
You should check for session/cookie validity at the start of every request.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded