• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Implementing Secure Session management

New Here ,
Nov 23, 2021 Nov 23, 2021

Copy link to clipboard

Copied

Recently our team decided to implement a secure session management. It is very similar to the guidelines mentioned in the article.

Session Management Guide CFML Documentation (cfdocs.org)

 

However, the hash stored in the cookie is not immediately updated. ie when CF reads from the cookie to verify it, it still holds the old value and logs the user out. It doesn't happen often but randomly. Especially when we there's multiple user actions in quick succession. Has any one implemented a solution similar to this? The code has been made thread safe by encapsulating in cflock block. Please advice.

Views

84

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 23, 2021 Nov 23, 2021

Copy link to clipboard

Copied

LATEST

However, the hash stored in the cookie is not immediately updated. ie when CF reads from the cookie to verify it, it still holds the old value and logs the user out. It doesn't happen often but randomly. Especially when we there's multiple user actions in quick succession. Has any one implemented a solution similar to this? 


By @Ann Sam

 

I would guess that that is an isuue familiar to anyone who has developed an application relying heavily on cookies and sessions. Some common causes of the issue are:

  1.  Cookies persisting in memory when they are no longer valid. 
         You need the cooperation of the client (usually a browser) when you read or write a cookie.
         That might take a finite amount of time. So include code that checks the validity of the cookie just read or written.  
  2. Session not seamlessly maintained from one page request to the next.
         You should log the user out - and delete his or her cookies -  when a session ends or before a new session starts.
         You should check for session/cookie validity at the start of every request.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation