
LDAP query returning incorrect info.

Community Beginner, Mar 06, 2012

Hello,

I have a question about using LDAP and the REMOTE_USER commands. Here's a little background. I'm developing a company intranet that uses these functions to determine user name and department. Then it displays content tailored to that user/department.

In my application file I have:


<!--- User Logged In --->
<cfset application.username = Mid(REMOTE_USER, 15, 20)>

<!--- Set Department --->
<cfinvoke component="#application.components#AD" method="get_logged_in" returnvariable="get_logged_in">
<cfquery name="my_dept" datasource="#application.dsn#">
   SELECT dept_name
   FROM departments
   WHERE ad_name = '#get_logged_in.department#'
</cfquery>
<cfset application.dept = #my_dept.dept_name#>

The username pulled from the REMOTE_USER function is used in the get_logged_in function, which is the LDAP query. From that it pulls the department, and the my_dept query maps that to a custom department table.

All this works fine, except...

Sometimes a user will be on the site, and it will be displaying the wrong user name, and hence, the wrong department. It is usually fixed by refreshing, which then usually gets the correct info. I'm not quite sure how to stop this from happening in the first place.

Any help appreciated!!

LEGEND, Mar 06, 2012

It's because you're setting the user's name in the application scope, which is shared amongst all requests. It should be in the session scope, or something user-specific like that. Similarly with application.dept. Don't set user-specific stuff in application-wide variables!

You should also parameterise your dynamic values in your query, instead of hard-coding them. This is just "as a matter of course" advice, and not specifically to do with this issue.

--

Adam

Contributor, Mar 06, 2012

I agree with Adam, all the details particular to users should go in the Session scope. Also, while setting the username in the Session, try to use CFLOCK.
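
The change both replies describe, as an added example that is not part of the original thread: per-user values move to the session scope behind CFLOCK, and the department lookup uses cfqueryparam. The application name, the timeouts and a `username` argument on `get_logged_in` are assumptions; the component, datasource, table and column names are the ones from the question.

```cfml
<!--- Application.cfm (added example, not the poster's code).
      Assumed: the application name, the timeouts, and that
      AD.get_logged_in takes a "username" argument instead of reading
      application.username. application.components and application.dsn
      are set elsewhere, as in the question. --->
<cfapplication name="intranet" sessionmanagement="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- Identity of THIS request, as supplied by the web server --->
<cfset currentUser = Mid(cgi.remote_user, 15, 20)>

<!--- Check the cached identity under a read-only session lock.
      A mismatch forces a fresh lookup, so a session can never keep
      showing a previous user's name or department. --->
<cflock scope="session" type="readonly" timeout="5">
   <cfset needsLookup = NOT StructKeyExists(session, "username")
                        OR session.username NEQ currentUser>
</cflock>

<cfif needsLookup>
   <!--- Directory and database lookups run outside the lock --->
   <cfinvoke component="#application.components#AD" method="get_logged_in"
             returnvariable="adUser">
      <cfinvokeargument name="username" value="#currentUser#">
   </cfinvoke>

   <cfquery name="my_dept" datasource="#application.dsn#">
      SELECT dept_name
      FROM departments
      WHERE ad_name = <cfqueryparam value="#adUser.department#"
                                    cfsqltype="cf_sql_varchar">
   </cfquery>

   <!--- Write both values together so no request reads a mixed pair --->
   <cflock scope="session" type="exclusive" timeout="5">
      <cfset session.username = currentUser>
      <cfset session.dept = my_dept.dept_name>
   </cflock>
</cfif>
```

Pages that previously read `application.username` and `application.dept` would read `session.username` and `session.dept` instead.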
