Hi, I recently upgraded my server to 6.2.1.122 and some very alarming things started happening.
I am getting constant reports of users being logged in as one user, and then loading the next page of my application as they browse and are suddenly logged in as someone else.
This never happened before 6.2.1.122 and no code change to my authentication has been made recently.
It's extremely alarming and it looks like it's a session leakage bug of some sort.
I am reverting back to what I was on before and will report back if the bug does or does not go away.
I’ve reverted back to 6.2.0.321 and for the past 12 hours no reports of session leakage.
Is nobody else concerned that this is a catastrophic bug for 6.2.1.122?
I wish I could provide a proof of concept but this was a real ghost in the machine situation I could not duplicate reliably. Just got reports from customers complaining about being logged in as other users unintentionally as they browse the website.
I am not able to provide a proof of concept. It was happening at random in prod and it would be very time consuming for me to create a test environment that I could use to try and reproduce it.
However, this was very real and it went away when I reverted back to 6.2.0.321.
Now I am scared to upgrade to future releases until we can figure this out.
One thing I should note is this is a legacy application using application.cfm rather than application.cfc.
Not sure if that would matter.
Let me know if you guys think of any other configuration information that would be helpful.