Hi there,
We are about to finish our migration from ACF to Lucee. But we encountered a very peculiar but serious security issue.
The scenario was that two users working remotely attempted to log in at the same time, 10ms apart. Both of them got the same session with one user’s details. We have never had this issue before in ACF. Has anyone encountered this issue before? Please advise.
This is a huge impediment for us that prevents us from moving to the next step. We are planning to lock the login process; however, that shouldn’t affect the performance.
Don’t forget to tell us about your stack!
OS: Windows Server 2022 (10.0) 64bit
Java Version: 11.0.17 (Eclipse Adoptium) 64bit
Tomcat Version: Apache Tomcat/9.0.68
Lucee Version: Lucee 5.4.1.8
The instances I’ve seen this happen with any concurrent action (not just login) would be a race condition, generally caused by a var / scoping issue (code uses the same variable across requests).
Without more information (code) it’s difficult to speculate. I’m making a guess based on my own experiences of “weird bugs” like this.
Perhaps you could post a simple CFC without your proprietary business logic?
I know some use localmode=true on functions, so the following suggestion wouldn’t be as tedious.
I tend not to write functions with this and therefore MUST be explicit.
As a general guideline, define variables inside your function with: var login = doThumbthing() or local.login = doThumbthing()
CFLint, varscoper, or another similar tool can also help reveal where you may have an oversight.
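To make the scoping point above concrete, here is an added CFML example (not code from the original poster or from the Lucee project). It assumes the CFC is instantiated once and stored in the application scope, so that every request calls the same instance; the in-memory user table and the `sleep()` are constructed stand-ins for a real user lookup and a slow step. In `loginUnsafe`, `user` is assigned without `var`/`local`, so it lives in the component’s `variables` scope, which is shared by all concurrent requests; two logins a few milliseconds apart can each end up writing the other user’s id into their own session. `loginSafe` differs only by the `var` keyword.

```cfml
component {

    // Constructed in-memory user table standing in for a real user gateway.
    variables.users = {
        "alice": { id: 1, username: "alice", password: "alice-pw" },
        "bob":   { id: 2, username: "bob",   password: "bob-pw" }
    };

    // Returns a copy of the user record on success, an empty struct otherwise.
    private struct function authenticate(required string username, required string password) {
        if (structKeyExists(variables.users, arguments.username)
            && variables.users[arguments.username].password == arguments.password) {
            return duplicate(variables.users[arguments.username]);
        }
        return {};
    }

    // BUG: "user" is not declared with var/local, so it is written to the
    // component's variables scope. With one application-scoped instance,
    // every in-flight request reads and writes this same variable.
    public struct function loginUnsafe(required string username, required string password) {
        user = authenticate(arguments.username, arguments.password);
        sleep(50); // stands in for a slow step; a second request can overwrite "user" here
        if (!structIsEmpty(user)) {
            session.userId = user.id; // may now be the OTHER request's user
        }
        return user;
    }

    // FIX: "var user" (equivalently "local.user") makes the variable private
    // to this invocation, so concurrent requests can no longer interfere.
    public struct function loginSafe(required string username, required string password) {
        var user = authenticate(arguments.username, arguments.password);
        sleep(50);
        if (!structIsEmpty(user)) {
            session.userId = user.id;
        }
        return user;
    }
}
```

Running two requests against `loginUnsafe` for `alice` and `bob` within the 50ms window can leave both sessions with the same `userId`; the same two requests against `loginSafe` always set each session from its own caller. A linter such as CFLint or varscoper flags the unscoped assignment in `loginUnsafe` directly, which is usually faster than trying to reproduce the race.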
Thanks everyone for the suggestions. It was not reproducible at all. But we couldn’t ignore that as a one-off incident. As everyone suggested, it could’ve been a bug. We noticed there’s a section of code which didn’t have an exclusive lock, and I’m not sure whether it solved it. Also we have another comprehensive session management solution we have implemented based on cfdocs, and it’s in testing now. So hopefully that should prevent it.