We are about to finish our migration from ACF to Lucee. But we encountered a very peculiar but serious security issue.
The scenario was that the 2 users working remotely attempted to login at the same time 10ms apart. And both of them got same session with one user details. We have never had this issue before in ACF. Has anyone encountered this issue before? Please advise.
This is a huge impediment for us that prevent us from moving to the next step. We are planning to lock the login process, however that shouldn’t affect the performance.
Don’t forget to tell us about your stack!
OS: Windows Server 2022 (10.0) 64bit
Java Version: 11.0.17 (Eclipse Adoptium) 64bit
Tomcat Version: Apache Tomcat/9.0.68
Lucee Version: Lucee 188.8.131.52
The instances I’ve seen this happen with any concurrent action (not just login) would be a race condition - generally caused by a var / scoping issue (code uses the same variable across requests).
Without more information (code) it’s difficult to speculate. I’m making a guess based on my own experiences of “weird bugs” like this.
Perhaps you could post a simple CFC without your proprietary business logic?
I know some use
localmode=true on functions so the following suggestion wouldn’t be as tedious
- I tend not to write functions with this and therefore MUST be explicit.
As a general guideline, define variables inside your function with:
var login = doThumbthing() or
local.login = doThumbthing()
CFLint, varscoper, or another similar tool can also help reveal where you may have an oversight.
Perhaps a bug? Not very likely. Sessions are widely used for login. So we would have seen many such issues.
I agree with @Phillyun . It is more likely that your code uses a non-session shared variable. Could you share the code?
In any case, session-scoped locks may indeed be a solution for the time being.
Thanks everyone for the suggestion. It was not reproducible at all. But we couln’t ignore that as one off incident. As everyone suggested, it could’ve been a bug. We noticed there’s a section of code which didn’t have exclusive lock and I’m not sure whether it’s solved it. Also we have another comprehensive session management solution we have implemented based on cfdocs, and it’s in testing now. So hopefully that should prevent it.
It’s also good to know, it’s not a lucee issue, otherwise as everyone has mentioned it would’ve been widely reported.