sessionInvalidate and sessionRotate do not work when sessionCluster=true

Have you created a bug report for this?

https://luceeserver.atlassian.net/projects/LDEV/issues/

On Wednesday, March 11, 2015 at 5:08:49 PM UTC+1, Juan Aguilar wrote:

Possible bug (with PCI implications):

this.sessionType = "cfml";
this.sessionCluster = true;
this.sessionStorage = "datasource_name"; // Using MySQL datasource to store sessions

*sessionRotate()* creates a new session (I can see a record in the
datasource) but the current browsing session remains on the old session.
*sessionInvalidate()* doesn’t have any effect on the session.

If I set:

this.sessionCluster = false;

Then the functions work as expected. However, the release notes for
this.sessionCluster say:

this.sessionCluster=true: if set to true, Railo uses the storage backend
for the session scope as master and Railo checks for changes in the storage
backend with every request; set to false (default), the storage is only
used as slave, Railo only initially gets the data from the storage. Ignored
for storage type “memory”.

Then both functions work as anticipated.

No problem in development but potentially a problem in production where I
can’t guarantee that sessions will be sticky.

There are a number of threads about issues with non-sticky sessions
(though not necessarily about these functions) but no definite resolution.
How sticky do my sessions need to be in order for this to not be an issue
(e.g. 60 load balancer timeout)?

From a security perspective, PCI requires session rotation after login
(See https://blog.anitian.com/pci-30-secure-authentication-requirement/)
but it seems to me that Lucee can’t support that in the scenario above.
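A deployment check for the behaviour described in the report, as an added example (not code from the thread or from Lucee): the login handler records the session id that was active before rotation, so the next request can tell whether the browser actually moved to the rotated session. The application name, the handler name and the preRotationId key are assumptions.

```cfml
// Application.cfc: the settings from the report, plus a rotation check.
// Added example, not code from the thread or from Lucee; the application
// name and the handler/key names are assumptions.
component {
    this.name = "rotation-check";
    this.sessionManagement = true;
    this.sessionType = "cfml";
    this.sessionCluster = true;
    this.sessionStorage = "datasource_name"; // MySQL datasource, as in the report

    // Call once the credentials have been verified. The id that is active
    // before rotation is stored in the session first, so sessionRotate()
    // copies it into the new session together with the rest of the data.
    public void function onLoginSuccess(required string username) {
        session.preRotationId = session.sessionid;
        sessionRotate();
        session.user = arguments.username;
    }

    // Runs on every request. On the first request after login the client
    // must present the new id; if session.sessionid still equals the id
    // recorded before rotation, the browser is still on the old session
    // (the symptom reported for sessionCluster=true) and the login is
    // not trusted.
    public boolean function onRequestStart(required string targetPage) {
        if (structKeyExists(session, "preRotationId")) {
            if (session.sessionid == session.preRotationId) {
                writeLog(type="error", file="session-rotation",
                    text="sessionRotate() had no effect; client still on " & session.sessionid);
                structDelete(session, "user");
                structDelete(session, "preRotationId");
                return false; // abort the request instead of serving it on the unrotated session
            }
            structDelete(session, "preRotationId"); // rotation confirmed
        }
        return true;
    }
}
```

With sessionCluster=true the session is re-read from the datasource on every request, so the comparison reflects what the storage backend holds, not a stale in-memory copy.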

https://luceeserver.atlassian.net/browse/LDEV-769

On Monday, February 29, 2016 at 11:08:11 AM UTC+1, Jonathan van Zuijlekom wrote:

Have you created a bug report for this?

https://luceeserver.atlassian.net/projects/LDEV/issues/
