First time I’ve seen something like this in my 20 years of development.
I have seen a similar post on here but no solution.
User A and User B
Both users have their own usernames and passwords, totally different of course
User A logs in and sees himself as User B logged in
User B logs in and sees himself as User A logged in
Both logout (not at the same time) then log back in and all normal
An hour later same thing happens
There are 80 users and only happening to two of the same.
Changed their passwords and username made no difference.
Both users are in different locations.
Windows 2019 Datacenter and Lucee 5.4.4.38
Any suggestions please?
can you reproduce the problem yourself?
you can try bumping the log level for scope to info, to see session creation logs
are you sure there’s no urls with cfid in them, maybe do a seach of your access logs?
thanks, yes there are urls with CFID in them could that be the issue? This application has been running like that for close to 10 years and never had this problem.
it’s a potential cause
I’d add suggest adding some logging which records with cfid and userId and ip address
with 6.2 we added the ability to disable reading cfid from the url to avoid this potential problem
also, doing a sessionRotate() on login and onSessionstart() and a sessionInvalidate() on logout is a good idea, but some of that stuff that was a bit problematic prior to 6.2
I did a lot of work on improving session management with 6.2
Do all of the seesion management functions/tools now work with J2EE sessions as well? I recall having to roll my own using code like getPageContext().getSession()?.invalidate() and getPageContext().getRequest().changeSessionId() in the past?