User session mixed

akos · July 25, 2025, 9:31am

First time I’ve seen something like this in my 20 years of development.
I have seen a similar post on here but no solution.
User A and User B
Both users have their own usernames and passwords, totally different of course
User A logs in and sees himself as User B logged in
User B logs in and sees himself as User A logged in
Both logout (not at the same time) then log back in and all normal
An hour later same thing happens
There are 80 users and only happening to two of the same.
Changed their passwords and username made no difference.
Both users are in different locations.
Windows 2019 Datacenter and Lucee 5.4.4.38
Any suggestions please?

Zackster · July 25, 2025, 11:34am

can you reproduce the problem yourself?

you can try bumping the log level for scope to info, to see session creation logs

are you sure there’s no urls with cfid in them, maybe do a seach of your access logs?

akos · July 25, 2025, 11:48am

thanks, yes there are urls with CFID in them could that be the issue? This application has been running like that for close to 10 years and never had this problem.

Zackster · July 25, 2025, 12:03pm

it’s a potential cause

I’d add suggest adding some logging which records with cfid and userId and ip address

with 6.2 we added the ability to disable reading cfid from the url to avoid this potential problem

also, doing a sessionRotate() on login and onSessionstart() and a sessionInvalidate() on logout is a good idea, but some of that stuff that was a bit problematic prior to 6.2

I did a lot of work on improving session management with 6.2

https://luceeserver.atlassian.net/browse/LDEV-5290

Leftbower · July 25, 2025, 5:51pm

Do all of the seesion management functions/tools now work with J2EE sessions as well? I recall having to roll my own using code like getPageContext().getSession()?.invalidate() and getPageContext().getRequest().changeSessionId() in the past?

BK_BK · August 10, 2025, 11:52am

Curious problem. My initial thoughts: is there perhaps a change or an error in how the login details of A and B are stored?
A test I would do: verify what happens when the issue occurs and just one of the users logs out.

akos · August 10, 2025, 1:22pm

Thanks for all your messages, I thought I give an update on this.
This seemed to have cured the problem.
After successfully login the user in we added:
<cfset structClear(session)>
<cfset sessionRotate()>

and then setting all the session variables

Thanks again