What does CF do when a second user attempts a doublelogin?

[BKBK]

One user is logged in. What does the Coldfusion server
do when a second user attempts to login, using the first user's
login credentials? Please give as much technical detail as you can.

[MikerRoo]

Technically, CF logs her in.

Users can log in for as many sessions as your server can handle.

It's a good thing!

[BKBK]

>... Users
Thanks. However, I meant 'one user' with multiple sessions, simultaneously.
Such sessions would, of course, contain identical session keys that come
in from cfloginuser, by virtue of loginStorage="session". The security
implications are enormous.

[MikerRoo]

I, too, was referring to one user with multiple sessions. There is no harm in
this, whatsoever, and we see it all the time here.

The login information from one session does not cross pollinate to another.

In fact the only issue is with poorly designed sites -- that track the wrong
info by session -- when the user has more than one window sharing the same
session. Then you see state pollution and the user is angry -- but there are
no security problems.

In fact, unless you can forbid the use of IE (which is a great idea, but the
boss is a slow learner), you probably can't limit the user to just one session.
Or, if you do, you'll lose customers or have coworkers demanding your head
(justifiably).

If you really want that much control, just buy ankle bracelets and be done
with it.
:heart;

[BKBK]

>... login information from one session does not cross pollinate to another

>... there are no security problems

I don't think this is correct. You ignore the issue of identical login
credentials,
which is actually the main motivation behind my post. Assume that this forum
is on the same server as Macromedia Sales. If, while you're logged in at this
forum, typing away, someone else simultaneously buys CFMX7, using your
login information. Are you saying there are no security problems there? Then
you go for that appointment with your bank manager. He proceeds to explain
to you how the new e-banking services work. Finally, he logs you in for a
demo.
During the demo someone logs into your account [N.B.: identical login
credentials].
You still see no security problems?

[Neculai Macarie]

> >... login information from one session does not cross pollinate to
another

> >... there are no security problems

> I don't think this is correct. You ignore the issue of identical login
> credentials,
> which is actually the main motivation behind my post. Assume that this

forum

> is on the same server as Macromedia Sales. If, while you're logged in at

this

> forum, typing away, someone else simultaneously buys CFMX7,

That someone else would have to have control of your cookies, which usually
means that he's on the same psyhical computer as you are.

using your

> login information. Are you saying there are no security problems there?

Then

> you go for that appointment with your bank manager. He proceeds to

explain

> to you how the new e-banking services work. Finally, he logs you in for a
> demo.
> During the demo someone logs into your account [N.B.: identical login
> credentials].
> You still see no security problems?

I don't see a security issue... he must access the account from your
computer, it would not work if he goes to another computer and tries to log
in...

--
<mack />