
ColdFusion Session issue - multiple users behind one proxy IP -- cftoken and cfid seem to be shared

I have an application that uses ColdFusion's session management (instead of the J2EE session management).

We have one client, who has recently switched their company's traffic to us to come via a proxy server in their network.

So, to our ColdFusion server, it appears that all traffic is coming from this one IP address, for all of the accounts of this one company.

Of the session variables, Part 1 is kept in a cflock, and Part 2 is kept in editable session variables. I may be misunderstanding, but we have done it this way as we modify some values as needed throughout the application's usage.

We are now running into an issue of this client having their session variables mixed up (?). We have one case where we set a timestamp, and when it comes time to look it up, it's empty. From the looks of it, this is happening because of another user on the same token.

My initial thoughts are to look into modifying our existing session management to somehow generate a unique cftoken/cfid, or to start using jsession_ID, if this solves the problem at all.

I have done some basic research on this issue and couldn't find anything similar, so I thought I'd ask here.

Thanks!


I've run into similar problems on and off for years.

JSession cookies seem to help (no hard data on that) but one solution that I've implemented repeatedly is using no-cache and cache expiry headers on every page.

http://www.bpurcell.org/blog/index.cfm?entry=1075&mode=entry gives some specifics on how to implement this.

In extreme cases, we've been forced to pass the token and cfid in the links/forms, but that is a PITA to implement, so I'd try the cache expiry/prevention solution first.
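To confirm that the no-cache and cache-expiry headers from the answer above are really present on every response that issues CFID/CFTOKEN (or JSESSIONID), the following added example, which is not part of the original answers, audits captured response headers. The function names and the sample header lists are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIES = ("cfid", "cftoken", "jsessionid")
BLOCKING = {"no-store", "no-cache", "private"}  # stop a shared cache reusing the reply

# Constructed sample responses as (header name, value) pairs.
LEAKY = [("Content-Type", "text/html"),
         ("Set-Cookie", "CFID=1234; path=/"),
         ("Set-Cookie", "CFTOKEN=56789012; path=/"),
         ("Expires", "Fri, 01 Jan 2100 00:00:00 GMT")]
HARDENED = [("Set-Cookie", "CFID=1234; path=/"),
            ("Cache-Control", "no-store, no-cache, must-revalidate"),
            ("Pragma", "no-cache"),
            ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")]

def cache_directives(headers):
    """Lower-cased Cache-Control directive names across all such headers."""
    value = ",".join(v for k, v in headers if k.lower() == "cache-control")
    return {d.split("=")[0].strip().lower() for d in value.split(",") if d.strip()}

def session_cookies_set(headers):
    """Names of session cookies issued by Set-Cookie in this response."""
    names = [v.split("=", 1)[0].strip().lower()
             for k, v in headers if k.lower() == "set-cookie"]
    return [n for n in names if n in SESSION_COOKIES]

def expires_in_future(headers, now):
    for k, v in headers:
        if k.lower() == "expires":
            try:
                return parsedate_to_datetime(v) > now
            except (TypeError, ValueError):
                return False  # invalid dates such as "0" count as already expired
    return False

def audit(headers, now=None):
    """Return findings; an empty list means no cacheable session cookie was seen."""
    now = now or datetime.now(timezone.utc)
    if not session_cookies_set(headers):
        return []  # nothing session-related to leak through a cache
    directives, findings = cache_directives(headers), []
    if not (BLOCKING & directives):
        findings.append("session cookie set without no-store/no-cache/private")
    if "public" in directives:
        findings.append("Cache-Control: public alongside a session cookie")
    if expires_in_future(headers, now):
        findings.append("Expires is in the future")
    return findings
```

Feed it the headers of each page type as seen from behind the client's proxy; any non-empty result marks a response the proxy is permitted to store together with its session cookie.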


As far as I know, there are no "cons" in using J2EE session variables, unless you really need the session to be active after the user closes the browser. I think you should try it and see how the application behaves with it, and see if that saves you the trouble of refactoring.

To be sure that you are using all other settings, try this:

<cfdump var="#APPLICATION.GetApplicationSettings()#" label="Application settings" />

If you have sessionmanagement and client cookies turned on, everything is fine, so try J2EE session variables.
