Beware maintaining Customer Balance Information in ColdFusion's Traditional Sessions
If you are working with logged-in users, ColdFusion has an excellent method of maintaining client information in session variables. However, beware of session independence between different browsers when using traditional ColdFusion session variables (CFID & CFSESSION). When a session variable is updated in one browser, it is not automatically updated in other browsers. This is not a big deal if the variable doesn't change much, such as the user's email, name, or even ID number.
On the other hand, if the variable contains information that is business critical or updated frequently, such as account balances or time logged, CF 'vanilla' session variables (where the session ID is determined by CF administrator) may not be the proper place to store information that will be relied upon.
If a user uses two computers, both logged in at the same time, or two different users log in with the same account information simultaneously, we already realize that frequently updated information may lag and not reflect actual values, because activity in each session updates its own session variables without regard to the other session. The same phenomenon occurs when a user uses a single computer and logs in using two different browsers (IE and FF, for example). The sessions are independent of each other. Any session variable that gets updated in one session will not be reflected in the other session.
An example is this:
What happens next? Willy Jo has downloaded 15 songs in FF and is now broke. However, since his IE balance is at $12, does he have the ability to download more in IE? He does IF the webpage relies solely on the session variable 'balance' for determining whether or not Willy Jo has any money in his account.
For frequently updated information, loading a session variable is a quick method of retrieving information, but as a developer, you'll have to be aware of the pitfalls.
How can you avoid this issue? Plan for it. When the information is frequently updated, it may be worth considering whether the information fits as a session or client variable at all. If so, then any user activity that depends on that session information must also be verified against the data in the table. If the user's balance is kept at the top corner of each page of the site, then sure, a session variable would be great to reduce database calls for each page. But each time Willy Jo wants to download a song, the application would then retrieve the actual balance of the moment from the table (and update the session variable if need be).
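The Willy Jo scenario, as an added example that is not ColdFusion code and not from the original post. It models the two browser sessions as Python dicts and the accounts table with an in-memory SQLite database. The table layout, the function names and the 80-cent song price are assumptions, and folding the balance check and the debit into one conditional UPDATE is a choice made here.

```python
import sqlite3

PRICE = 80  # cents per song; constructed so that 15 songs cost exactly $12

def open_store():
    """In-memory stand-in for the site's accounts table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user_id TEXT PRIMARY KEY, cents INTEGER)")
    db.execute("INSERT INTO accounts VALUES ('willyjo', 1200)")
    return db

def table_balance(db, user_id):
    row = db.execute("SELECT cents FROM accounts WHERE user_id = ?", (user_id,))
    return row.fetchone()[0]

def login(db, user_id):
    """Each browser gets its own session, seeded from the table at login."""
    return {"user_id": user_id, "balance": table_balance(db, user_id)}

def download_trusting_session(db, session):
    """Flawed: authorizes from the session copy, which other sessions never touch."""
    if session["balance"] < PRICE:
        return False
    session["balance"] -= PRICE
    db.execute("UPDATE accounts SET cents = cents - ? WHERE user_id = ?",
               (PRICE, session["user_id"]))
    return True

def download_verified(db, session):
    """Authorizes against the table, then refreshes the session copy for display."""
    cur = db.execute(
        "UPDATE accounts SET cents = cents - ? WHERE user_id = ? AND cents >= ?",
        (PRICE, session["user_id"], PRICE))
    session["balance"] = table_balance(db, session["user_id"])
    return cur.rowcount == 1

def scenario(download):
    """Willy Jo buys 15 songs in FF, then tries one more in IE."""
    db = open_store()
    ff, ie = login(db, "willyjo"), login(db, "willyjo")
    for _ in range(15):
        download(db, ff)
    allowed_in_ie = download(db, ie)
    return allowed_in_ie, table_balance(db, "willyjo"), ie["balance"]

if __name__ == "__main__":
    print("session only:", scenario(download_trusting_session))
    print("table checked:", scenario(download_verified))
```

Each result is (download allowed in IE, balance in the table, balance held in the IE session), all in cents.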
