librelist archives

Weird user cookie switching problem?

From:
Matthew Hoopes
Date:
2012-08-12 @ 14:34
OK, please let me start by saying this is strange. I have a flask
application in production, with nginx in front of it, proxying to port
8000, where gunicorn is running. (internet -> nginx -> gunicorn -> flask)
Gunicorn is running with regular old workers, not gevent or anything
special.

I have user A in Connecticut, and users B and C in Massachusetts. I don't
yet have a definite timeline on these events, but it's something like:
1) User A is logged in
2) User B logs in, and things are fine
3) Sometime during user B's session, they flip to being logged in as user
A, and remain that way until they log out and back in again.

(this has happened exactly once for users B and C, which is why I'm
actually taking it seriously)

For the record, I'm currently using Flask-Login for user session
management, with no real modifications.

This currently has me stumped. I've written a script that logs in as each
user, and gets a page 10000 times. Each time, it checks to make sure their
name is displayed correctly (the flag I'm using to make sure they are still
logged in as themselves). This error never occurs.

This is obviously pointing to:
1) some insane user error, even though they work in different offices
2) some crazy thing I'm doing, although it's a pretty straightforward app so
far
3) some even crazier thing with threads in nginx/gunicorn (???)

Even though this is most likely my fault - where should I start to look to
try to track down if this is even happening? Has anyone ever seen anything
remotely like this before?

Thanks for any ideas in advance! Will update with any new information...

Re: [flask] Weird user cookie switching problem?

From:
Live Flex
Date:
2012-08-12 @ 18:51
I'd start by tracking original_user_id (this is the user_id that they
originally log in with), and current_user_id. If they don't match, then
immediately kill the session and force the user to log in again. This at
least gives you immediate protection, and also gives you an event to track.

I'd then start to build in logging to see if there is any pattern as to
what the app is doing when this event occurs. Is it a specific URI that
they are accessing? Or posting to something specific? Etc, etc.

Search your entire app for all instances of "user_id" (or however you track
the current user). Go through it with a fine-tooth comb to make sure that
you are not setting it manually or incorrectly somewhere.

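The session pinning, forced logout and event logging this reply describes, as an added example that is not code from the thread or from Flask-Login. The session key name `original_user_id`, the `login` endpoint name and the `before_request` wiring are assumptions; the check itself is plain Python so it can be exercised with a dict standing in for the Flask session.

```python
import logging
from typing import MutableMapping, Optional

log = logging.getLogger("session_pin")

# Session key holding the user id first seen in this session (assumed name).
PIN_KEY = "original_user_id"


def check_session_pin(session: MutableMapping, current_user_id: Optional[str],
                      path: str, remote_addr: str) -> str:
    """Pin the session to the first user id seen in it and detect later drift.

    Returns "anonymous", "pinned", "ok" or "mismatch". On "mismatch" the
    session is cleared so the caller can force a fresh login, and the event
    is logged with enough context (URI, client address) to look for a pattern.
    """
    if current_user_id is None:
        return "anonymous"
    original = session.get(PIN_KEY)
    if original is None:
        session[PIN_KEY] = current_user_id
        return "pinned"
    if original == current_user_id:
        return "ok"
    log.error("session user drift: original=%s current=%s path=%s remote=%s",
              original, current_user_id, path, remote_addr)
    session.clear()
    return "mismatch"


def reset_session_pin(session: MutableMapping) -> None:
    """Call this from the logout view; otherwise a legitimate re-login as a
    different user in the same browser would be reported as drift."""
    session.pop(PIN_KEY, None)


def register_session_pin(app, login_endpoint: str = "login") -> None:
    """Wire the check into a Flask app as a before_request hook. Assumes
    Flask-Login is installed and exposes current_user.is_authenticated as a
    property (current releases do; very old ones made it a method)."""
    @app.before_request
    def _enforce_pin():
        from flask import session, request, redirect, url_for
        from flask_login import current_user, logout_user
        uid = current_user.get_id() if current_user.is_authenticated else None
        result = check_session_pin(session, uid, request.path, request.remote_addr)
        if result == "mismatch":
            logout_user()  # also marks the remember-me cookie for removal
            return redirect(url_for(login_endpoint))
```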

Re: [flask] Weird user cookie switching problem?

From:
Matthew Hoopes
Date:
2012-08-14 @ 20:52
Thanks very much for your response!

In case people google this in the future, we still haven't tracked this
down, and still have no idea what's happening. Our current best guess is
our customer has a huge network, and there might be something wacky going
on with their squid caching. Just a guess, but who knows. We can't
replicate it in the dev environment though.

Thanks again!
