librelist archives

« back to archive

Session swapping issue on Apache

Session swapping issue on Apache

From:
Dong Tao
Date:
2012-09-07 @ 18:46
Hi, 
I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
issue that user sessions were randomly swapped, i.e. I suddenly found 
myself logged in as a different user. This problem doesn't exist when I 
was running the Flask dev server.
I found a similar question asked in March, 2010 by Ron DuPlain at 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681
However, the thread doesn't say how the problem is solved, if at all. Has 
anyone else ran into this? What did you do to fix it?
Thanks for your help!
Tao
  		 	   		  

Re: [flask] Session swapping issue on Apache

From:
Kerem Ulutaş
Date:
2012-09-07 @ 19:02
Are you using Flask-Login extension? I am using it and wondering if this is
related to Flask-Login.

Btw another thread about this weird problem is this:

http://flask.pocoo.org/mailinglist/archive/2012/8/12/weird-user-cookie-switching-problem/

2012/9/7 Dong Tao <tao.dong@outlook.com>

> Hi,
>
> I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
> issue that user sessions were randomly swapped, i.e. I suddenly found
> myself logged in as a different user. This problem doesn't exist when I was
> running the Flask dev server.
>
> I found a similar question asked in March, 2010 by Ron DuPlain at
> 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681However,
the thread doesn't say how the problem is solved, if at all. Has
> anyone else ran into this? What did you do to fix it?
>
> Thanks for your help!
>
> Tao
>
>
>



-- 

Blog'umu okudunuz mu? http://www.ulutas.gen.tr

The box said "Requires Windows 95, NT, or better", so I installed Linux.

Re: [flask] Session swapping issue on Apache

From:
Dong Tao
Date:
2012-09-07 @ 19:33
No, I'm not using any extension to manage sessions and login-process, just
the built-in session object. Since this never happend in the dev 
environment for me, I feel this has something to do with the interactions 
between mod_wsig and the built-in session management in Flask. Very 
frustrating. 
Date: Fri, 7 Sep 2012 22:02:46 +0300
From: 1151986@gmail.com
Subject: Re: [flask] Session swapping issue on Apache
To: flask@librelist.com

Are you using Flask-Login extension? I am using it and wondering if this 
is related to Flask-Login.
Btw another thread about this weird problem is this: 

http://flask.pocoo.org/mailinglist/archive/2012/8/12/weird-user-cookie-switching-problem/


2012/9/7 Dong Tao <tao.dong@outlook.com>




Hi, 
I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
issue that user sessions were randomly swapped, i.e. I suddenly found 
myself logged in as a different user. This problem doesn't exist when I 
was running the Flask dev server.

I found a similar question asked in March, 2010 by Ron DuPlain at 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681
However, the thread doesn't say how the problem is solved, if at all. Has 
anyone else ran into this? What did you do to fix it?

Thanks for your help!
Tao
  		 	   		  


-- 

Blog'umu okudunuz mu? http://www.ulutas.gen.tr

The box said "Requires Windows 95, NT, or better", so I installed Linux.


 		 	   		  

Re: [flask] Session swapping issue on Apache

From:
Kerem Ulutaş
Date:
2012-09-07 @ 19:47
I think it is not related to mod_wsgi, you can eliminate that part. Apache
or Nginx, Gunicorn or mod_wsgi - both sets can have this issue. Consider
Flask-Login and not using it, I have a hunch that it is related to Flask
pickle'ing the session into cookies.

Lucky that you are not using Flask-Login (which needs a little update
before using this) - try using  this snippet
http://flask.pocoo.org/snippets/51/ - I guess you can't reproduce the issue
but test it for a while and tell us if you encountered the same again.

This is all I can suggest, so good luck.

2012/9/7 Dong Tao <tao.dong@outlook.com>

> No, I'm not using any extension to manage sessions and login-process, just
> the built-in session object. Since this never happend in the dev
> environment for me, I feel this has something to do with the interactions
> between mod_wsig and the built-in session management in Flask.
> Very frustrating.
>
> ------------------------------
> Date: Fri, 7 Sep 2012 22:02:46 +0300
> From: 1151986@gmail.com
> Subject: Re: [flask] Session swapping issue on Apache
> To: flask@librelist.com
>
>
> Are you using Flask-Login extension? I am using it and wondering if this
> is related to Flask-Login.
>
> Btw another thread about this weird problem is this:
> 
http://flask.pocoo.org/mailinglist/archive/2012/8/12/weird-user-cookie-switching-problem/
>
> 2012/9/7 Dong Tao <tao.dong@outlook.com>
>
> Hi,
>
> I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
> issue that user sessions were randomly swapped, i.e. I suddenly found
> myself logged in as a different user. This problem doesn't exist when I was
> running the Flask dev server.
>
> I found a similar question asked in March, 2010 by Ron DuPlain at
> 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681However,
the thread doesn't say how the problem is solved, if at all. Has
> anyone else ran into this? What did you do to fix it?
>
> Thanks for your help!
>
> Tao
>
>
>
>
>
>
> --
>
> Blog'umu okudunuz mu? http://www.ulutas.gen.tr
>
> The box said "Requires Windows 95, NT, or better", so I installed Linux.
>



-- 

Blog'umu okudunuz mu? http://www.ulutas.gen.tr

The box said "Requires Windows 95, NT, or better", so I installed Linux.

Re: [flask] Session swapping issue on Apache

From:
Dong Tao
Date:
2012-09-07 @ 19:59
Will try. Thanks!

Date: Fri, 7 Sep 2012 22:47:03 +0300
From: 1151986@gmail.com
Subject: Re: [flask] Session swapping issue on Apache
To: flask@librelist.com

I think it is not related to mod_wsgi, you can eliminate that part. Apache
or Nginx, Gunicorn or mod_wsgi - both sets can have this issue. Consider 
Flask-Login and not using it, I have a hunch that it is related to Flask 
pickle'ing the session into cookies.

Lucky that you are not using Flask-Login (which needs a little update 
before using this) - try using  this snippet 
http://flask.pocoo.org/snippets/51/ - I guess you can't reproduce the 
issue but test it for a while and tell us if you encountered the same 
again. 

This is all I can suggest, so good luck. 

2012/9/7 Dong Tao <tao.dong@outlook.com>




No, I'm not using any extension to manage sessions and login-process, just
the built-in session object. Since this never happend in the dev 
environment for me, I feel this has something to do with the interactions 
between mod_wsig and the built-in session management in Flask. Very 
frustrating. 

Date: Fri, 7 Sep 2012 22:02:46 +0300
From: 1151986@gmail.com
Subject: Re: [flask] Session swapping issue on Apache
To: flask@librelist.com


Are you using Flask-Login extension? I am using it and wondering if this 
is related to Flask-Login.
Btw another thread about this weird problem is this: 

http://flask.pocoo.org/mailinglist/archive/2012/8/12/weird-user-cookie-switching-problem/



2012/9/7 Dong Tao <tao.dong@outlook.com>




Hi, 
I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
issue that user sessions were randomly swapped, i.e. I suddenly found 
myself logged in as a different user. This problem doesn't exist when I 
was running the Flask dev server.


I found a similar question asked in March, 2010 by Ron DuPlain at 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681
However, the thread doesn't say how the problem is solved, if at all. Has 
anyone else ran into this? What did you do to fix it?


Thanks for your help!
Tao
  		 	   		  


-- 

Blog'umu okudunuz mu? http://www.ulutas.gen.tr

The box said "Requires Windows 95, NT, or better", so I installed Linux.



 		 	   		  


-- 

Blog'umu okudunuz mu? http://www.ulutas.gen.tr

The box said "Requires Windows 95, NT, or better", so I installed Linux.


 		 	   		  

Re: [flask] Session swapping issue on Apache

From:
Live Flex
Date:
2012-09-07 @ 23:03
As you have seen, you are not the first person to find this issue.

I'm of the opinion that session data should not be stored client side. I
know that not everyone agrees with this, but it would be interesting to see
if its repeatable using something like redis sessions.

On Fri, Sep 7, 2012 at 8:59 PM, Dong Tao <tao.dong@outlook.com> wrote:

> Will try. Thanks!
>
> ------------------------------
> Date: Fri, 7 Sep 2012 22:47:03 +0300
>
> From: 1151986@gmail.com
> Subject: Re: [flask] Session swapping issue on Apache
> To: flask@librelist.com
>
> I think it is not related to mod_wsgi, you can eliminate that part. Apache
> or Nginx, Gunicorn or mod_wsgi - both sets can have this issue. Consider
> Flask-Login and not using it, I have a hunch that it is related to Flask
> pickle'ing the session into cookies.
>
> Lucky that you are not using Flask-Login (which needs a little update
> before using this) - try using  this snippet
> http://flask.pocoo.org/snippets/51/ - I guess you can't reproduce the
> issue but test it for a while and tell us if you encountered the same
> again.
>
> This is all I can suggest, so good luck.
>
> 2012/9/7 Dong Tao <tao.dong@outlook.com>
>
> No, I'm not using any extension to manage sessions and login-process, just
> the built-in session object. Since this never happend in the dev
> environment for me, I feel this has something to do with the interactions
> between mod_wsig and the built-in session management in Flask.
> Very frustrating.
>
> ------------------------------
> Date: Fri, 7 Sep 2012 22:02:46 +0300
> From: 1151986@gmail.com
> Subject: Re: [flask] Session swapping issue on Apache
> To: flask@librelist.com
>
>
> Are you using Flask-Login extension? I am using it and wondering if this
> is related to Flask-Login.
>
> Btw another thread about this weird problem is this:
> 
http://flask.pocoo.org/mailinglist/archive/2012/8/12/weird-user-cookie-switching-problem/
>
> 2012/9/7 Dong Tao <tao.dong@outlook.com>
>
> Hi,
>
> I was running Flask on Apache2 with Mod_WSGI 3.3, and I ran into a strange
> issue that user sessions were randomly swapped, i.e. I suddenly found
> myself logged in as a different user. This problem doesn't exist when I was
> running the Flask dev server.
>
> I found a similar question asked in March, 2010 by Ron DuPlain at
> 
http://flask.pocoo.org/mailinglist/archive/2012/3/9/session-swapping-running-flask-in-apache/#9d7db229c98c40360f4bcee028ae2681However,
the thread doesn't say how the problem is solved, if at all. Has
> anyone else ran into this? What did you do to fix it?
>
> Thanks for your help!
>
> Tao
>
>
>
>
>
>
> --
>
> Blog'umu okudunuz mu? http://www.ulutas.gen.tr
>
> The box said "Requires Windows 95, NT, or better", so I installed Linux.
>
>
>
>
> --
>
> Blog'umu okudunuz mu? http://www.ulutas.gen.tr
>
> The box said "Requires Windows 95, NT, or better", so I installed Linux.
>

Re: [flask] Session swapping issue on Apache

From:
Lars Hansson
Date:
2012-09-16 @ 08:27
Perhaps using the better client-side sessions will fix it?
http://flask.pocoo.org/snippets/51/

Cheers,
Lars

Re: [flask] Session swapping issue on Apache

From:
Dong Tao
Date:
2012-09-16 @ 17:15
This problem appears to be gone, since I switched to the better 
client-side sessions described in the snippet.
Thanks,
Tao 

> Date: Sun, 16 Sep 2012 16:27:52 +0800
> From: romabysen@gmail.com
> Subject: Re: [flask] Session swapping issue on Apache
> To: flask@librelist.com
> 
> Perhaps using the better client-side sessions will fix it?
> http://flask.pocoo.org/snippets/51/
> 
> Cheers,
> Lars