[Grok-dev] Strange session / security problem with Grok 0.14

Ivo van der Wijk vladdrac at gmail.com
Sun Jan 11 06:40:29 EST 2009


One of my apps recently got deployed in production and we're
experiencing a strange security issue. It's as if people can randomly
(unwillingly) take over each others session. There's no reliable/easy
way to reproduce this so it's very hard to debug.

If I understand correctly, the zope3_cs_xxxx cookie is the zope3
session cookie. If two (or perhaps more) different, concurrent users
are logged in, under hard to reproduce conditions, one user seems to
get the other user's cookie and becomes logged in as the other user.
Logging out will also log out the other user.

I have implemented my own principalfolder but I leave the
login/logout/session stuff to the standard Zope3 machinery. There's no
specific caching or ZEO setup being used.

All data (and users) managed by the application is stored in an RDBMS.
No data is stored in the ZODB (except for some session data it seems,
but that's not explicitly done by my application).

Has anyone seen such behaviour before? Does anyone know what might cause this?



Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl Web: http://m3r.eu/
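The symptom reported above (one `zope3_cs_*` session cookie being presented by two different logged-in users) is easiest to confirm from request logs rather than by trying to reproduce it interactively. The following is an added audit helper, not code from the post or from Grok/Zope: it assumes the application logs each request as a constructed line `timestamp sid=<cookie id> principal=<principal id>`, and it flags every session id that turns up under more than one non-anonymous principal, plus the first request where the crossover happened. The log lines, cookie ids and principal names are constructed sample data.

```python
"""Audit helper: detect a session cookie shared between principals.

Added example, not Grok/Zope code. Assumes a constructed per-request
log line of the form:  <timestamp> sid=<session cookie id> principal=<id>
"""
from collections import defaultdict
import re

# Constructed log format; the session id is the value of the zope3_cs_* cookie.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) principal=(?P<principal>\S+)$")

# Constructed sample log: session abc123 is first used by alice, then by bob.
SAMPLE_LOG = """\
2009-01-11T06:40:01 sid=zope3_cs_abc123 principal=alice
2009-01-11T06:40:05 sid=zope3_cs_def456 principal=bob
2009-01-11T06:40:09 sid=zope3_cs_abc123 principal=alice
2009-01-11T06:40:12 sid=zope3_cs_abc123 principal=bob
2009-01-11T06:40:15 sid=zope3_cs_def456 principal=bob
2009-01-11T06:40:20 sid=zope3_cs_ghi789 principal=anonymous
"""


def parse_log(text):
    """Parse log text into (timestamp, sid, principal) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append((m.group("ts"), m.group("sid"), m.group("principal")))
    return events


def shared_sessions(events):
    """Return {sid: [principals in first-seen order]} for every session id
    that was presented by more than one authenticated principal.
    Anonymous requests are ignored: a session legitimately goes from
    anonymous to a principal at login."""
    seen = defaultdict(list)
    for _ts, sid, principal in events:
        if principal == "anonymous":
            continue
        if principal not in seen[sid]:
            seen[sid].append(principal)
    return {sid: ps for sid, ps in seen.items() if len(ps) > 1}


def first_crossover(events):
    """Return (ts, sid, previous_principal, new_principal) for the first
    request in which an authenticated session id switched principal,
    or None if no crossover occurred."""
    owner = {}
    for ts, sid, principal in events:
        if principal == "anonymous":
            continue
        prev = owner.get(sid)
        if prev is not None and prev != principal:
            return (ts, sid, prev, principal)
        owner[sid] = principal
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, principals in shared_sessions(evs).items():
        print("session %s seen under principals %s" % (sid, ", ".join(principals)))
    print("first crossover:", first_crossover(evs))
```

Running this against real logs narrows the problem to a timestamp and a pair of principals, which is what is needed to correlate with the concurrent requests that were in flight when the session changed hands; the same check can also be run continuously as an alert on a production log stream.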
