[Grok-dev] Strange session / security problem with Grok 0.14

Martijn Faassen faassen at startifact.com
Mon Jan 12 09:59:03 EST 2009


Hi there,

Ivo van der Wijk wrote:
[snip]
> Has anyone seen such behaviour before? Does anyone know what might cause this?

New to me, and pretty scary-sounding. That said I haven't had much 
experience with public-facing authentication setups for Grok yet. Still 
you'd think the Zope 3 community would by now - you might want to ask on 
zope-dev if you haven't already.

Replying to your later post: it shouldn't matter whether it's Grok 0.13 
or Grok 0.14 as far as I can see.

> If I understand correctly, the zope3_cs_xxxx cookie is the zope3
> session cookie. If two (or perhaps more) different, concurrent users
> are logged in, under hard to reproduce conditions, one user seems to
> get the other user's cookie and becomes logged in as the other user.
> Logging out will also logout the other user.

The cookie *value* is actually identical? Weird. The cookie name being 
identical seems to be normal when I read the zope.session code even 
though it's generated from the current time. Perhaps to invalidate 
sessions on a server restart - not sure.

Regards,

Martijn
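The symptom described in this thread (two concurrent users presenting the same session cookie value, and one logout ending both sessions) is something a site operator can check for in request logs. The script below is an added example, not code from this thread or from zope.session: it scans a constructed log format (timestamp, session cookie name=value, authenticated user, request) and reports any session value that was presented by more than one distinct user, which should never happen for correctly issued sessions. The log layout and the cookie name suffix are assumptions made for the example.

```python
"""Flag session cookie values shared by more than one authenticated user.

Added example for the Grok-dev thread; not zope.session code. The log
line layout below is a constructed assumption, not a real Zope format.
"""
import re
from collections import defaultdict

# Constructed sample log: the third line shows bob presenting alice's
# session value (abc123), the symptom reported in the thread.
SAMPLE_LOG = """\
2009-01-12T09:00:01 zope3_cs_49d2a8=abc123 user=alice GET /
2009-01-12T09:00:03 zope3_cs_49d2a8=def456 user=bob GET /
2009-01-12T09:00:05 zope3_cs_49d2a8=abc123 user=bob GET /logout
2009-01-12T09:00:07 zope3_cs_49d2a8=abc123 user=alice GET /
"""

# Cookie name prefix follows the zope3_cs_... pattern mentioned in the
# thread; the hex suffix here is made up for the sample.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<cookie>zope3_cs_[0-9a-f]+)=(?P<sid>\S+)"
    r"\s+user=(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)"
)


def parse(log_text):
    """Yield (timestamp, cookie_name, session_value, user) per parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("cookie"), m.group("sid"), m.group("user")


def shared_sessions(log_text):
    """Return {session_value: sorted distinct users} for every session
    value that was presented by more than one authenticated user."""
    users_by_sid = defaultdict(set)
    for _ts, _cookie, sid, user in parse(log_text):
        users_by_sid[sid].add(user)
    return {sid: sorted(users) for sid, users in users_by_sid.items()
            if len(users) > 1}


def first_crossover(log_text):
    """Return (timestamp, session_value, user) of the first request in which
    a session value appears under a user other than the one who first
    presented it, or None if no crossover occurs."""
    owner = {}
    for ts, _cookie, sid, user in parse(log_text):
        if sid not in owner:
            owner[sid] = user
        elif owner[sid] != user:
            return ts, sid, user
    return None


if __name__ == "__main__":
    print("shared:", shared_sessions(SAMPLE_LOG))
    print("first crossover:", first_crossover(SAMPLE_LOG))
```

A hit from `shared_sessions` does not by itself prove the server handed out a duplicate value; the same report is produced when a cookie is copied between browsers or two people use one workstation. The `first_crossover` timestamp is what to line up against application and load-balancer logs to see what the server was doing when the value changed hands.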


