[Grok-dev] Strange session / security problem with Grok 0.14

Ivo van der Wijk vladdrac at gmail.com
Mon Jan 12 11:00:39 EST 2009

2009/1/12 Martijn Faassen <faassen at startifact.com>:
> Hi there,
> The cookie *value* is actually identical? Weird. The cookie name being
> identical seems to be normal when I read the zope.session code even
> though it's generated from the current time. Perhaps to invalidate
> sessions on a server restart - not sure.

Yes, after login (or actually already before, when visiting the login
screen), the users get different cookies. But after randomly clicking
around in two browsers with two sessions, they suddenly become the
same session (so one of the cookies changes).

I've looked at the same code - the cookie name is persistent in a
local utility (and can be changed there), so it even survives
restarts. But that's not the issue.

Let's see what happens once the load balancer is removed. Don't worry
unless the problem persists after that :)



Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl Web: http://m3r.eu/
