[Grok-dev] Strange session / security problem with Grok 0.14

Ivo van der Wijk vladdrac at gmail.com
Fri Jan 16 08:44:41 EST 2009


2009/1/12 Ivo van der Wijk <vladdrac at gmail.com>:
>
> Yes, after login (or actually already before, when visiting the login
> screen), the users get different cookies. But after randomly clicking
> around in two browsers with two sessions, they suddenly become the
> same session (so one of the cookies changes).
>
> I've looked at the same code - the cookie name is persistent in a
> local utility (and can be changed there), so it even survives
> restarts. But that's not the issue.
>
> Let's see what happens once the loadbalancer is removed. Don't worry
> unless the problem persists after that :)
>

For future reference: we've probably fixed this issue. It appears
mod_cache was enabled in the apache config and even though the ISP
thought otherwise, it was active on the grok app's virtualhost. An
explicit "DisableCache /" seems to resolve the issues.

Some interesting observations:

- certain requests not only resulted in a different session cookie,
you'd actually get tens of them!
- cached responses were sent by Server: Apache ... instead of Twisted.
- even after disabling mod_cache for the vhost, we were still able to
retrieve cached content. Clearing the diskcache resolved that as well.

If you ever run into a similar issue, make sure you're not using
mod_cache. Heck, make sure you're not using mod_cache at all :)

Regards

Ivo


-- 
Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl Web: http://m3r.eu/
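The symptoms Ivo lists (a cache sitting in front of the Twisted origin replaying one user's Set-Cookie to another, responses suddenly carrying several session cookies, the Server header flipping from Twisted to Apache) can be checked for mechanically from captured responses. The script below is an added example written for this page, not code from the thread or from Grok; it audits a list of constructed responses for cache-served Set-Cookie headers, session ids seen from more than one client, responses that set a cookie without Cache-Control: private or no-store, and responses that set the session cookie several times. The cookie name "sessionid", the origin Server value "TwistedWeb" and all paths and ids are assumptions. (For reference, Apache's mod_cache directive for excluding a URL prefix is spelled CacheDisable in the Apache documentation.)

```python
"""Audit captured HTTP responses for session cookies leaking through a shared
cache: responses served by an intermediary (here Apache's mod_cache) instead of
the origin (here Twisted), carrying a Set-Cookie meant for another client.

Every sample response below is constructed for illustration. The cookie name
"sessionid", the origin Server value "TwistedWeb" and the paths are assumptions.
"""

ORIGIN_SERVER = "TwistedWeb"   # assumed Server header prefix the origin emits
SESSION_COOKIE = "sessionid"   # assumed session cookie name


def session_ids(headers):
    """Return every value of the session cookie set by this response.

    Headers are (name, value) pairs so that repeated Set-Cookie lines survive.
    """
    ids = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0]          # "name=value" before attributes
        key, _, val = pair.partition("=")
        if key.strip() == SESSION_COOKIE:
            ids.append(val.strip())
    return ids


def is_cache_served(headers):
    """Heuristics for 'this response came from an intermediary cache'."""
    hdrs = {name.lower(): value for name, value in headers}
    if hdrs.get("x-cache", "").upper().startswith("HIT"):
        return True
    if "age" in hdrs:                          # only caches add an Age header
        return True
    server = hdrs.get("server", "")
    return bool(server) and not server.startswith(ORIGIN_SERVER)


def lacks_private_caching(headers):
    """True if a response sets the session cookie without telling shared
    caches not to store it (no Cache-Control: private / no-store)."""
    if not session_ids(headers):
        return False
    hdrs = {name.lower(): value for name, value in headers}
    cc = hdrs.get("cache-control", "").lower()
    return not ("private" in cc or "no-store" in cc)


def audit(responses):
    """responses: iterable of (client, path, headers). Returns a list of
    (finding, client, path) tuples."""
    findings = []
    owner = {}                                 # session id -> first client seen
    for client, path, headers in responses:
        ids = session_ids(headers)
        if ids and is_cache_served(headers):
            findings.append(("cached-set-cookie", client, path))
        if len(ids) > 1:
            findings.append(("multiple-session-cookies", client, path))
        if lacks_private_caching(headers):
            findings.append(("cacheable-set-cookie", client, path))
        for sid in ids:
            if owner.setdefault(sid, client) != client:
                findings.append(("session-shared", client, path))
    return findings


SAMPLE_RESPONSES = [  # constructed sample data
    ("browser-A", "/login", [
        ("Server", "TwistedWeb/8.2.0"),
        ("Cache-Control", "private"),
        ("Set-Cookie", "sessionid=aaa111; Path=/"),
    ]),
    ("browser-B", "/login", [
        ("Server", "TwistedWeb/8.2.0"),
        ("Cache-Control", "private"),
        ("Set-Cookie", "sessionid=bbb222; Path=/"),
    ]),
    # page rendered for B, stored by the cache, then replayed to A
    ("browser-A", "/index", [
        ("Server", "Apache/2.2"),
        ("Age", "37"),
        ("Set-Cookie", "sessionid=bbb222; Path=/"),
    ]),
    # origin response with no Cache-Control that sets the cookie twice
    ("browser-B", "/news", [
        ("Server", "TwistedWeb/8.2.0"),
        ("Set-Cookie", "sessionid=ccc333; Path=/"),
        ("Set-Cookie", "sessionid=ddd444; Path=/"),
    ]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(*finding)
```

On the constructed data the audit reports the replayed /index response three times (served from cache, lacking private caching, and handing browser-A a session id first issued to browser-B) and the /news response twice. The "cacheable-set-cookie" finding is the one worth fixing at the origin: a response that sets a session cookie should carry Cache-Control: private (or no-store) so that a shared cache never stores it, whether or not mod_cache is later switched off in front of it.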

