[Grok-dev] Strange session / security problem with Grok 0.14

Martijn Faassen faassen at startifact.com
Fri Jan 16 10:25:20 EST 2009


Ivo van der Wijk wrote:
> For future reference: We've probably fixed this issue. It appears
> mod_cache was enabled in the apache config and eventhough the ISP
> thought otherwise, it was active on the grok app's virtualhost. An
> explicit "DisableCache /" seems to resolve the issues.

Thanks for the update! We're glad to find it's probably not some 
fundamental problem inside Grok or Zope 3 or something... :)

> Some interesting observations:
> - certain requests not only resulted in a different session cookie,
> you'd actually get 10's of them!
> - cached responses were sent by Server: Apache ... in stead of Twisted.
> - even after disabling mod_cache for the vhost, we we're still able to
> retrieve cached content. Clearing the diskcache resolved that as well.
> If you every run into a similar issue, make sure you're not using
> mod_cache. Heck, make sure you're not using mod_cache at all :)

Is that conclusion because of mod_cache's seemingly rather bad 
misbehavior or are there yet more reasons not to use mod_cache? :)



More information about the Grok-dev mailing list