[Grok-dev] Strange session / security problem with Grok 0.14
faassen at startifact.com
Mon Jan 12 09:59:03 EST 2009
Ivo van der Wijk wrote:
> Has anyone seen such behaviour before? Does anyone know what might cause this?
New to me, and pretty scary-sounding. That said I haven't had much
experience with public-facing authentication setups for Grok yet. Still
you'd think the Zope 3 community would by now - you might want to ask on
zope-dev if you haven't already.
Replying to your later post: it shouldn't matter whether it's Grok 0.13
or Grok 0.14 as far as I can see.
> If I understand correctly, the zope3_cs_xxxx cookie is the zope3
> session cookie. If two (or perhaps more) different, concurrent users
> are logged in, under hard to reproduce conditions, one user seems to
> get the other user's cookie and becomes logged in as the other user.
> Logging out will also logout the other user.
The cookie *value* is actually identical? Weird. The cookie name being
identical seems to be normal when I read the zope.session code even
though it's generated from the current time. Perhaps to invalidate
sessions on a server restart - not sure.
More information about the Grok-dev