[Grok-dev] Strange session / security problem with Grok 0.14
Ivo van der Wijk
vladdrac at gmail.com
Fri Jan 16 08:44:41 EST 2009
2009/1/12 Ivo van der Wijk <vladdrac at gmail.com>:
> Yes, After login (or actually already before, when visiting the login
> screen), the users get different cookies. But after randomly clicking
> around in two browsers with two sessions, they suddenly become the
> same session (so one of the cookies changes)
> I've looked at the same code - the cookie name is persistent in a
> local utility (and can be changed there), so it even survives
> restarts. But that's not the issue.
> Let's see what happens once the loadbalancer is removed. Don't worry
> unless the problem persists after that :)
For future reference: We've probably fixed this issue. It appears
mod_cache was enabled in the apache config and eventhough the ISP
thought otherwise, it was active on the grok app's virtualhost. An
explicit "DisableCache /" seems to resolve the issues.
Some interesting observations:
- certain requests not only resulted in a different session cookie,
you'd actually get 10's of them!
- cached responses were sent by Server: Apache ... in stead of Twisted.
- even after disabling mod_cache for the vhost, we we're still able to
retrieve cached content. Clearing the diskcache resolved that as well.
If you every run into a similar issue, make sure you're not using
mod_cache. Heck, make sure you're not using mod_cache at all :)
Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl Web: http://m3r.eu/
More information about the Grok-dev