Hello all,

I am quite new to Django and I've been trying to get all the info I can 
by, amongst other means, reading through django-dev and django-users. I 
don't remember in which one I read this, but fastcgi, the way it is designed, 
doesn't work well with threads. The actual details escape me, but I'm 
certain the thing that made this come up had to do with information from 
one user being magically overwritten by something submitted by another 
user... which sounds terribly like your point #2.

The quick fix on that occasion was using a forking model in Apache 
instead of multithreading, IIRC.

Just a thought,

henrique

ak wrote:
> Michael, I really don't know how it would be possible, I only know the
> following:
> 1. My production web server restarts a few times per day. Sometimes
> twice (in a really short period, i.e. 2-3 minutes).
> 2. I got a report from a _new_ user that he received an e-mail with login
> and pass, clicked the link and became logged in as another user without
> entering login and pass. Our auth is based on putting user_id in the
> session, so a new user must have a new clean session without any data.
> Any other ideas how he could be logged in as another user, except a
> session duplicate?
> 3. After that report I cleaned the django_session table so all existing
> sessions should be immediately expired. After this I got one more
> report from another user who said that he was working in his app (was
> logged in), then somehow he became another logged-in user. I opened
> the logs and found that these users logged in to the system at the same
> time.
>
> And one more thing about IP checking: OK, I agree about network
> sniffing (but there is still a possibility that sniffing was run
> after I logged in, so the attacker could not see my pass but he sees my
> session ID :) ). But please don't forget that session cookies may also
> be stolen via XSS.
>
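The failure mode henrique and ak describe (one user's request being served with another user's identity) is what happens when per-request state lives in a process-wide global and the server handles requests on several threads at once. The following is an added example, not code from the original thread or from Django: it keeps "who is logged in" in a module global, forces two simulated requests to interleave with a barrier, and shows one of them rendering as the wrong user; the same handler rewritten on `threading.local` keeps each thread's user separate. All function names here are hypothetical.

```python
"""Added example (not from the original thread or from Django): request
state kept in a module-level global leaks between users under a
multi-threaded server; per-thread storage does not.
Function names are hypothetical."""
import threading

# --- Buggy pattern: request state stashed in a process-wide global -------
_current_user = None  # one slot shared by every thread in the process


def handle_request_global(user_id, barrier):
    """Simulated request handler that records the logged-in user in a
    global, then reads it back to render the page. The barrier stands in
    for the other request's thread being scheduled in between."""
    global _current_user
    _current_user = user_id          # 'login' for this request
    barrier.wait()                   # the other request runs here
    return _current_user             # 'whose page do we render?'


# --- Fixed pattern: per-thread storage -----------------------------------
_local = threading.local()


def handle_request_local(user_id, barrier):
    """Same handler, but the user is stored per thread, so another
    request running concurrently cannot overwrite it."""
    _local.user = user_id
    barrier.wait()
    return _local.user


def run_concurrent(handler, users):
    """Run one handler per user, each on its own thread, and return a
    {requested_user: user_the_handler_rendered} map."""
    barrier = threading.Barrier(len(users))
    results = {}
    lock = threading.Lock()

    def worker(uid):
        seen = handler(uid, barrier)
        with lock:
            results[uid] = seen

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def cross_user_leaks(results):
    """Return the requests that ended up rendered as a different user."""
    return {uid: seen for uid, seen in results.items() if seen != uid}


if __name__ == "__main__":
    # Constructed sample: two users hitting the server at the same time.
    users = ["alice", "bob"]
    print("global :", cross_user_leaks(run_concurrent(handle_request_global, users)))
    print("local  :", cross_user_leaks(run_concurrent(handle_request_local, users)))
```

With the global, both threads write before either reads, so exactly one request is rendered as the other user; a forking server hides this only because each process has its own copy of the global, which is why switching Apache to the prefork model "fixed" it. A session store shared by several processes or threads has the same hazard if the session ID is generated or cached in shared mutable state.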


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---