I saw an instance where a user was assigned a session corresponding to another user because of a webpy_session_id cookie change (not made by me), and hence the data of userA was visible to userB. Has anybody run into a similar situation earlier, and if so, how was it solved?
The big picture is:

My web.py app runs in the /mydomain/appdomain URL, and I have integrated PHP classes for OAuth authentication so a user can log in using their FB or Gmail logins. These PHP classes reside in /mydomain/phpdomain. I have set the cookies in appdomain with the "/" path so they are visible to the PHP code as well.

When an anonymous user visits /mydomain/appdomain, the session created assigns the default user id of 1, which corresponds to the anonymous user. When such a user wants to log in, he navigates over to /mydomain/phpdomain. The code here authenticates and, if OK, sets the matched userid in a cookie, and the page is redirected to /mydomain/appdomain/fblogin. This fblogin handler simply reads the cookie with the user id which was set by the PHP code, modifies the session.uid data from 1 to the new ID, and then redirects to the home page.

Since the ID is now set to the authenticated user id, I expected the app to run in the now logged-in user context. However, what I saw was that the app was running as a third user (with ID 46) instead of the actual authenticated user with id 62. Has anybody seen similar behaviour? The apache log clearly shows this change in the session value. I saw the change in the session id in the browser as well; however, I did not save browser logs. I do have apache logs.

When I deleted all sessions from the database and redid the test, everything worked as expected. The fact that a wrong session was assigned even once during tests is causing me alarm, and hence the question to the group. If anybody is interested in debugging/explaining this to me, I will attach the apache log.
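The post describes a handoff in which the fblogin handler reads a user id from a cookie and rewrites the uid inside an existing session. The following is an added example, not the poster's code and not web.py's API: it uses a constructed in-memory dictionary as a stand-in for web.py's session store, has the PHP side sign the handoff with an HMAC (the key shown is a placeholder assumption) so the web.py handler can verify it, and replaces the pre-login session id with a fresh one at login so the anonymous session can no longer be reused.

```python
import hmac
import hashlib
import secrets
import time

# Constructed stand-in for the DB-backed web.py session store: session id -> data.
SESSIONS = {}
ANON_UID = 1
# Assumption: a secret shared only between the PHP login code and the web.py app.
HANDOFF_KEY = b"placeholder-shared-secret"

def new_session():
    """Create the anonymous session an unauthenticated visitor gets."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"uid": ANON_UID}
    return sid

def sign_handoff(uid, issued=None):
    """What the PHP side would write into the cookie: uid:timestamp:mac."""
    issued = int(issued if issued is not None else time.time())
    msg = f"{uid}:{issued}".encode()
    mac = hmac.new(HANDOFF_KEY, msg, hashlib.sha256).hexdigest()
    return f"{uid}:{issued}:{mac}"

def verify_handoff(cookie, now=None, max_age=60):
    """Return the uid only if the cookie is authentic and recent, else None."""
    try:
        uid, issued, mac = cookie.split(":")
    except ValueError:
        return None
    expected = hmac.new(HANDOFF_KEY, f"{uid}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    now = now if now is not None else time.time()
    if now - int(issued) > max_age:
        return None
    return int(uid)

def fblogin(old_sid, handoff_cookie, now=None):
    """Handle the redirect from PHP: returns (session id to set, login succeeded)."""
    uid = verify_handoff(handoff_cookie, now)
    if uid is None or uid == ANON_UID:
        return old_sid, False  # keep the anonymous session untouched
    data = SESSIONS.pop(old_sid, {"uid": ANON_UID})  # retire the pre-login session id
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = dict(data, uid=uid)  # fresh id bound to the verified uid
    return new_sid, True
```

The handler returns the new id that must be sent back as the webpy_session_id cookie; a raw uid in the cookie, a forged MAC, or a stale handoff all leave the visitor anonymous.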
