logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Users logged in as wrong user using form/cookie login -bug?
Author
abstraktion



Joined: 16 Aug 2024
Posts: 2

PostPosted: Mon 09 Sep '24 20:21    Post subject: Users logged in as wrong user using form/cookie login -bug? Reply with quote

Hey All!

I am trying to move my company's login page a bit more into the present - off of basic auth, and into a nice form login.

I used the mod_auth_form+mod_session_cookie module to implement this, everything seemed to be fine until we started getting reports that some users seemed to magically be logged in as other users, like so:

- User A logs in on their device
- We show a message in the corner of the screen "Logged in as User A"
- User A clicks a link, or refreshes the page
- Message now says "Logged in as User B"

In most cases, User B had never logged into the page on the device that User A was using. I saw this behavior firsthand - I was "User B" on a device that I had never logged into.

I managed to look at saved cookies for a user this happened to, they were receiving a cookie containing a username/password for a user that had never once logged into their device (a personal mobile device).

Things I've tried:
- Reviewing .htaccess files for overrides
- Reviewing usages of PHP_AUTH_USER and PHP_AUTH_PW in our php app
- Reviewing all places in the php app where we set a cookie
- Reproducing the issue with scripts + extra logging turned on (was unable to reproduce using the same config with ports changed on the same server)

Here is a partially redacted copy of our apache config, the authorization bits start at line 114: https://gist.github.com/jpcastberg/a3fd0486435cd5fd8ef786d9327b6193

Here is modules.conf: https://gist.github.com/jpcastberg/cc3415f8a6ad3984739a539ffcd163c2

Thank y'all so much in advance! Please let me know if you need any additional context or info...
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 346
Location: UK

PostPosted: Mon 09 Sep '24 21:58    Post subject: Reply with quote

Based on the detail you've posted, I'd take a look at the server side caching as being a possible cause of your problem.

If an incorrect user cookie is being sent to a client, then some element of cached content is being returned cross session.

I'd start by not caching cookies:

Code:
CacheIgnoreHeaders Set-Cookie

and if that doesn't resolve things, disable caching altogether just to see if caching is the problem.
Back to top
abstraktion



Joined: 16 Aug 2024
Posts: 2

PostPosted: Sat 14 Sep '24 17:44    Post subject: Reply with quote

We enabled the setting (just for the set-cookie header), so far so good for the past few days. Will report back if there are issues, thank you for the assist!
Back to top


Reply to topic   Topic: Users logged in as wrong user using form/cookie login -bug? View previous topic :: View next topic
Post new topic   Forum Index -> Apache