Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Users logged in as wrong user using form/cookie login -bug? |
|
Author |
|
abstraktion
Joined: 16 Aug 2024 Posts: 2
|
Posted: Mon 09 Sep '24 20:21 Post subject: Users logged in as wrong user using form/cookie login -bug? |
|
|
Hey All!
I am trying to move my company's login page a bit more into the present - off of basic auth, and into a nice form login.
I used the mod_auth_form+mod_session_cookie module to implement this, everything seemed to be fine until we started getting reports that some users seemed to magically be logged in as other users, like so:
- User A logs in on their device
- We show a message in the corner of the screen "Logged in as User A"
- User A clicks a link, or refreshes the page
- Message now says "Logged in as User B"
In most cases, User B had never logged into the page on the device that User A was using. I saw this behavior firsthand - I was "User B" on a device that I had never logged into.
I managed to look at saved cookies for a user this happened to, they were receiving a cookie containing a username/password for a user that had never once logged into their device (a personal mobile device).
Things I've tried:
- Reviewing .htaccess files for overrides
- Reviewing usages of PHP_AUTH_USER and PHP_AUTH_PW in our php app
- Reviewing all places in the php app where we set a cookie
- Reproducing the issue with scripts + extra logging turned on (was unable to reproduce using the same config with ports changed on the same server)
Here is a partially redacted copy of our apache config, the authorization bits start at line 114: https://gist.github.com/jpcastberg/a3fd0486435cd5fd8ef786d9327b6193
Here is modules.conf: https://gist.github.com/jpcastberg/cc3415f8a6ad3984739a539ffcd163c2
Thank y'all so much in advance! Please let me know if you need any additional context or info... |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 346 Location: UK
|
Posted: Mon 09 Sep '24 21:58 Post subject: |
|
|
Based on the detail you've posted, I'd take a look at the server side caching as being a possible cause of your problem.
If an incorrect user cookie is being sent to a client, then some element of cached content is being returned cross session.
I'd start by not caching cookies:
Code: | CacheIgnoreHeaders Set-Cookie |
and if that doesn't resolve things, disable caching altogether just to see if caching is the problem. |
|
Back to top |
|
abstraktion
Joined: 16 Aug 2024 Posts: 2
|
Posted: Sat 14 Sep '24 17:44 Post subject: |
|
|
We enabled the setting (just for the set-cookie header), so far so good for the past few days. Will report back if there are issues, thank you for the assist! |
|
Back to top |
|
|
|
|
|
|