This is a tricky issue.

Consider the case of amazon.com: you can add stuff to your cart before you log in, 
and after you log in it remembers your cart. Even if it logs you out, you 
can still add items to your cart. In a sense that information leaks 
(although the term leak is not appropriate here). web2py works the same.

Logically there are two sessions. One is associated to the client (where 
you would store the cart) and one is associated to the user (contains user 
specific info). In web2py one is stored in session and one in session.auth.

So anything that should be reset on logout should be stored in session.auth 
and stuff that should not be reset should be in session. Things have 
changed at one point and we decided that (unless specified otherwise in 
auth.settings.renew_onlogout) the entire session should be wiped out on 
logout. The problem is that if the user is automatically logged out, that 
happens before the flag auth.settings.renew_onlogout is set.

We are investigating and will have a solution shortly.

Massimo



On Monday, 3 March 2014 08:26:09 UTC-6, Marin Pranjić wrote:
>
> Isn't this why session.renew() was added?
>
>
> On Mon, Mar 3, 2014 at 2:29 PM, Massimo Di Pierro 
> <massimo....@gmail.com> wrote:
>
>> I will check and release a patch soon. Please do not discuss possible 
>> security issues on this mailing list. Report them to the developers 
>> directly.
>>
>>
>> On Monday, 3 March 2014 02:06:05 UTC-6, Kiran Subbaraman wrote:
>>>
>>> I see this in 2.9.2 too (Just tested with the latest release)
>>>
>>> On Monday, March 3, 2014 1:25:14 PM UTC+5:30, Kiran Subbaraman wrote:
>>>>
>>>> Hello, 
>>>> I noticed this issue recently related to user session data. 
>>>> In my application I store some user specific session data, so that I do 
>>>> not have to hit the database every time (now I am also looking at using 
>>>> the cache for that, instead of session). 
>>>> If userA is logged into the application, and then userA's auth session 
>>>> expires, a login screen is presented. In case login is performed with 
>>>> userB's credentials, the session data from userA is still available, and 
>>>> is displayed on userB's screen. 
>>>>
>>>> I have created a minimal app to demonstrate the issue that I see. Also 
>>>> take a look at the screenshots. Notice the session.userdata variable's 
>>>> value. 
>>>> Tested this on web2py 2.8.2, on Windows 8. 
>>>>
>>>> This is my controller code: 
>>>> @auth.requires_login() 
>>>> def index(): 
>>>>     ... 
>>>>
>>>>     if session['userdata'] is None: 
>>>>         session.userdata = auth.user.first_name 
>>>>
>>>> I am suspecting this is an issue / bug. Can anyone confirm? 
>>>> This issue does not arise if the user explicitly logs out of a session, 
>>>> or the browser window is closed (I have set my browser to clear all 
>>>> cookie data when it is closed) 
>>>>
>>>> -- 
>>>>
>>>> ________________________________________ 
>>>> Kiran Subbaraman 
>>>> http://subbaraman.wordpress.com/about/ 
>>>>
>>>>  -- 
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to web2py+un...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
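The behaviour discussed in this thread, as an added illustration that is not web2py's own code and not code from any participant: a constructed Python model of a client session whose user part (session.auth) is dropped on auth expiry while the rest of the session survives. It runs the scenario from the original report (userA logs in, auth expires, userB logs in on the same browser) against the controller pattern from the report and against a pattern that keeps the cached value under session.auth. The `Storage`, `Session`, `Auth`, `expire_auth`, `index_vulnerable` and `index_fixed` names are stand-ins chosen for this example, not web2py's API; only the Storage "missing key reads as None" behaviour mirrors web2py.

```python
"""Constructed model of the session / session.auth split described in this
thread. Added example, not web2py code: Session, Auth and the controllers
below only reproduce the behaviour the thread discusses (auth expiry drops
session.auth but leaves the rest of the client session in place)."""


class Storage(dict):
    """Dict whose missing keys read as None, as web2py's Storage does."""

    __getitem__ = dict.get  # session['missing'] -> None instead of KeyError

    def __getattr__(self, key):
        return self.get(key)

    def __setattr__(self, key, value):
        self[key] = value


class Session(Storage):
    """Client session: survives auth expiry, wiped only on explicit logout."""

    def expire_auth(self):
        # Assumption for this model: an auth timeout removes only the user
        # part of the session, the client part stays (this is the bug's cause).
        self.pop("auth", None)

    def logout(self):
        # Explicit logout wipes the whole session, as described in the thread.
        self.clear()


class Auth:
    """Stand-in for the auth object: login stores the user record in session.auth."""

    def __init__(self, session):
        self.session = session

    def login(self, user_id, first_name):
        self.session.auth = Storage(user=Storage(id=user_id, first_name=first_name))

    @property
    def user(self):
        return self.session.auth.user if self.session.auth else None


def index_vulnerable(session, auth):
    """Controller pattern from the original report: caches user data in the
    client session and never checks whose data it is."""
    if session["userdata"] is None:
        session.userdata = auth.user.first_name
    return session.userdata


def index_fixed(session, auth):
    """Hardened pattern: per-user data lives under session.auth, which goes
    away together with the login, so the next user cannot inherit it."""
    if session.auth.userdata is None:
        session.auth.userdata = auth.user.first_name
    return session.auth.userdata


def reproduce(controller):
    """Run the reported scenario on one client session and return what the
    second user sees: userA logs in, auth expires, userB logs in."""
    session = Session()
    auth = Auth(session)
    auth.login(1, "Alice")
    controller(session, auth)  # Alice's first name is cached
    session.expire_auth()      # auth timeout: login screen is shown
    auth.login(2, "Bob")       # Bob logs in from the same browser
    return controller(session, auth)


def logout_clears_cache():
    """Explicit logout (the case the report says is fine) drops the cache."""
    session = Session()
    auth = Auth(session)
    auth.login(1, "Alice")
    index_vulnerable(session, auth)
    session.logout()
    return session.userdata is None


if __name__ == "__main__":
    print("vulnerable pattern, userB sees:", reproduce(index_vulnerable))  # Alice
    print("fixed pattern, userB sees:     ", reproduce(index_fixed))       # Bob
    print("explicit logout clears cache:  ", logout_clears_cache())        # True
```

The model makes the point of the thread concrete: the leak is not in the cache itself but in where it lives. Anything that must not outlive a login belongs under session.auth (or must be keyed to auth.user.id and checked on every read), while the client session is the right place only for data that is genuinely per-browser, such as a shopping cart.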
