There is a solution in trunk which consists of ignoring the user 
preference (auth.settings.renew_onlogout) and always resetting all session 
variables (not only those associated with the user) when the user is 
automatically logged out. I believe this is how most users expect this to 
work. I will post 2.9.3 as soon as other developers have had a chance to 
review it.
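The two logout policies under discussion, as an added simulation (not web2py's own code, and not from any poster in this thread): a plain dict stands in for web2py's session Storage, `auto_logout_old` models the behaviour Kiran reported (expiry drops only session.auth, everything else survives into userB's login), and `auto_logout_fixed` models the trunk change described above (the whole session is wiped on automatic logout). A third controller, `index_owner_checked`, is an assumed application-side mitigation that tags cached data with the owning user id, so stale data is never shown even when the framework does not clear the session. All user records are constructed sample data.

```python
"""Simulation of the web2py session behaviour discussed in this thread.

Constructed example: a dict plays the role of web2py's session object and
the sample users are made up. None of this is web2py framework code.
"""

# Constructed sample users (the thread's userA / userB).
USER_A = {"id": 1, "first_name": "Alice"}
USER_B = {"id": 2, "first_name": "Bob"}


def new_session():
    """Fresh client session; session.auth is None until someone logs in."""
    return {"auth": None}


def login(session, user):
    """Equivalent of a successful auth login: user record goes into session.auth."""
    session["auth"] = {"user": dict(user)}


def index(session):
    """Controller from the bug report: cache first_name in session.userdata once.

    The check is 'is the key unset?', not 'does it belong to the current user?',
    so whatever a previous user left behind is returned unchanged.
    """
    if session.get("userdata") is None:
        session["userdata"] = session["auth"]["user"]["first_name"]
    return session["userdata"]


def index_owner_checked(session):
    """Assumed hardened controller: cache is keyed to the user id that filled it.

    If the owner recorded in the session does not match the logged-in user,
    the cached value is recomputed instead of being served.
    """
    user = session["auth"]["user"]
    if session.get("userdata") is None or session.get("userdata_owner") != user["id"]:
        session["userdata"] = user["first_name"]
        session["userdata_owner"] = user["id"]
    return session["userdata"]


def auto_logout_old(session):
    """Pre-fix behaviour: an expired auth session only clears session.auth."""
    session["auth"] = None


def auto_logout_fixed(session):
    """Behaviour described in the fix: every session key is reset on auto logout."""
    session.clear()
    session["auth"] = None


def scenario(logout, controller=index):
    """Log in as A, render, let the auth session expire, log in as B, render.

    Returns (what A saw, what B saw); the leak shows up as B seeing A's name.
    """
    session = new_session()
    login(session, USER_A)
    seen_by_a = controller(session)
    logout(session)
    login(session, USER_B)
    seen_by_b = controller(session)
    return seen_by_a, seen_by_b


if __name__ == "__main__":
    print("old logout, reported controller :", scenario(auto_logout_old))
    print("fixed logout, reported controller:", scenario(auto_logout_fixed))
    print("old logout, owner-checked        :", scenario(auto_logout_old, index_owner_checked))
```

Running the three scenarios shows the trade-off Massimo describes: the framework-level fix clears every key, so a pre-login cart stored in session would also be lost, while the owner-checked controller keeps the rest of the session intact but protects only the keys the application remembers to tag.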

On Monday, 3 March 2014 08:35:40 UTC-6, Massimo Di Pierro wrote:
>
> This is a tricky issue.
>
> Consider the case of amazon.com: you can add stuff to the cart before you 
> log in, and after you log in it remembers your cart. Even if it logs you out, 
> you can still add items to your cart. In a sense that information leaks 
> (although the term leak is not appropriate here). web2py works the same.
>
> Logically there are two sessions. One is associated with the client (where 
> you would store the cart) and one is associated with the user (contains user 
> specific info). In web2py one is stored in session and one in session.auth.
>
> So anything that should be reset on logout should be stored in 
> session.auth and stuff that should not be reset should be in session. 
> Things changed at one point and we decided that (unless specified 
> otherwise in auth.settings.renew_onlogout) the entire session should be 
> wiped out on logout. The problem is that if the user is automatically 
> logged out, that happens before the flag auth.settings.renew_onlogout is 
> set.
>
> We are investigating and will have a solution shortly.
>
> Massimo
>
>
>
> On Monday, 3 March 2014 08:26:09 UTC-6, Marin Pranjić wrote:
>>
>> Isn't this why session.renew() was added?
>>
>>
>> On Mon, Mar 3, 2014 at 2:29 PM, Massimo Di Pierro 
>> <massimo....@gmail.com> wrote:
>>
>>> I will check and release a patch soon. Please do not discuss possible 
>>> security issues on this mailing list. Report them to the developers 
>>> directly.
>>>
>>>
>>> On Monday, 3 March 2014 02:06:05 UTC-6, Kiran Subbaraman wrote:
>>>>
>>>> I see this in 2.9.2 too (Just tested with the latest release)
>>>>
>>>> On Monday, March 3, 2014 1:25:14 PM UTC+5:30, Kiran Subbaraman wrote:
>>>>>
>>>>> Hello, 
>>>>> I noticed this issue recently related to user session data. 
>>>>> In my application I store some user specific session data, so that I do 
>>>>> not have to hit the database every time (now, I am also looking at using 
>>>>> the cache for that, instead of session). 
>>>>> If userA is logged into the application, and then userA's auth session 
>>>>> expires, a login screen is presented. In case login is performed with 
>>>>> userB's credentials, the session data from userA is still available, and 
>>>>> is displayed on userB's screen. 
>>>>>
>>>>> I have created a minimal app to demonstrate the issue that I see. Also 
>>>>> take a look at the screenshots. Notice the session.userdata variable's 
>>>>> value. 
>>>>> Tested this on web2py 2.8.2, on Windows 8. 
>>>>>
>>>>> This is my controller code: 
>>>>> @auth.requires_login() 
>>>>> def index(): 
>>>>>     ... 
>>>>>
>>>>>     if session['userdata'] is None: 
>>>>>         session.userdata = auth.user.first_name 
>>>>>
>>>>> I am suspecting this is an issue / bug. Can anyone confirm? 
>>>>> This issue does not arise if the user explicitly logs out of a session, 
>>>>> or the browser window is closed (I have set my browser to clear all 
>>>>> cookie data when it is closed). 
>>>>>
>>>>> -- 
>>>>>
>>>>> ________________________________________ 
>>>>> Kiran Subbaraman 
>>>>> http://subbaraman.wordpress.com/about/ 
>>>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.