This is now posted in web2py 2.9.3-stable

On Monday, 3 March 2014 09:30:28 UTC-6, Massimo Di Pierro wrote:
>
> There is a solution in trunk which consists of ignoring the user preferences (auth.settings.renew_onlogout) and always resetting all session variables (not only those associated to the user) when the user is automatically logged out. I believe this is how most users expect this to work. I will post 2.9.3 as soon as other developers have had a chance to review it.
>
> On Monday, 3 March 2014 08:35:40 UTC-6, Massimo Di Pierro wrote:
>>
>> This is a tricky issue.
>>
>> Consider the case of amazon.com: you can add stuff to the cart before you login, and after you login it remembers your cart. Even if it logs you out, you can still add items to your cart. In a sense that information leaks (although the term leak is not appropriate here). web2py works the same.
>>
>> Logically there are two sessions. One is associated to the client (where you would store the cart) and one is associated to the user (contains user specific info). In web2py one is stored in session and one in session.auth.
>>
>> So anything that should be reset on logout should be stored in session.auth and stuff that should not be reset should be in session. Things have changed at one point and we decided that (unless specified otherwise in auth.settings.renew_onlogout) the entire session should be wiped out on logout. The problem is that if the user is automatically logged out, that happens before the flag auth.settings.renew_onlogout is set.
>>
>> We are investigating and will have a solution shortly.
>>
>> Massimo
>>
>> On Monday, 3 March 2014 08:26:09 UTC-6, Marin Pranjić wrote:
>>>
>>> Isn't this why session.renew() was added?
>>>
>>> On Mon, Mar 3, 2014 at 2:29 PM, Massimo Di Pierro <[email protected]> wrote:
>>>
>>>> I will check and release a patch soon. Please do not discuss possible security issues on this mailing list. Report them to the developers directly.
>>>>
>>>> On Monday, 3 March 2014 02:06:05 UTC-6, Kiran Subbaraman wrote:
>>>>>
>>>>> I see this in 2.9.2 too (just tested with the latest release).
>>>>>
>>>>> On Monday, March 3, 2014 1:25:14 PM UTC+5:30, Kiran Subbaraman wrote:
>>>>>>
>>>>>> Hello,
>>>>>> I noticed this issue recently related to user session data.
>>>>>> In my application I store some user-specific session data, so that I do not have to hit the database every time (now I am also looking at using the cache for that, instead of session).
>>>>>> If userA is logged into the application, and then userA's auth session expires, a login screen is presented. In case login is performed with userB's credentials, the session data from userA is still available, and is displayed on userB's screen.
>>>>>>
>>>>>> I have created a minimal app to demonstrate the issue that I see. Also take a look at the screenshots. Notice the session.userdata variable's value.
>>>>>> Tested this on web2py 2.8.2, on Windows 8.
>>>>>>
>>>>>> This is my controller code:
>>>>>>
>>>>>>     @auth.requires_login()
>>>>>>     def index():
>>>>>>         ...
>>>>>>         if session['userdata'] is None:
>>>>>>             session.userdata = auth.user.first_name
>>>>>>
>>>>>> I am suspecting this is an issue / bug. Can anyone confirm?
>>>>>> This issue does not arise if the user explicitly logs out of a session, or the browser window is closed (I have set my browser to clear all cookie data when it is closed).
>>>>>>
>>>>>> --
>>>>>> ________________________________________
>>>>>> Kiran Subbaraman
>>>>>> http://subbaraman.wordpress.com/about/
-- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
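A minimal Python model of the two logical sessions Massimo describes (client `session` vs. user `session.auth`), added here as an example and not code from web2py or from this thread. It reproduces Kiran's controller, shows why data stored directly on `session` survives an automatic logout and is shown to the next user, and contrasts the 2.9.3 behaviour (reset everything on auto-logout) with a controller that keys its cached data by user id. The `Storage`, `App`, `login`, `auto_logout`, `index` and `index_keyed` names and the two sample users are my own stand-ins.

```python
class Storage(dict):
    """Stand-in for web2py's Storage: attribute access, None for missing keys."""
    __getattr__ = dict.get
    __setattr__ = dict.__setitem__


class App:
    """Toy app: `session` is the client session, `session.auth` the user session."""

    def __init__(self, wipe_on_auto_logout):
        self.wipe_on_auto_logout = wipe_on_auto_logout  # False = old, True = 2.9.3
        self.session = Storage()

    def login(self, user):
        # a fresh user session is attached to the existing client session
        self.session.auth = Storage(user=Storage(user))

    def auto_logout(self):
        if self.wipe_on_auto_logout:
            self.session = Storage()   # 2.9.3: reset everything, ignore renew_onlogout
        else:
            self.session.auth = None   # older behaviour: only the user part is dropped

    def index(self):
        # the reporter's controller: caches first_name directly on the client session
        if self.session.userdata is None:
            self.session.userdata = self.session.auth.user.first_name
        return self.session.userdata

    def index_keyed(self):
        # defensive variant: tag cached data with the owning user id and
        # discard it when a different user is logged in
        uid = self.session.auth.user.id
        cached = self.session.userdata_owned
        if cached is None or cached.owner != uid:
            cached = Storage(owner=uid, value=self.session.auth.user.first_name)
            self.session.userdata_owned = cached
        return cached.value


def name_seen_by_second_user(wipe_on_auto_logout, controller="index"):
    """userA logs in and loads the page, is auto-logged-out, then userB logs in
    and loads the same page. Returns the name userB sees (constructed users)."""
    app = App(wipe_on_auto_logout)
    app.login({"id": 1, "first_name": "userA"})
    getattr(app, controller)()
    app.auto_logout()
    app.login({"id": 2, "first_name": "userB"})
    return getattr(app, controller)()
```

With the old behaviour `name_seen_by_second_user(False)` returns "userA", which is the leak from the report; the 2.9.3 reset and the keyed controller both return "userB".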

