We will investigate this thoroughly but please get as much information as 
possible about what this person was doing. Did he try to log in? Could you also 
send me a copy of your app (confidentially)?

The fact is even if there were a session conflict (I do not believe that is 
possible unless uuid is broken) a client must request the session via a 
cookie. A new user always gets assigned a new session id and therefore an 
empty session.

Trunk contains experimental code for sessions in cookies. That code does 
not work yet. I am assuming you are not using that anyway.

Trunk also contains new password crypt handling. One version of it was 
broken (nobody could log in). We are testing that too.

Massimo

On Tuesday, 24 July 2012 07:18:45 UTC-5, Neil wrote:
>
> I just heard from someone who had never been to my site before. When she 
> visited (on her phone), it was already logged on as another user. This 
> other user (she told me his name) is located on the other side of the 
> world, and may or may not have logged out. I'm rather worried - she was 
> accessing functions decorated with @auth.requires_login() without even 
> having an account, let alone logging in! Once she clicked "logout" she was 
> no longer able to access any user pages.
>
> I understand this will be tough to debug with so little information. 
> Furthermore, I've never observed this behaviour personally. However, it's 
> concerning enough that I thought I'd see if anyone else 
> has experienced such a thing. If not, any ideas how such a thing could even 
> happen?
>
> I'm using trunk - I suppose I should roll back to stable?
>
> Neil

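To make the mechanism in Massimo's reply concrete, here is a small added example (not web2py's own session code, and not part of the original thread) of a server-side session store keyed by an id carried in a cookie. `SessionStore`, `requires_login` and the three `demo_*` functions are invented for this illustration. It shows that a visitor who arrives without a cookie always gets a freshly minted, empty session, that a cookie naming an id the server never issued is also answered with a fresh session, and what the one exception Massimo names looks like: if the id generator ever repeats a value, a brand-new visitor lands in someone else's session, and logging out from that shared session logs the original user out too.

```python
import uuid


class SessionStore:
    """Hypothetical server-side session store: the cookie carries only the id,
    all state stays on the server (this mirrors the behaviour Massimo describes,
    it is not web2py's implementation)."""

    COOKIE = "session_id"

    def __init__(self, id_factory=lambda: uuid.uuid4().hex):
        self._sessions = {}          # session id -> dict of session data
        self._new_id = id_factory    # swappable so a broken generator can be shown

    def load(self, cookies):
        """Resolve a request's cookie jar to (session_id, session_dict, is_new)."""
        sid = cookies.get(self.COOKIE)
        if sid is None or sid not in self._sessions:
            # No cookie, or a cookie for an id we never issued (expired or forged):
            # mint a new id rather than trusting the client-supplied value.
            sid = self._new_id()
        is_new = sid not in self._sessions
        session = self._sessions.setdefault(sid, {})
        return sid, session, is_new

    def destroy(self, sid):
        """What 'logout' does: drop the server-side state for this id."""
        self._sessions.pop(sid, None)


def requires_login(session):
    """Stand-in for @auth.requires_login(): the session must carry a user."""
    return "user" in session


def demo_healthy_store():
    """With unique ids a first-time visitor never inherits another user's session."""
    store = SessionStore()
    sid_a, sess_a, _ = store.load({})            # Alice's first request, no cookie yet
    sess_a["user"] = "alice"                     # she logs in; Set-Cookie would carry sid_a
    sid_b, sess_b, new_b = store.load({})        # first-time visitor, no cookie at all
    _, sess_a_again, _ = store.load({SessionStore.COOKIE: sid_a})
    return {
        "distinct_ids": sid_a != sid_b,
        "visitor_session_new": new_b,
        "visitor_logged_in": requires_login(sess_b),
        "alice_still_logged_in": requires_login(sess_a_again),
    }


def demo_unknown_cookie():
    """A cookie naming an id the server never issued yields a new empty session."""
    store = SessionStore()
    bogus = "not-an-issued-id"                   # constructed, never minted by the store
    sid, sess, new = store.load({SessionStore.COOKIE: bogus})
    return new and sess == {} and sid != bogus


def demo_broken_id_factory():
    """The 'uuid is broken' case: a generator that repeats ids makes sessions collide."""
    store = SessionStore(id_factory=lambda: "deadbeef")   # constructed, always the same id
    sid_a, sess_a, _ = store.load({})
    sess_a["user"] = "alice"
    sid_b, sess_b, new_b = store.load({})        # no cookie, yet lands in Alice's session
    store.destroy(sid_b)                         # the visitor clicks "logout"
    _, sess_a_after, _ = store.load({SessionStore.COOKIE: sid_a})
    return {
        "visitor_session_new": new_b,
        "visitor_sees_alice": sess_b.get("user") == "alice",
        "alice_logged_in_after_visitor_logout": requires_login(sess_a_after),
    }


if __name__ == "__main__":
    print(demo_healthy_store())
    print(demo_unknown_cookie())
    print(demo_broken_id_factory())
```

The practical check this suggests for a report like Neil's is to confirm that the session ids issued to different clients are actually distinct (for example by comparing the ids stored in the session directory), since the collision demo is the only path here by which a cookie-less first visit can land in an existing session.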