We will investigate this thoroughly, but please get as much information as possible about what this person was doing. Did he try to log in? Could you also send me a copy of your app (confidentially)?

The fact is, even if there were a session conflict (I do not believe that is possible unless uuid is broken), a client must request the session via a cookie. A new user always gets assigned a new session id and therefore an empty session.

Trunk contains experimental code for sessions in cookies. That code does not work yet. I am assuming you are not using that anyway. Trunk also contains new password crypt handling. One version of it was broken (nobody could log in). We are testing that too.

Massimo

On Tuesday, 24 July 2012 07:18:45 UTC-5, Neil wrote:
>
> I just heard from someone who had never been to my site before. When she
> visited (on her phone), it was already logged on as another user. This
> other user (she told me his name) is located on the other side of the
> world, and may or may not have logged out. I'm rather worried - she was
> accessing functions decorated with @auth.requires_login() without even
> having an account, let alone logging in! Once she clicked "logout" she was
> no longer able to access any user pages.
>
> I understand this will be tough to debug with so little information.
> Furthermore, I've never observed this behaviour personally. However, it's
> concerning enough that I thought I'd see if anyone else
> has experienced such a thing. If not, any ideas how such a thing could even
> happen?
>
> I'm using trunk - I suppose I should roll back to stable?
>
> Neil
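The invariant Massimo describes (a session is only reachable through the cookie that names it, and a client without a valid cookie always gets a fresh, empty session) can be written down as a small model. The following is an added illustration, not web2py's own session code; the cookie name, the `SessionStore` class and the `simulate()` scenario are hypothetical. It also shows the related guard a server-side store should keep: a client presenting an unknown session id must not be allowed to have a session created under that id, because that would let one party choose another's session name.

```python
import uuid
from typing import Dict, Optional, Tuple

COOKIE_NAME = "session_id_demo"  # hypothetical cookie name, not web2py's


class SessionStore:
    """Server-side session store keyed only by a server-generated id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def issue(self) -> Tuple[str, dict]:
        # The id is generated server-side with uuid4; a collision would
        # require the uuid generator itself to be broken.
        sid = uuid.uuid4().hex
        self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def resolve(self, cookies: Dict[str, str]) -> Tuple[str, dict, bool]:
        """Return (session_id, session_data, is_new) for a request.

        Only an id that this store issued and still holds is honoured.
        A missing, unknown or forged id never adopts the client's value:
        the client is treated as new and receives an empty session.
        """
        sid: Optional[str] = cookies.get(COOKIE_NAME)
        if sid is not None and sid in self._sessions:
            return sid, self._sessions[sid], False
        new_sid, data = self.issue()
        return new_sid, data, True

    def logout(self, sid: str) -> None:
        # Discard server-side state; the cookie value becomes meaningless.
        self._sessions.pop(sid, None)


def simulate() -> dict:
    """Constructed scenario: one logged-in user, then two fresh clients."""
    store = SessionStore()

    # Existing user logs in from her own browser.
    sid_a, sess_a, _ = store.resolve({})
    sess_a["user"] = "user_a"  # constructed username

    # A brand-new visitor with no cookie at all.
    sid_b, sess_b, new_b = store.resolve({})

    # A visitor presenting an id the server never issued.
    sid_c, sess_c, new_c = store.resolve({COOKIE_NAME: "not-a-real-id"})

    # The legitimate user, sending back her own cookie, keeps her session.
    sid_a2, sess_a2, new_a2 = store.resolve({COOKIE_NAME: sid_a})

    # After logout the old cookie no longer resolves to the old data.
    store.logout(sid_a)
    sid_a3, sess_a3, new_a3 = store.resolve({COOKIE_NAME: sid_a})

    return {
        "new_visitor_is_empty": sess_b == {} and new_b and sid_b != sid_a,
        "forged_id_not_adopted": sid_c != "not-a-real-id" and sess_c == {} and new_c,
        "owner_keeps_session": sid_a2 == sid_a and sess_a2.get("user") == "user_a" and not new_a2,
        "logout_invalidates": new_a3 and sid_a3 != sid_a and sess_a3 == {},
    }


if __name__ == "__main__":
    for check, ok in simulate().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The model makes the point of the reply concrete: for a first-time visitor to land in someone else's session, either the server must hand out a non-unique id, or the visitor's client must already be sending a cookie that names the other user's live session. Neither follows from the store logic itself, which is why the reply asks what the visitor's client was actually sending.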