Here is what she told me:

1. She clicked a link (from Facebook), and was taken directly to one of the 
pages for logged in users. I think this was her first visit to the site.
2. She went back to Facebook, and re-clicked the link, and was again taken 
to a user page
3. She clicked the "Logout" link, and could no longer access user pages. 
She never tried to logon or register.

Hardly seems possible to me, and I would have been very sceptical about the 
whole thing except that she told me the name of the other user (which she 
would have had no way of knowing).

I'll send you a copy of the app.

Neil

On Tuesday, July 24, 2012 4:43:44 PM UTC+1, Massimo Di Pierro wrote:
>
> We will investigate this thoroughly but please get as much information as 
> possible about what this person was doing. Did he try to log in? Could you also 
> send me a copy of your app (confidentially)?
>
> The fact is even if there were a session conflict (I do not believe that 
> is possible unless uuid is broken) a client must request the session via a 
> cookie. A new user always gets assigned a new session id and therefore an 
> empty session.
>
> Trunk contains experimental code for sessions in cookies. That code does 
> not work yet. I am assuming you are not using that anyway.
>
> Trunk also contains a new password crypt handling. One version of it was 
> broken (nobody could login). We are testing that too. 
>
> Massimo
>
> On Tuesday, 24 July 2012 07:18:45 UTC-5, Neil wrote:
>>
>> I just heard from someone who had never been to my site before. When she 
>> visited (on her phone), it was already logged on as another user. This 
>> other user (she told me his name) is located on the other side of the 
>> world, and may or may not have logged out. I'm rather worried - she was 
>> accessing functions decorated with @auth.requires_login() without even 
>> having an account, let alone logging in! Once she clicked "logout" she was 
>> no longer able to access any user pages.
>>
>> I understand this will be tough to debug with so little information. 
>> Furthermore, I've never observed this behaviour personally. However, it's 
>> concerning enough that I thought I'd see if anyone else 
>> has experienced such a thing. If not, any ideas how such a thing could even 
>> happen?
>>
>> I'm using trunk - I suppose I should roll back to stable?
>>
>> Neil
>>

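The check a site operator would run to confirm or rule out the session-sharing reported in this thread is to look for one session cookie being presented by more than one distinct client. This is an added example, not code from the thread or from web2py; it assumes an access log that records client IP, user agent, session cookie value and authenticated user per request (a constructed format, not web2py's default logging), and the log lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the thread). Assumed format:
# client_ip "user_agent" session_cookie authenticated_user path
# A "-" session cookie means the request carried none (e.g. right after logout).
SAMPLE_LOG = """\
203.0.113.7 "Mozilla/5.0 (Android)" sess-a1b2c3 neil /default/index
198.51.100.21 "Mozilla/5.0 (Windows)" sess-d4e5f6 alice /user/profile
203.0.113.7 "Mozilla/5.0 (Android)" sess-a1b2c3 neil /user/profile
192.0.2.44 "Mozilla/5.0 (iPhone)" sess-d4e5f6 alice /user/profile
192.0.2.44 "Mozilla/5.0 (iPhone)" - - /user/logout
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<ua>[^"]*)" (?P<sid>\S+) (?P<user>\S+) (?P<path>\S+)$'
)


def parse_log(text):
    """Parse log lines into dicts, skipping unparseable lines and requests without a session cookie."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("sid") != "-":
            records.append(m.groupdict())
    return records


def find_shared_sessions(records):
    """Map each session id to the set of (ip, user_agent) clients that presented it,
    keeping only sessions seen from more than one distinct client."""
    clients = defaultdict(set)
    for r in records:
        clients[r["sid"]].add((r["ip"], r["ua"]))
    return {sid: c for sid, c in clients.items() if len(c) > 1}


def shared_session_ids(text):
    """Convenience wrapper: sorted list of session ids presented by multiple clients."""
    return sorted(find_shared_sessions(parse_log(text)))


if __name__ == "__main__":
    for sid, clients in find_shared_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid, "presented by:", sorted(clients))
```

A session id that legitimately follows one person across devices will also show up here, so each hit still needs the authenticated user on each request compared before it is treated as the cross-user leak described above.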