Could be a session fixation attack. Web2py doesn't ever use session ids in the URL, does it?
On Tuesday, July 24, 2012 11:00:30 AM UTC-5, Neil wrote:
>
> Here is what she told me:
>
> 1. She clicked a link (from Facebook), and was taken directly to one of the pages for logged in users. I think this was her first visit to the site.
> 2. She went back to Facebook, and re-clicked the link, and was again taken to a user page.
> 3. She clicked the "Logout" link, and could no longer access user pages. She never tried to log on or register.
>
> Hardly seems possible to me, and I would have been very sceptical about the whole thing except that she told me the name of the other user (which she would have had no way of knowing).
>
> I'll send you a copy of the app.
>
> Neil
>
> On Tuesday, July 24, 2012 4:43:44 PM UTC+1, Massimo Di Pierro wrote:
>>
>> We will investigate this thoroughly but please get as much information as possible about what this person was doing. Did he try to log in? Could you also send me a copy of your app (confidentially)?
>>
>> The fact is even if there were a session conflict (I do not believe that is possible unless uuid is broken) a client must request the session via a cookie. A new user always gets assigned a new session id and therefore an empty session.
>>
>> Trunk contains experimental code for sessions in cookies. That code does not work yet. I am assuming you are not using that anyway.
>>
>> Trunk also contains a new password crypt handling. One version of it was broken (nobody could log in). We are testing that too.
>>
>> Massimo
>>
>> On Tuesday, 24 July 2012 07:18:45 UTC-5, Neil wrote:
>>>
>>> I just heard from someone who had never been to my site before. When she visited (on her phone), it was already logged on as another user. This other user (she told me his name) is located on the other side of the world, and may or may not have logged out.
>>>
>>> I'm rather worried - she was accessing functions decorated with @auth.requires_login() without even having an account, let alone logging in! Once she clicked "logout" she was no longer able to access any user pages.
>>>
>>> I understand this will be tough to debug with so little information. Furthermore, I've never observed this behaviour personally. However, it's concerning enough that I thought I'd see if anyone else has experienced such a thing. If not, any ideas how such a thing could even happen?
>>>
>>> I'm using trunk - I suppose I should roll back to stable?
>>>
>>> Neil
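To make the session model described in the thread concrete (a client with no cookie always gets a fresh, empty session; a session id is never read from the URL; the id is rotated at login so a pre-login id can never become an authenticated one), here is an added illustration in Python. It is not web2py's code: the `SessionStore` class and the cookie name are constructed for this example.

```python
import secrets
from typing import Dict, Tuple

# Constructed cookie name for the example; not web2py's actual cookie name.
COOKIE_NAME = "session_id_exampleapp"


class SessionStore:
    """Minimal server-side session store (hypothetical, not web2py's own).

    Sessions are keyed only by a cookie value. Anything that looks like a
    session id in the query string is ignored, and any client that presents
    no cookie, or an unknown one, is given a brand-new empty session.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; not guessable, unlike a counter or timestamp.
        return secrets.token_urlsafe(32)

    def resolve(self, cookies: Dict[str, str], query: Dict[str, str]) -> Tuple[str, dict]:
        """Return (session_id, session_data) for one request.

        `query` is accepted only to make the point explicit: it is never
        consulted, so a session id carried in a link cannot select a session.
        """
        sid = cookies.get(COOKIE_NAME)
        if sid is None or sid not in self._sessions:
            sid = self._new_id()          # unknown or absent cookie -> fresh, empty session
            self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def login(self, sid: str, user: str) -> str:
        """Bind `user` to a NEW session id and retire the old one.

        Rotating the id at login is the standard session-fixation defence: an
        id that existed before authentication never becomes an authenticated id.
        """
        data = self._sessions.pop(sid, {})
        data["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid: str) -> None:
        """Destroy the server-side session so the cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)
```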