Cookies problem

Christian Robottom Reis kiko at async.com.br
Thu Nov 20 13:39:15 UTC 2003


On Thu, Nov 20, 2003 at 06:26:20PM +0530, Vijayan.R.A.Reddy wrote:
> * Bugzilla is installed in a local intranet site
> * It is exposed to customers through an external IP address
> * External IP address is blocked for internal employees and external
> 	customers can not see our intranet bugzilla address
>   (Though both are seeing the same single instance).
> 
> Now, when a customer files a bug, the bug is filed as another user.
> Suddenly, this user sees "Logout <SomeOneelse>'s id" on his footer bar,
> and some of the products are hidden for him as <SomeOneelse> is not
> authorised to see them.

What version of Bugzilla are you running?

Can you tell me if the user sees the correct ID *before* submitting the
bug, or is it wrong from the start (i.e., when he enters his password,
his ID is already incorrect)?

> Clearing cookies/deleting offline contents does NOT help (We suspect
> they are coming through proxy servers).

This is what confuses me. As far as I can see, the user's login cookie
will be sent by his user agent, and I can't see how a proxy would return
a request (which carries the cookie) to the wrong user -- proxies don't
cache Cookie values, and shouldn't cache Set-Cookie headers either.

> An analysis of "logincookies" table shows that many users are coming in
> through only 3 IP addresses, and as they all have one machine each (no
> sharing), obviously the addresses are that of proxy servers. In cases,
> the same IP is shared between two users.

How many lines in logincookies correspond to those IP addresses?

Each user should have a specific integer login cookie, and they should
be dealt out sequentially (at least till bug 119524 is fixed). What you
seem to be reporting is a collision -- the same logincookie sent to two
users.  My limited understanding of the problem points out at least two
hypotheses:

    - we're allocating the same cookie id to two different users, and
      the second user's cookie overwrites the first one's. I can't see
      how this can happen, however, because cookie is primary key for
      logincookies, and the field is autoincrementing.

    - the second user is receiving a cached Set-Cookie value.
      Specifically where this caching is happening is up for grabs, and
      I can't really speculate on this.

> Curiously, this issue is not found at all inside our intranet, where
> 300+ users have used it for a long time and found it reliable.

Probably because the IP addresses are unique inside the intranet, or
because there is no caching involved.

Take care,
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 261 2331
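The question above ("how many lines in logincookies correspond to those IP addresses?") is easy to answer with a couple of GROUP BY queries over the logincookies table. The script below is an added example, not code from this thread or from Bugzilla: it builds an in-memory SQLite copy of the table from constructed rows and runs the queries a reporter could run against the real database to count rows and distinct users per IP, list the IPs shared between users (the proxy candidates), and list which users sit behind a given proxy. The column names (cookie, userid, ipaddr, lastused) are an assumption about the Bugzilla schema of that era; adjust them to match the real table.

```python
import sqlite3

# Constructed sample of the logincookies table (not real data). The column
# names (cookie, userid, ipaddr, lastused) are an assumption about the schema.
SAMPLE_ROWS = [
    (101, 1, "10.1.1.20",    "2003-11-20 09:00:00"),  # intranet user, own IP
    (102, 2, "10.1.1.21",    "2003-11-20 09:05:00"),  # intranet user, own IP
    (103, 3, "203.0.113.10", "2003-11-20 09:10:00"),  # external, via proxy A
    (104, 4, "203.0.113.10", "2003-11-20 09:12:00"),  # external, via proxy A
    (105, 5, "203.0.113.10", "2003-11-20 09:15:00"),  # external, via proxy A
    (106, 6, "203.0.113.11", "2003-11-20 09:20:00"),  # external, via proxy B
    (107, 7, "203.0.113.11", "2003-11-20 09:22:00"),  # external, via proxy B
    (108, 8, "203.0.113.12", "2003-11-20 09:30:00"),  # external, own IP
    (109, 3, "203.0.113.10", "2003-11-20 10:00:00"),  # user 3, second login via A
]


def load_logincookies(rows=SAMPLE_ROWS):
    """Build an in-memory table shaped like logincookies and fill it.

    cookie is the primary key, so the table itself can never hold the same
    cookie id twice: a collision shows up in behaviour, not in this table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logincookies ("
        "cookie INTEGER PRIMARY KEY, userid INTEGER NOT NULL, "
        "ipaddr TEXT NOT NULL, lastused TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO logincookies VALUES (?, ?, ?, ?)", rows)
    return conn


def rows_and_users_per_ip(conn):
    """Map each ipaddr to (number of rows, number of distinct users)."""
    sql = (
        "SELECT ipaddr, COUNT(*) AS n_rows, COUNT(DISTINCT userid) AS n_users "
        "FROM logincookies GROUP BY ipaddr ORDER BY n_users DESC, ipaddr"
    )
    return {ip: (n_rows, n_users) for ip, n_rows, n_users in conn.execute(sql)}


def shared_ips(conn, min_users=2):
    """IPs that at least min_users distinct users log in from: proxy candidates."""
    sql = (
        "SELECT ipaddr FROM logincookies GROUP BY ipaddr "
        "HAVING COUNT(DISTINCT userid) >= ? ORDER BY ipaddr"
    )
    return [ip for (ip,) in conn.execute(sql, (min_users,))]


def users_behind_ip(conn, ipaddr):
    """Sorted list of distinct userids whose cookies were issued to ipaddr."""
    sql = "SELECT DISTINCT userid FROM logincookies WHERE ipaddr = ? ORDER BY userid"
    return [uid for (uid,) in conn.execute(sql, (ipaddr,))]


if __name__ == "__main__":
    db = load_logincookies()
    for ip, (n_rows, n_users) in rows_and_users_per_ip(db).items():
        print(f"{ip:15} rows={n_rows} users={n_users}")
    for ip in shared_ips(db):
        print(f"shared: {ip} -> users {users_behind_ip(db, ip)}")
```

The same three SELECT statements can be pasted into the MySQL client against the production table. Note what the table cannot tell you: because cookie is the primary key, two browsers presenting the same cookie value leave only one row, so if the shared IPs turn out to be proxies, the next thing to check is whether those proxies cache responses that carry a Set-Cookie header (the second hypothesis above), for example by confirming that login responses go out with a Cache-Control header that forbids shared caching.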