Cookies problem
Christian Robottom Reis
kiko at async.com.br
Thu Nov 20 13:39:15 UTC 2003
On Thu, Nov 20, 2003 at 06:26:20PM +0530, Vijayan.R.A.Reddy wrote:
> * Bugzilla is installed in a local intranet site
> * It is exposed to customers through an external IP address
> * External IP address is blocked for internal employees and external
> customers can not see our intranet bugzilla address
> (Though both are seeing the same single instance).
>
> Now, when a customer files a bug, the bug is filed as another user.
> Suddenly, this user sees "Logout <SomeOneelse>'s id" on his footer bar,
> and some of the products are hidden for him as <SomeOneelse> is not
> authorised to see them.

What version of Bugzilla are you running?

Can you tell me if the user sees the correct ID *before* submitting the
bug, or is it wrong from the start (i.e., when he enters his password,
his ID is already incorrect)?

> Clearing cookies/deleting offline contents does NOT help (We suspect
> they are coming through proxy servers).

This is what confuses me. As far as I can see, the user's login cookie
will be sent by his user agent, and I can't see how a proxy would return
a request (which carries the cookie) to the wrong user -- proxies don't
cache Cookie values, and shouldn't cache Set-Cookie headers either.

> An analysis of "logincookies" table shows that many users are coming in
> through only 3 IP addresses, and as they all have one machine each (no
> sharing), obviously the addresses are that of proxy servers. In cases,
> the same IP is shared between two users.

How many lines in logincookies correspond to those IP addresses?

Each user should have a specific integer login cookie, and they should
be dealt out sequentially (at least till bug 119524 is fixed). What you
seem to be reporting is a collision -- the same logincookie sent to two
users. My limited understanding of the problem points out at least two
hypotheses:

    - we're allocating the same cookie id to two different users, and
      the second user's cookie overwrites the first one's. I can't see
      how this can happen, however, because cookie is primary key for
      logincookies, and the field is autoincrementing.

    - the second user is receiving a cached Set-Cookie value.
      Specifically where this caching is happening is up for grabs, and
      I can't really speculate on this.

> Curiously, this issue is not found at all inside our intranet, where
> 300+ users have used it for a long time and found it reliable.

Probably because the IP addresses are unique inside the intranet, or
because there is no caching involved.

Take care,
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 261 2331
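
The second hypothesis in the message above (a shared proxy replaying a cached Set-Cookie to another user) can be checked from the server side by inspecting the cache headers on responses that set the login cookie. The Python below is an added example, not part of the original message and not Bugzilla code; the function names and the sample response heads, including the cookie values, are constructed for illustration.

```python
import re

# Matches name, name=value or name="quoted, list" inside a Cache-Control header.
DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')

def parse_fields(raw_head):
    """Return [(lowercased name, value)] for each header line after the status line."""
    pairs = (line.partition(":") for line in raw_head.strip().splitlines()[1:])
    return [(n.strip().lower(), v.strip()) for n, sep, v in pairs if sep]

def cache_control(fields):
    """Map each Cache-Control directive to its argument ('' when it has none)."""
    found = {}
    for name, value in fields:
        if name == "cache-control":
            for m in DIRECTIVE.finditer(value):
                found[m.group(1).lower()] = (m.group(2) or "").strip('"').lower()
    return found

def protects_cookie(directives):
    """True if a shared cache may not replay this response's Set-Cookie to another client."""
    if "no-store" in directives:
        return True
    for name in ("private", "no-cache"):
        arg = directives.get(name)
        # With a field list, the directive covers only the headers it names.
        if arg == "" or (arg and "set-cookie" in [f.strip() for f in arg.split(",")]):
            return True
    return False

def audit(raw_head):
    """Return findings for one response head; an empty list means nothing to report."""
    fields = parse_fields(raw_head)
    directives = cache_control(fields)
    if not any(n == "set-cookie" for n, _ in fields) or protects_cookie(directives):
        return []
    findings = ["Set-Cookie sent without private, no-store or no-cache"]
    if "public" in directives or "s-maxage" in directives:
        findings.append("explicitly marked cacheable by shared caches")
    return findings

# Constructed sample response heads (not captured from any real server).
RISKY = "HTTP/1.1 200 OK\nCache-Control: public, max-age=600\nSet-Cookie: Bugzilla_logincookie=1042; path=/\n"
SAFE = "HTTP/1.1 200 OK\nCache-Control: private\nSet-Cookie: Bugzilla_logincookie=1043; path=/\n"
PARTIAL = 'HTTP/1.1 200 OK\nCache-Control: no-cache="x-debug"\nSet-Cookie: Bugzilla_logincookie=1044; path=/\n'

if __name__ == "__main__":
    for label, head in (("risky", RISKY), ("safe", SAFE), ("partial", PARTIAL)):
        print(label, audit(head))
```

The check covers Cache-Control only; an HTTP/1.0-only proxy ignores that header, so a clean result here does not rule out caching by such a proxy.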