Cookies problem

Vijayan.R.A.Reddy vijayan.reddy at tavant.com
Thu Nov 20 13:49:58 UTC 2003


Please find my responses interspersed.

On Thu, 2003-11-20 at 19:09, Christian Robottom Reis wrote:
> On Thu, Nov 20, 2003 at 06:26:20PM +0530, Vijayan.R.A.Reddy wrote:
> > * Bugzilla is installed in a local intranet site
> > * It is exposed to customers through an external IP address
> > * External IP address is blocked for internal employees and external
> > 	customers can not see our intranet bugzilla address
> >   (Though both are seeing the same single instance).
> > 
> > Now, when a customer files a bug, the bug is filed as another user.
> > Suddenly, this user sees "Logout <SomeOneelse>'s id" on his footer bar,
> > and some of the products are hidden for him as <SomeOneelse> is not
> > authorised to see them.
> 
> What version of Bugzilla are you running?

2.16.3

> Can you tell me if the user sees the correct ID *before* submitting the
> bug, or is it wrong from the start (i.e., when he enters his password,
> his ID is already incorrect)?

I fear these users don't log off often, so the typical usage scenario is,
customer opens the browser, types in the URL, then goes on to file a
bug, so when he says commit, it goes in someone else's name.

No, the users don't share machines, nor do they share NT/Windows login
accounts, they don't use dumb terminals, and they are behind a proxy.

> > Clearing cookies/deleting offline contents does NOT help (We suspect
> > they are coming through proxy servers).
> 
> This is what confuses me. As far as I can see, the user's login cookie
> will be sent by his user agent, and I can't see how a proxy would return
> a request (which carries the cookie) to the wrong user -- proxies don't
> cache Cookie values, and shouldn't cache Set-Cookie headers either.
> 
> > An analysis of "logincookies" table shows that many users are coming in
> > through only 3 IP addresses, and as they all have one machine each (no
> > sharing), obviously the addresses are that of proxy servers. In cases,
> > the same IP is shared between two users.
> 
> How many lines in logincookies correspond to those IP addresses?

About 70, for 3 users, and yesterday, we deleted all contents in
logincookies table for these three users.

When a single user logged in (we were monitoring), it generated 3 rows
in the logincookies table.

> Each user should have a specific integer login cookie, and they should
> be dealt out sequentially (at least till bug 119524 is fixed). What you
> seem to be reporting is a collision -- the same logincookie sent to two
> users.  My limited understanding of the problem points out at least two
> hypotheses:

No. The cookie IDs in the logincookies table are all unique. No
collision here.

>     - we're allocating the same cookie id to two different users, and
>       the second user's cookie overwrites the first one's. I can't see
>       how this can happen, however, because cookie is primary key for
>       logincookies, and the field is autoincrementing.
> 
>     - the second user is receiving a cached Set-Cookie value.
>       Specifically where this caching is happening is up for grabs, and
>       I can't really speculate on this.

Yes, this is what we speculated too.

Thanks,
Vijayan.

> > Curiously, this issue is not found at all inside our intranet, where
> > 300+ users have used it for a long time and found it reliable.
> 
> Probably because the IP addresses are unique inside the intranet, or
> because there is no caching involved.
> 
> Take care,
> --
> Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 261 2331
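The second hypothesis above (a shared proxy handing a cached Set-Cookie response to a different user) can be checked from the server side by looking at the headers the login response carries. The following is an added example, not code from the thread or from Bugzilla: it parses a raw HTTP response and reports whether a shared cache is permitted to store it while it also sets a cookie. The two sample responses and the cookie values in them are constructed for this example. Note the caveat that old HTTP/1.0 proxies ignore Cache-Control entirely and only honour Pragma: no-cache and Expires, which is why the hardened sample sets all three.

```python
"""Detect login responses that a shared (proxy) cache may store and replay.

A response that carries Set-Cookie and lacks "Cache-Control: private" or
"no-store" may be cached by an intermediary and served to the next client
asking for the same URL, so that client inherits someone else's session.
"""

# Constructed sample: a login response that sets session cookies but gives a
# shared cache no instruction not to store it.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: Bugzilla_login=user%40example.com; path=/\r\n"
    b"Set-Cookie: Bugzilla_logincookie=4711; path=/\r\n"
    b"\r\n"
    b"<html>Logged in</html>"
)

# Constructed sample: the same response with caching forbidden for HTTP/1.1
# caches (Cache-Control) and for HTTP/1.0 caches (Pragma, Expires in the past).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: private, no-store, no-cache, must-revalidate\r\n"
    b"Pragma: no-cache\r\n"
    b"Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    b"Set-Cookie: Bugzilla_login=user%40example.com; path=/\r\n"
    b"Set-Cookie: Bugzilla_logincookie=4712; path=/\r\n"
    b"\r\n"
    b"<html>Logged in</html>"
)


def parse_response(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP response into (status code, lower-cased header map).

    Header names are folded to lower case; repeated headers such as
    Set-Cookie are kept as a list of values.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def shared_cache_may_store(headers: dict[str, list[str]]) -> bool:
    """Return True if a shared cache is allowed to store this response.

    Simplified reading of the HTTP caching rules: "no-store" or "private"
    in Cache-Control, "Vary: *", or "Pragma: no-cache" (the HTTP/1.0 form)
    all forbid storage by a shared cache. Anything else may be stored,
    possibly with a heuristic freshness lifetime even without Expires.
    """
    directives = set()
    for value in headers.get("cache-control", []):
        for directive in value.split(","):
            directives.add(directive.strip().split("=")[0].lower())
    if directives & {"no-store", "private"}:
        return False
    if any(v.strip() == "*" for v in headers.get("vary", [])):
        return False
    if any(v.strip().lower() == "no-cache" for v in headers.get("pragma", [])):
        return False
    return True


def cookie_leak_risk(raw: bytes) -> dict[str, bool]:
    """Report whether a response both sets a cookie and may be cached for others."""
    _status, headers = parse_response(raw)
    sets_cookie = "set-cookie" in headers
    cacheable = shared_cache_may_store(headers)
    return {
        "sets_cookie": sets_cookie,
        "shared_cache_may_store": cacheable,
        "at_risk": sets_cookie and cacheable,
    }


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, cookie_leak_risk(sample))
```

Running the check against captured responses from the externally exposed host (rather than the intranet one, where the thread reports no problem) shows whether the login page is even eligible for caching; if it is, adding the headers from the hardened sample is the server-side fix, independent of how the proxy in between is configured.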
