I have a Rails application with an authentication system using Restful Authentication without any modification.
Users have reported finding themselves logged in as the wrong user. In at least one case it was on their very first page view, never having logged in before.
Is it possible their session ids are getting mixed up? Would switching to CookieStore make it impossible for this to happen, since no session data is stored on the server this way? I suspect the problem is related to Passenger but I don't know where to start debugging this. It's only happened about 4 times in several months of being live, so it's virtually impossible to reproduce.
Environment: ActiveRecord session storage, Rails 2.2.2, Passenger 2.0.1, Apache 2, Ruby 1.8.6
Many thanks
If you use client-side session storage (the default for newer Rails versions), it may be a mistake in the application and not a stolen session (or something like that). Make sure that you know which session storage you use and how it works.
I'm seeing this too... you might be interested in the thread here: Users take sessions of other users when sessions are stored in memcached (Rails)
My current thinking is that this is actually related to Passenger; that seems to be the common component between what you're seeing, what I'm seeing, and what the other post reports (we're all using different session stores and Rails versions).
I once experienced a similar problem and the cause turned out to be that the user was stored in a class variable instead of an instance variable. Say for instance that you authenticate/store your user like this:

```ruby
def current_user
  # Memoized on the User class: shared by every request in this process
  User.current ||= ( login_from_session || login_by_password )
end
```

In this case the user will be stored in the class and not the instance, so the first user who logs in will be stored in the class and that will be passed over to the next user's session as well. To solve it, this was changed to

```ruby
def current_user
  # Memoized on the controller instance: discarded with the request
  @current_user ||= ( login_from_session || login_by_password )
end
```

This is of course only one of many possibilities, but I would start my troubleshooting by writing both the user_id from the session and the user variable you use to the log to see if there are any differences.
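The leak described in the answer above, reproduced as an added example (this is not code from the question, the answer, or Restful Authentication). It simulates one long-lived application process, as a reused Passenger worker would be, handling three requests in turn: one carrying alice's session, one carrying bob's, and one with no session at all, which is the "first page view, never logged in" case from the question. A per-request controller object is created for each, and the user lookup is memoized either on the `User` class or on the controller instance. The `User`, `USERS` and `LeakyController`/`FixedController` names are constructed for the example, and it is written for a modern Ruby rather than the 1.8.6 in the question.

```ruby
# Added example, not from the original post. Constructed stand-in for an
# ActiveRecord user; the class-level `current` accessor assumes a helper
# like the `User.current` used in the buggy current_user above.
User = Struct.new(:id, :login) do
  class << self
    attr_accessor :current
  end
end

# Constructed sample users.
USERS = {
  1 => User.new(1, "alice"),
  2 => User.new(2, "bob"),
}

# One controller instance per request; the session hash is per request.
class LeakyController
  def initialize(session)
    @session = session
  end

  # Buggy: memoized on the class, so it survives across requests handled
  # by this process and is never cleared.
  def current_user
    User.current ||= login_from_session
  end

  def login_from_session
    USERS[@session[:user_id]]
  end
end

class FixedController
  def initialize(session)
    @session = session
  end

  # Fixed: memoized on the instance, which is thrown away with the request.
  def current_user
    @current_user ||= login_from_session
  end

  def login_from_session
    USERS[@session[:user_id]]
  end
end

# Run a sequence of requests through one process and report, per request,
# the login that current_user resolved to (nil when nobody is logged in).
def serve(controller_class, sessions)
  sessions.map do |session|
    user = controller_class.new(session).current_user
    user && user.login
  end
end

# The logging check suggested in the answer: compare the user_id carried in
# the session with the user the controller actually resolved. A mismatch on
# any request is the symptom to look for in production logs.
def mismatches(controller_class, sessions)
  sessions.map do |session|
    user = controller_class.new(session).current_user
    resolved_id = user && user.id
    resolved_id != session[:user_id]
  end
end

# Request 1: alice's session; request 2: bob's session; request 3: no login.
SESSIONS = [{ user_id: 1 }, { user_id: 2 }, {}]

def leaky_result
  User.current = nil # fresh process
  serve(LeakyController, SESSIONS)
end

def fixed_result
  User.current = nil
  serve(FixedController, SESSIONS)
end

def leaky_mismatches
  User.current = nil
  mismatches(LeakyController, SESSIONS)
end

if __FILE__ == $0
  puts "class variable:    #{leaky_result.inspect}"     # ["alice", "alice", "alice"]
  puts "instance variable: #{fixed_result.inspect}"     # ["alice", "bob", nil]
  puts "leaky mismatches:  #{leaky_mismatches.inspect}" # [false, true, true]
end
```

With the class-level memo, bob's request and the anonymous third request both see alice, exactly the wrong-user and never-logged-in reports in the question; with the instance variable each request sees only its own session. The `mismatches` helper is the log comparison the answer recommends, expressed as a boolean per request so it can be asserted on rather than read off a log.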