Posted to modperl@perl.apache.org by Dzuy Nguyen <dz...@infinity-studios.com> on 2002/02/15 16:36:21 UTC

Mistaken identity problem with cookie

Hi all,

I have a mysterious "mistaken identity" problem that I have not been able to solve.  Perhaps someone can shed some light on this.

I authenticate users using Apache::AuthCookieDBI.  If anyone is familiar with the Apache::AuthCookie* modules, you'd know that the cookie normally contains the user's login info (encrypted).  When the cookie is passed back to the server, it is decrypted and the user is identified.

I have been getting many reports from our users that they have been mistakenly identified as someone else.  I have tried to log in as that user and just can't re-create the problem, and I can't be at their computer to diagnose it.  One thing I'm pretty sure about is that they must have gotten someone else's cookie.  Another common thing that I observed is that all the mistaken identity cases have come from the same domain, which leads me to believe that it's possible that the proxy on the browser's end may have distributed the cookies wrongly.

Has anyone seen this problem?  Is there a way to confirm or prevent 
this?  Thanks.

Dzuy


Re: Mistaken identity problem with cookie

Posted by Mithun Bhattacharya <mi...@egurucool.com>.
Dzuy Nguyen wrote:
> I have been getting many reports from our users that they have been 
> mistakenly identified as someone else.
> I have tried to login as that user and just can't re-create the problem 
> and I can't be at their computer to
> diagnose it.  One thing I'm pretty sure about is that they must have 
> gotten someone else's cookie.  Another
Probably your ISP is using one of those buggy Cisco cache servers. I am 
unfortunate enough to have faced this problem with one of the largest ISPs 
in India, which believes that if I don't send an expiry header it is static!! 
The only way around it is setting $r->no_cache(1) for every HTML 
page. Even then it will take 2-3 days to see whether it worked or not.

http://www.geocrawler.com/mail/thread.php3?subject=%5BLIH%5D+VSNL%27s+transparent+proxy&list=11286

http://www.geocrawler.com/mail/msg.php3?msg_id=7678747&list=11286
Mithun


Re: Mistaken identity problem with cookie

Posted by Dzuy Nguyen <dz...@infinity-studios.com>.

Perrin Harkins wrote:

>>2. I don't think it's a global variable issue.  Basically, I just grab
>>the cookie by $r->header_in('Cookie')
>>and decrypt it.
>>
>
>It's what you do after that that matters.
>
All it does is get the user login info and displays it.  The variable is 
local to the short script.

>
>
>>Besides, if it's global then the "mistaken" ID's should
>>be from anywhere randomly.
>>
>
>True, but random may not always look random.
>
What I meant was it would have happened to any user from any other ISP or 
domain.  In all cases, the mistaken ID's originate from the same ISP 
(joe@foo.com appears as bob@foo.com, john@bar.com appears as doe@bar.com, 
and so on).

>
>
>>There is this nagging fact that the parties involved are from the same
>>ISP's i.e. user A1 and A2 are
>>from foo.com, user B1 and B2 are from bar.com, etc.
>>
>
>You aren't using IP or domain as part of your ID generation, are you?  That
>would be bad.
>
No, just straight encrypt($user_id) as the value of the cookie and 
decrypt($cookie_str).

>
>- Perrin
>
>
>


Re: Mistaken identity problem with cookie

Posted by Perrin Harkins <pe...@elem.com>.
> 2. I don't think it's a global variable issue.  Basically, I just grab
> the cookie by $r->header_in('Cookie')
> and decrypt it.

It's what you do after that that matters.

> Besides, if it's global then the "mistaken" ID's should
> be from anywhere randomly.

True, but random may not always look random.

> There is this nagging fact that the parties involved are from the same
> ISP's i.e. user A1 and A2 are
> from foo.com, user B1 and B2 are from bar.com, etc.

You aren't using IP or domain as part of your ID generation, are you?  That
would be bad.

- Perrin


Re: Mistaken identity problem with cookie

Posted by Ask Bjoern Hansen <as...@valueclick.com>.
On Fri, 15 Feb 2002, Rob Nagler wrote:

> > small operations.  I'm pretty convinced that the problem is on their
> > end.  My theory is that these proxies may have cached the cookie
> > with an IP address which they provide their clients.
> 
> Have you tried capturing all ethernet packets and seeing if the raw
> data supports this conclusion?  Check out:
> 
> http://www.ethereal.com/

Much easier is to just use Apache::DumpHeaders.

I usually have stuff that suspects a "weird" transaction log it with 
DumpHeaders. Makes a nice trail to investigate for patterns or 
whatevers.

http://search.cpan.org/search?dist=Apache-DumpHeaders


 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/         !try; do();
more than a billion impressions per week, http://valueclick.com


Re: Mistaken identity problem with cookie

Posted by Rob Nagler <na...@bivio.biz>.
> small operations.  I'm pretty convinced that the problem is on their
> end.  My theory is that these proxies may have cached the cookie
> with an IP address which they provide their clients.

Have you tried capturing all ethernet packets and seeing if the raw
data supports this conclusion?  Check out:

http://www.ethereal.com/

We have found that it is the bigger ISPs which have faulty caches.
Usually it is a DNS problem, not an HTTP caching problem.

Another trick is throwing a time stamp in every cookie.  This is
useful for other reasons, e.g. cookie expiration and validation.

Cheers,
Rob
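As an added illustration, not code from this thread or from Apache::AuthCookieDBI, here is a stand-alone Perl sketch of the timestamped cookie Rob suggests, combined with a MAC so a stale or altered cookie is rejected with a loggable reason instead of silently identifying the wrong user. The secret, the 8-hour window, the timestamps and the user names are constructed assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed values for this example; a real deployment loads the secret from
# configuration.  Cookies issued more than $MAX_AGE seconds ago are rejected.
my $SECRET  = 'constructed-example-secret';
my $MAX_AGE = 8 * 3600;

# Cookie value is "user:issued_at:mac".  The MAC covers "user:issued_at", so
# neither the login nor the timestamp can be changed without detection.
sub make_cookie {
    my ($user, $now) = @_;
    my $payload = join ':', $user, $now;
    return join ':', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so MAC checking leaks no timing information.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (user, 'ok') or (undef, reason).  Logging the reason with the remote
# address gives the kind of trail Ask describes for spotting odd transactions.
sub check_cookie {
    my ($value, $now) = @_;
    my ($user, $issued, $mac) = split /:/, $value, 3;
    return (undef, 'malformed') unless defined $mac && $issued =~ /^\d+\z/;
    return (undef, 'bad_mac')   unless ct_eq($mac, hmac_sha256_hex("$user:$issued", $SECRET));
    return (undef, 'expired')   if $now - $issued > $MAX_AGE;
    return ($user, 'ok');
}

# In a mod_perl 1 handler the value would be sent with the anti-caching flag
# Mithun mentions, $r->no_cache(1), via $r->header_out('Set-Cookie' => ...),
# and read back from $r->header_in('Cookie').  Stand-alone demonstration:
my $t0     = 1_013_790_981;    # constructed timestamp, 2002-02-15
my $cookie = make_cookie('joe@foo.com', $t0);
for my $case (
    [ 'fresh, intact'      => $cookie, $t0 + 60 ],
    [ 'user field altered' => 'bob@foo.com' . substr($cookie, length 'joe@foo.com'), $t0 + 60 ],
    [ 'a day old (stale)'  => $cookie, $t0 + 86_400 ],
) {
    my ($label, $value, $now) = @$case;
    my ($user, $why) = check_cookie($value, $now);
    printf "%-20s -> %s%s\n", $label, $why, defined $user ? " ($user)" : '';
}
```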

Re: Mistaken identity problem with cookie

Posted by Dzuy Nguyen <dz...@infinity-studios.com>.
Perrin Harkins wrote:

>>I have a mysterious "mistaken identity" problem that I have not been
>>able to solve.
>>
>
>There are two common sources of this problem.  One is an ID generation
>system that is not unique enough.  Another is a bug in your code with
>globals (see the section of the Guide about debugging with httpd -X).
>
>You could be having problems with a proxy on their end, but most proxies are
>smart about this stuff.
>
>- Perrin
>
>
>
I've debugged the problem and I don't think these are the reasons.  

1. I've compared the ID's of the mistaken identity parties involved and 
they're not the same.
2. I don't think it's a global variable issue.  Basically, I just grab 
the cookie by $r->header_in('Cookie') and decrypt it.  Besides, if it's 
global then the "mistaken" ID's should be from anywhere randomly.
There is this nagging fact that the parties involved are from the same 
ISP's, i.e. user A1 and A2 are from foo.com, user B1 and B2 are from 
bar.com, etc.  These ISP's are small operations.  I'm pretty convinced 
that the problem is on their end.  My theory is that these proxies may 
have cached the cookie with an IP address which they provide their clients.

Dzuy

Re: Mistaken identity problem with cookie

Posted by Perrin Harkins <pe...@elem.com>.
> I have a mysterious "mistaken identity" problem that I have not been
> able to solve.

There are two common sources of this problem.  One is an ID generation
system that is not unique enough.  Another is a bug in your code with
globals (see the section of the Guide about debugging with httpd -X).

You could be having problems with a proxy on their end, but most proxies are
smart about this stuff.

- Perrin