Posted to modperl@perl.apache.org by Dzuy Nguyen <dz...@infinity-studios.com> on 2002/02/15 16:36:21 UTC
Mistaken identity problem with cookie
Hi all,
I have a mysterious "mistaken identity" problem that I have not been able to solve. Perhaps someone can shed some light on this.

I authenticate users using Apache::AuthCookieDBI. If anyone is familiar with the Apache::AuthCookie* modules, you'd know that the cookie normally contains the user's login info (encrypted). When the cookie is passed back to the server, it is decrypted and the user is identified.

I have been getting many reports from our users that they have been mistakenly identified as someone else. I have tried to log in as that user and just can't re-create the problem, and I can't be at their computer to diagnose it. One thing I'm pretty sure about is that they must have gotten someone else's cookie. Another common thing that I observed is that all the mistaken identity cases have come from the same domain, which leads me to believe that it's possible that the proxy on the browser's end may have distributed the cookies wrongly.

Has anyone seen this problem? Is there a way to confirm or prevent this? Thanks.
Dzuy
Re: Mistaken identity problem with cookie
Posted by Mithun Bhattacharya <mi...@egurucool.com>.
Dzuy Nguyen wrote:
> I have been getting many reports from our users that they have been
> mistakenly identified as someone else.
> I have tried to log in as that user and just can't re-create the problem
> and I can't be at their computer to diagnose it. One thing I'm pretty sure
> about is that they must have gotten someone else's cookie. Another
Probably your ISP is using one of those buggy Cisco cache servers. I am
unfortunate enough to have faced this problem with one of the largest ISPs
in India, which believes that if I don't send an expiry header it is static!
The only way around it is setting $r->no_cache(1) for every HTML
page. Even then it will take 2-3 days to see whether it worked or not.
http://www.geocrawler.com/mail/thread.php3?subject=%5BLIH%5D+VSNL%27s+transparent+proxy&list=11286
http://www.geocrawler.com/mail/msg.php3?msg_id=7678747&list=11286
Mithun
Re: Mistaken identity problem with cookie
Posted by Dzuy Nguyen <dz...@infinity-studios.com>.
Perrin Harkins wrote:
>> 2. I don't think it's a global variable issue. Basically, I just grab
>> the cookie by $r->header_in('Cookie') and decrypt it.
>
> It's what you do after that that matters.

All it does is get the user login info and display it. The variable is local to the short script.

>> Besides, if it's global then the "mistaken" IDs should
>> be from anywhere randomly.
>
> True, but random may not always look random.

What I meant was it would have happened to any user from any other ISP or domain. In all cases, the mistaken IDs originate from the same ISP (joe@foo.com appears as bob@foo.com, john@bar.com appears as doe@bar.com and so on).

>> There is this nagging fact that the parties involved are from the same
>> ISPs, i.e. user A1 and A2 are from foo.com, user B1 and B2 are from bar.com, etc.
>
> You aren't using IP or domain as part of your ID generation, are you? That
> would be bad.

No, just straight encrypt($user_id) as the value of the cookie and decrypt($cookie_str).

> - Perrin
Re: Mistaken identity problem with cookie
Posted by Perrin Harkins <pe...@elem.com>.
> 2. I don't think it's a global variable issue. Basically, I just grab
> the cookie by $r->header_in('Cookie') and decrypt it.

It's what you do after that that matters.

> Besides, if it's global then the "mistaken" IDs should
> be from anywhere randomly.

True, but random may not always look random.

> There is this nagging fact that the parties involved are from the same
> ISPs, i.e. user A1 and A2 are from foo.com, user B1 and B2 are from bar.com, etc.

You aren't using IP or domain as part of your ID generation, are you? That
would be bad.

- Perrin
Re: Mistaken identity problem with cookie
Posted by Ask Bjoern Hansen <as...@valueclick.com>.
On Fri, 15 Feb 2002, Rob Nagler wrote:
> > small operations. I'm pretty convinced that the problem is on their
> > end. My theory is that these proxies may have cached the cookie
> > with an IP address which they provide their clients.
>
> Have you tried capturing all ethernet packets and seeing if the raw
> data supports this conclusion? Check out:
>
> http://www.ethereal.com/
Much easier is to just use Apache::DumpHeaders.
I usually have stuff that suspects a "weird" transaction log it with
DumpHeaders. Make a nice trail to investigate for patterns or
whatevers.
http://search.cpan.org/search?dist=Apache-DumpHeaders
- ask
--
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than a billion impressions per week, http://valueclick.com
Re: Mistaken identity problem with cookie
Posted by Rob Nagler <na...@bivio.biz>.
> small operations. I'm pretty convinced that the problem is on their
> end. My theory is that these proxies may have cached the cookie
> with an IP address which they provide their clients.

Have you tried capturing all ethernet packets and seeing if the raw
data supports this conclusion? Check out:

http://www.ethereal.com/
We have found that it is the bigger ISPs which have faulty caches.
Usually it is a DNS problem, not an HTTP caching problem.
Another trick is throwing a time stamp in every cookie. This is
useful for other reasons, e.g. cookie expiration and validation.
Cheers,
Rob
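Rob's suggestion of a timestamp in every cookie, carried one step further as an added example that is not code from this thread or from Apache::AuthCookieDBI. It is written in Python rather than Perl, and besides the issue timestamp it adds an HMAC over the user id and the timestamp (my addition, not something Rob proposed) so the server can reject a tampered or expired cookie and can read, from the issue time of a stray cookie, which login it came from. With a bare encrypt($user_id), every login by the same user yields the same cookie value, so there is no such trail. The demo key, the "|" separator, the one-hour lifetime and the clock-skew allowance are assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key and lifetime; a real deployment loads the key from
# configuration and picks a lifetime that matches its session policy.
SECRET_KEY = b"demo-key-not-for-production"
MAX_AGE_SECONDS = 3600
CLOCK_SKEW_SECONDS = 60   # tolerate slightly fast client or server clocks
SEP = "|"                 # assumed field separator; user ids may not contain it


def _mac(user_id: str, issued_at: int, key: bytes) -> str:
    """HMAC-SHA256 over both fields, so neither can be altered on its own."""
    msg = f"{user_id}{SEP}{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint_cookie(user_id: str, now: int, key: bytes = SECRET_KEY) -> str:
    """Build 'user|issued_at|mac'. Every login gets a distinct cookie because
    the issue time changes, unlike a bare encrypt(user_id)."""
    if SEP in user_id:
        raise ValueError("user id must not contain the separator")
    return f"{user_id}{SEP}{now}{SEP}{_mac(user_id, now, key)}"


def verify_cookie(cookie: str, now: int, key: bytes = SECRET_KEY,
                  max_age: int = MAX_AGE_SECONDS) -> Tuple[Optional[str], str]:
    """Return (user_id, 'ok') for an authentic, fresh cookie, otherwise
    (None, reason). The reason is what you would log while investigating."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None, "malformed"
    user_id, issued_str, mac = parts
    try:
        issued_at = int(issued_str)
    except ValueError:
        return None, "malformed"
    # Check the MAC before trusting either field; constant-time comparison.
    if not hmac.compare_digest(mac, _mac(user_id, issued_at, key)):
        return None, "bad-mac"
    if issued_at > now + CLOCK_SKEW_SECONDS:
        return None, "issued-in-future"
    if now - issued_at > max_age:
        return None, "expired"
    return user_id, "ok"


def issued_at(cookie: str) -> Optional[int]:
    """Extract the issue time without trusting the cookie, e.g. to match a
    cookie that turned up at the wrong browser against your login log."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


if __name__ == "__main__":
    login_time = 1_000_000
    c = mint_cookie("joe@foo.com", login_time)
    print(c)
    print(verify_cookie(c, login_time + 500))        # ('joe@foo.com', 'ok')
    print(verify_cookie(c, login_time + 3601))       # (None, 'expired')
    print(verify_cookie(c.replace("joe", "bob"), login_time + 500))  # bad-mac
```

The reason string is the useful part for a problem like this one: a cookie that verifies cleanly but belongs to a different user than the person at the keyboard was delivered intact to the wrong client, which points away from tampering and toward whatever sits between the browser and the server.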
Re: Mistaken identity problem with cookie
Posted by Dzuy Nguyen <dz...@infinity-studios.com>.
Perrin Harkins wrote:
>> I have a mysterious "mistaken identity" problem that I have not been
>> able to solve.
>
> There are two common sources of this problem. One is an ID generation
> system that is not unique enough. Another is a bug in your code with
> globals (see the section of the Guide about debugging with httpd -X).
>
> You could be having problems with a proxy on their end, but most proxies are
> smart about this stuff.
>
> - Perrin

I've debugged the problem and I don't think these are the reasons.

1. I've compared the IDs of the mistaken identity parties involved and they're not the same.

2. I don't think it's a global variable issue. Basically, I just grab the cookie by $r->header_in('Cookie') and decrypt it. Besides, if it's global then the "mistaken" IDs should be from anywhere randomly.

There is this nagging fact that the parties involved are from the same ISPs, i.e. user A1 and A2 are from foo.com, user B1 and B2 are from bar.com, etc. These ISPs are small operations. I'm pretty convinced that the problem is on their end. My theory is that these proxies may have cached the cookie with an IP address which they provide their clients.
Dzuy
Re: Mistaken identity problem with cookie
Posted by Perrin Harkins <pe...@elem.com>.
> I have a mysterious "mistaken identity" problem that I have not been
> able to solve.
There are two common sources of this problem. One is an ID generation
system that is not unique enough. Another is a bug in your code with
globals (see the section of the Guide about debugging with httpd -X).
You could be having problems with a proxy on their end, but most proxies are
smart about this stuff.
- Perrin
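The globals failure mode Perrin points at, as an added example rather than code from the thread: a Python simulation of one long-lived worker process serving several clients' requests in turn (the role a persistent mod_perl child plays), where a module-level variable holds the last decrypted user and is only overwritten when a usable cookie arrives. A request whose cookie is missing or garbled then inherits the previous request's identity. The decrypt stand-in, the header dicts and the traffic sequence are constructed for the demo; the second handler shows the per-request form that cannot leak.

```python
"""Simulation of a per-process identity leak across requests.

Constructed example, not code from the thread. The 'decryption' is a
stand-in prefix check so the script runs offline; run_worker plays the
role of one persistent server process handling a sequence of requests.
"""
from typing import Dict, List, Optional

Headers = Dict[str, str]


def decrypt(cookie_value: str) -> str:
    """Stand-in for real cookie decryption: 'enc:' followed by the user id."""
    if cookie_value.startswith("enc:"):
        return cookie_value[len("enc:"):]
    raise ValueError("undecryptable cookie")


# Module-level state survives between requests in a persistent interpreter,
# exactly as a global (or a closed-over variable) does in a mod_perl child.
_cached_user: Optional[str] = None


def reset_worker() -> None:
    """Start the simulated worker with no remembered identity."""
    global _cached_user
    _cached_user = None


def identify_buggy(headers: Headers) -> Optional[str]:
    """Looks the user up from the Cookie header, but only overwrites the
    remembered identity when a usable cookie arrives. Anything else returns
    whatever the previous request left behind."""
    global _cached_user
    cookie = headers.get("Cookie")
    if cookie:
        try:
            _cached_user = decrypt(cookie)
        except ValueError:
            pass                      # keeps the stale value
    return _cached_user


def identify_fixed(headers: Headers) -> Optional[str]:
    """Derives the identity from this request alone; nothing outlives the call."""
    cookie = headers.get("Cookie")
    if not cookie:
        return None
    try:
        return decrypt(cookie)
    except ValueError:
        return None


def run_worker(handler, requests: List[Headers]) -> List[Optional[str]]:
    """Serve the request sequence on one fresh worker and return the
    identity each request was given."""
    reset_worker()
    return [handler(req) for req in requests]


# Constructed traffic: two users behind the same proxy, then two requests
# whose cookie did not survive the trip (absent, then garbled).
TRAFFIC: List[Headers] = [
    {"Cookie": "enc:joe@foo.com"},
    {"Cookie": "enc:bob@foo.com"},
    {},                               # no Cookie header at all
    {"Cookie": "garbage"},            # present but undecryptable
]


if __name__ == "__main__":
    print("buggy:", run_worker(identify_buggy, TRAFFIC))
    print("fixed:", run_worker(identify_fixed, TRAFFIC))
```

A leak of this shape need not look random: a keep-alive connection is served by a single Apache child, so requests funnelled through one ISP proxy tend to land on the same worker and would be misidentified as each other rather than as users elsewhere. Running the server with httpd -X, as the Guide section Perrin cites describes, forces every request through one process and makes the leak reproducible from a single browser.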