Re: Mistaken identity problem with cookie

2002-02-15 Thread Mithun Bhattacharya

Dzuy Nguyen wrote:



> I have been getting many reports from our users that they have been 
> mistakenly identified as someone else.
> I have tried to login as that user and just can't re-create the problem 
> and I can't be at their computer to
> diagnose it.  One thing I'm pretty sure about is that they must have 
> gotten someone else's cookie.  Another



Probably your ISP is using one of those buggy Cisco cache servers. I am 
unfortunate enough to have faced this problem with one of the largest ISPs 
in India which believes that if I don't send an expiry header it is static 
!! The only way around it is setting a $r->no_cache(1) for every HTML 
page. Even then it will take 2-3 days to see whether it worked or not.

http://www.geocrawler.com/mail/thread.php3?subject=%5BLIH%5D+VSNL%27s+transparent+proxy&list=11286

http://www.geocrawler.com/mail/msg.php3?msg_id=7678747&list=11286



Mithun




Re: Mistaken identity problem with cookie

2002-02-15 Thread Ask Bjoern Hansen

On Fri, 15 Feb 2002, Rob Nagler wrote:

> > small operations.  I'm pretty convinced that the problem is on their
> > end.  My theory is that these proxies may have cached the cookie
> > with an IP address which they provide their clients.
> 
> Have you tried capturing all ethernet packets and seeing if the raw
> data supports this conclusion?  Check out:
> 
> http://www.ethereal.com/

Much easier is to just use Apache::DumpHeaders.

I usually have stuff that suspects a "weird" transaction log it with 
DumpHeaders. Make a nice trail to investigate for patterns or 
whatevers.

http://search.cpan.org/search?dist=Apache-DumpHeaders


 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/ !try; do();
more than a billion impressions per week, http://valueclick.com




Re: Mistaken identity problem with cookie

2002-02-15 Thread Dzuy Nguyen





Perrin Harkins wrote:

> > 2. I don't think it's a global variable issue.  Basically, I just grab
> > the cookie by $r->header_in('Cookie') and decrypt it.
>
> It's what you do after that that matters.

All it does is get the user login info and displays it.  The variable is
local to the short script.

> > Besides, if it's global then the "mistaken" ID's should be from
> > anywhere randomly.
>
> True, but random may not always look random.

What I meant was it would have happened to any user from any other ISP or
domain.  In all cases, the mistaken ID's originate from the same ISP
([EMAIL PROTECTED] appears as [EMAIL PROTECTED], [EMAIL PROTECTED]
appears as [EMAIL PROTECTED] and so on).

> > There is this nagging fact that the parties involved are from the same
> > ISP's i.e. user A1 and A2 are from foo.com, user B1 and B2 are from
> > bar.com, etc.
>
> You aren't using IP or domain as part of your ID generation, are you?
> That would be bad.

No, just straight encrypt($user_id) as the value of the cookie and
decrypt($cookie_str).

> - Perrin


Re: Mistaken identity problem with cookie

2002-02-15 Thread Rob Nagler

> small operations.  I'm pretty convinced that the problem is on their
> end.  My theory is that these proxies may have cached the cookie
> with an IP address which they provide their clients.

Have you tried capturing all ethernet packets and seeing if the raw
data supports this conclusion?  Check out:

http://www.ethereal.com/

We have found that it is the bigger ISPs which have faulty caches.
Usually it is a DNS problem, not an HTTP caching problem.

Another trick is throwing a time stamp in every cookie.  This is
useful for other reasons, e.g. cookie expiration and validation.

Cheers,
Rob
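
The time stamp idea from the message above, as an added example that is not code from the thread or from any poster: the cookie carries the user id and its issue time, and the server rejects values that are stale, malformed or altered. It uses an HMAC from the core Digest::SHA module in place of the original poster's encrypt()/decrypt(), which the thread does not show; `make_cookie`, `check_cookie`, `$SECRET` and `$MAX_AGE` are hypothetical names and values.

```perl
#!/usr/bin/perl
# Added example: timestamped, MAC-protected login cookie (not the poster's code).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-key';   # assumption: server-side secret
my $MAX_AGE = 3600;                     # assumption: one hour lifetime

# Build "user_id:issued_at:mac"; the MAC covers both fields.
sub make_cookie {
    my ($user_id, $now) = @_;
    my $body = join ':', $user_id, $now;
    return join ':', $body, hmac_sha256_hex($body, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (user_id, undef) on success or (undef, reason) on rejection.
sub check_cookie {
    my ($cookie, $now) = @_;
    my ($user_id, $issued, $mac) = $cookie =~ /\A(\d+):(\d+):([0-9a-f]{64})\z/
        or return (undef, 'malformed');
    const_eq($mac, hmac_sha256_hex("$user_id:$issued", $SECRET))
        or return (undef, 'bad mac');
    return (undef, 'issued in the future') if $issued > $now + 60;
    return (undef, 'expired')              if $now - $issued > $MAX_AGE;
    return ($user_id, undef);
}

# Constructed sample values: user 42, issued 2002-02-15 00:00:00 UTC.
my $t0     = 1013731200;
my $cookie = make_cookie(42, $t0);
(my $forged = $cookie) =~ s/\A42:/43:/;   # user id changed, MAC left as it was
for my $case (
    [ 'fresh',    $cookie, $t0 + 300 ],
    [ 'stale',    $cookie, $t0 + 3 * 86400 ],   # same value seen three days later
    [ 'tampered', $forged, $t0 + 300 ],
) {
    my ($label, $value, $now) = @$case;
    my ($uid, $why) = check_cookie($value, $now);
    printf "%-8s -> %s\n", $label, defined $uid ? "user $uid" : "rejected ($why)";
}
```

The issue time bounds how long a copied or cached cookie value stays usable; it does not tell one client from another inside that window.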



Re: Mistaken identity problem with cookie

2002-02-15 Thread Perrin Harkins

> 2. I don't think it's a global variable issue.  Basically, I just grab
> the cookie by $r->header_in('Cookie')
> and decrypt it.

It's what you do after that that matters.

> Besides, if it's global then the "mistaken" ID's should
> be from anywhere randomly.

True, but random may not always look random.

> There is this nagging fact that the parties involved are from the same
> ISP's i.e. user A1 and A2 are
> from foo.com, user B1 and B2 are from bar.com, etc.

You aren't using IP or domain as part of your ID generation, are you?  That
would be bad.

- Perrin




Re: Mistaken identity problem with cookie

2002-02-15 Thread Dzuy Nguyen



Perrin Harkins wrote:

> > I have a mysterious "mistaken identity" problem that I have not been
> > able to solve.
>
> There are two common sources of this problem.  One is an ID generation
> system that is not unique enough.  Another is a bug in your code with
> globals (see the section of the Guide about debugging with httpd -X).
>
> You could be having problems with a proxy on their end, but most proxies are
> smart about this stuff.
>
> - Perrin

I've debugged the problem and I don't think these are the reasons.

1. I've compared the ID's of the mistaken identity parties involved and
they're not the same.
2. I don't think it's a global variable issue.  Basically, I just grab the
cookie by $r->header_in('Cookie') and decrypt it.  Besides, if it's global
then the "mistaken" ID's should be from anywhere randomly.

There is this nagging fact that the parties involved are from the same ISP's
i.e. user A1 and A2 are from foo.com, user B1 and B2 are from bar.com, etc.
These ISP's are small operations.  I'm pretty convinced that the problem is
on their end.  My theory is that these proxies may have cached the cookie
with an IP address which they provide their clients.

Dzuy




Re: Mistaken identity problem with cookie (fwd)

2002-02-15 Thread Rafiq Ismail (ADMIN)

Although all your cookies will probably be going to the same proxy for
those requests from the same ISP, the TCP/IP session will remain the same
and it is most likely that you'll still be connected to the same IP which
made the initial proxy connection.  My thought is possibly that you're
misusing global variables here, or that you have name space issues?

Thus the variable which you are setting your cookie value with may not be
correctly reset.

Just a thought.

Fiq










Re: Mistaken identity problem with cookie

2002-02-15 Thread Perrin Harkins

> I have a mysterious "mistaken identity" problem that I have not been
> able to solve.

There are two common sources of this problem.  One is an ID generation
system that is not unique enough.  Another is a bug in your code with
globals (see the section of the Guide about debugging with httpd -X).

You could be having problems with a proxy on their end, but most proxies are
smart about this stuff.

- Perrin