
YACS CMS : Open source !


Comment: Logged in status error?

Timster: Actually, YACS has several features aiming to protect session data:
  • the session id is changed to stop some cookie attacks (shared/global.php)
  • session data is killed after one hour of inactivity (shared/global.php)
  • workstation IP address is recorded and checked to prevent cookie spoofing (shared/surfer.php)
  • YACS instance is recorded and checked to prevent cross-impersonation (shared/surfer.php)


These features were introduced in February while I was working on adding a demonstration instance of YACS to this server.

Because of all these protections, I think that the issue you have described is related to invalid behavior of cache/proxy servers between workstations and the YACS server.

A possible explanation of the symptom you have described is that some cache/proxy server unduly caches pages fetched by you, and serves these pages to anonymous surfers afterwards.

Therefore, I would recommend that you change the configuration of your server and disable cache.

Performance will be degraded, of course, but at least all requests would be transmitted to the origin server itself, and the issue you have experienced should not happen anymore.

Also, while YACS strictly implements HTTP protocol specifications, I suspect that some cache/proxy appliances do not. Let me dig into Google to find if we could find some workaround to benefit from cache speed while preserving security.

To summarize on this hot topic:
  • disable cache NOW to secure your server
  • let me revert to you ASAP on additional findings


by Bernard on Mar. 23 2005
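
The four session checks listed in the comment above, sketched as an added PHP example. This is not code from YACS or from the comment's author; every function name, array key, address and URL in it is an assumption constructed for illustration.

```php
<?php
// Added illustration, not YACS code. All names and sample values are constructed.
const IDLE_LIMIT = 3600; // one hour of inactivity

// Record created at login. A live PHP application would also call
// session_regenerate_id(true) here so that a pre-login id is never reused.
function establish_session(string $ip, string $instance, int $now): array
{
    return [
        'id'        => bin2hex(random_bytes(16)), // fresh, unpredictable id
        'ip'        => $ip,                       // workstation address at login
        'instance'  => $instance,                 // which installation issued it
        'last_seen' => $now,                      // caller refreshes this on each accepted request
    ];
}

// Returns null when the session may be used, otherwise the reason to destroy it.
function session_reject_reason(array $s, string $ip, string $instance, int $now): ?string
{
    if (!isset($s['id'], $s['ip'], $s['instance'], $s['last_seen'])) {
        return 'incomplete record';
    }
    if ($now - $s['last_seen'] > IDLE_LIMIT) {
        return 'idle for more than one hour';
    }
    if (!hash_equals($s['ip'], $ip)) {
        return 'address differs from login';
    }
    if (!hash_equals($s['instance'], $instance)) {
        return 'issued by another instance';
    }
    return null;
}

$login   = 1111572000; // constructed timestamp
$session = establish_session('192.0.2.10', 'https://site.example/yacs/', $login);
$cases = [
    'same workstation, 10 minutes later' => ['192.0.2.10', 'https://site.example/yacs/', $login + 600],
    'cookie sent from another address'   => ['198.51.100.7', 'https://site.example/yacs/', $login + 600],
    'cookie sent to a second instance'   => ['192.0.2.10', 'https://site.example/demo/', $login + 600],
    'same workstation, 61 minutes later' => ['192.0.2.10', 'https://site.example/yacs/', $login + 3660],
];
foreach ($cases as $label => [$ip, $instance, $now]) {
    $reason = session_reject_reason($session, $ip, $instance, $now);
    printf("%-36s %s\n", $label, $reason ?? 'accepted');
}
```

Binding a session to one address also ends the session of a legitimate user whose address changes mid-session, for example behind a pool of outbound proxies.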