[AC-164] ACS mixed credentials (I suppose it is the same in ArrowDB)
GitHub Issue | n/a |
---|---|
Type | Bug |
Priority | n/a |
Status | Resolved |
Resolution | Needs more info |
Resolution Date | 2015-11-05T11:43:30.000+0000 |
Affected Version/s | n/a |
Fix Version/s | n/a |
Components | n/a |
Labels | node.acs |
Reporter | Manuel Conde Vendrell |
Assignee | Mostafizur Rahman |
Created | 2015-06-15T12:03:23.000+0000 |
Updated | 2015-11-21T19:35:53.000+0000 |
Description
This is a strange behaviour I noticed today. When you log in from two different browsers (so different cookies), the last logged-in user is the current user in the Node.ACS app (that is OK), but the session objects don't reflect that.
You can reproduce it by following these steps (you need a Node.ACS app with at least 2 users):
1. Open one browser (e.g. Chrome)
2. Log in to your Node.ACS app as a valid user1 of your app
3. Open a different browser (e.g. Firefox)
4. Log in as a different valid user2 of your app
Now in Chrome, all actions performed by user1 are attributed to user2, e.g. saving a new object (the user_id owner will be user2 instead of user1), but the req.session values stored in your app are still those of user1. If user1 has more "permissions" (in a custom level-based permission system, for example) this allows user2 to perform actions as user1.
Expected: either the session must be invalidated for user1, or objects saved in Chrome with user1's session must be owned by user1.
If you need more info I can help.
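The cross-browser mix-up described in the steps above, modelled as an added example (not Node.ACS or ArrowDB code; `acsClient`, `sessions` and the handler names are hypothetical): a process-wide "current user" overwritten by the last login, beside a handler that takes the identity from the caller's own session and a check that flags the mismatch.

```javascript
// Added illustration of the mixed-credentials bug; not Node.ACS/ArrowDB code.
// acsClient, sessions and the handlers below are hypothetical stand-ins.

// Simulated SDK client holding ONE process-wide "current user" that is set by
// whichever login happened last: the shared state behind the report.
const acsClient = {
  currentUser: null,
  login(username) { this.currentUser = username; },
  // Saves on behalf of whoever the client last logged in as (buggy path).
  createObject(data) { return { ...data, user_id: this.currentUser }; },
  // Saves on behalf of an explicitly supplied caller (fixed path).
  createObjectAs(username, data) { return { ...data, user_id: username }; },
};

// Per-browser state keyed by session cookie (Chrome vs Firefox in the report).
const sessions = new Map();

function handleLogin(sessionId, username) {
  acsClient.login(username);                 // overwrites the global user
  sessions.set(sessionId, { username });     // per-cookie session data
}

// Buggy handler: ownership comes from the SDK's global user, which reflects
// the LAST login on the server, not the browser making this request.
function handleCreateBuggy(sessionId, data) {
  const session = sessions.get(sessionId);
  const saved = acsClient.createObject(data);
  return { sessionUser: session.username, owner: saved.user_id };
}

// Fixed handler: the identity for the write is the caller's own session user,
// so a login in another browser cannot change who owns this object.
function handleCreateFixed(sessionId, data) {
  const session = sessions.get(sessionId);
  const saved = acsClient.createObjectAs(session.username, data);
  return { sessionUser: session.username, owner: saved.user_id };
}

// Detection: an owner that differs from the session's user is exactly the
// symptom in the report; a server can log and reject such a write.
function isMixedCredentials(result) {
  return result.sessionUser !== result.owner;
}

// Replays the report's steps: user1 logs in from Chrome, user2 from Firefox,
// then Chrome (still user1's cookie) saves an object.
function reproduce() {
  sessions.clear();
  handleLogin('chrome-cookie', 'user1');
  handleLogin('firefox-cookie', 'user2');
  return {
    buggy: handleCreateBuggy('chrome-cookie', { title: 'note' }),
    fixed: handleCreateFixed('chrome-cookie', { title: 'note' }),
  };
}
```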
Hello, could you please send us more info? We need a test case and details about your environment. Thanks.
I can't provide a test case because you need to create the users in ACS. Just follow the steps I gave and you will see the problem. I don't know if the problem also happens in ArrowDB, but since it is the former ACS, it probably does. Anyway, this problem only occurs on the same machine with 2 different browsers, so it is a very uncommon edge case.