Titanium JIRA Archive
Appcelerator Community (AC)

[AC-164] ACS mixed credentials (I suppose it is the same in ArrowDB)

GitHub Issue: n/a
Type: Bug
Priority: n/a
Status: Resolved
Resolution: Needs more info
Resolution Date: 2015-11-05T11:43:30.000+0000
Affected Version/s: n/a
Fix Version/s: n/a
Components: n/a
Labels: node.acs
Reporter: Manuel Conde Vendrell
Assignee: Mostafizur Rahman
Created: 2015-06-15T12:03:23.000+0000
Updated: 2015-11-21T19:35:53.000+0000

Description

This is a strange behaviour I noticed today. When you log in from two different browsers (so with different cookies), the last logged-in user becomes the current user in the Node.ACS app (that is ok), but the session objects don't reflect that. You can reproduce it by following these steps (you need a Node.ACS app with at least 2 users):

  1. Open one browser (e.g. Chrome).
  2. Log in to your Node.ACS app as a valid user1 of your app.
  3. Open a different browser (e.g. Firefox).
  4. Log in as a different valid user2 of your app.

Now in Chrome, all actions performed by user1 are owned by user2, e.g., saving a new object (the user_id owner will be user2 instead of user1), but the req.session values stored in your app are still those of user1. If user1 has more "permissions" (in your own permission system based on levels, for example), this allows user2 to perform actions as user1. Expected: either the session for user1 must be invalidated, or objects saved in Chrome with user1's session must be owned by user1. If you need more info I can help.
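
The mismatch described above, modelled as an added example (constructed Node.js code, not Node.ACS or ArrowDB code): a backend client that keeps one process-wide "current user" overwritten by each login, beside one that takes the identity from the caller's own session on every write. The backend stub, the client shapes and the two browser objects are all assumptions made for the illustration.

```javascript
// Constructed backend stub: records the owner of every saved object, exactly
// as it is told by the caller. This stands in for the ACS/ArrowDB data store.
function makeBackend() {
  const saved = [];
  return {
    saved,
    saveObject(asUser, data) { saved.push({ owner: asUser, data }); return saved.length - 1; },
  };
}

// Pattern that reproduces the report: a single client shared by every request
// holds ONE currentUser field, so the last login anywhere wins for the whole
// process, while each browser still has its own req.session.
function makeGlobalClient(backend) {
  let currentUser = null;
  return {
    login(req, userId) { currentUser = userId; req.session = { user_id: userId }; },
    save(req, data) { return backend.saveObject(currentUser, data); },
  };
}

// Hardened pattern: the owner of a write is always the user_id of the session
// making the request; a request without an authenticated session is refused.
function makeSessionClient(backend) {
  return {
    login(req, userId) { req.session = { user_id: userId }; },
    save(req, data) {
      const owner = req.session && req.session.user_id;
      if (!owner) throw new Error('no authenticated session');
      return backend.saveObject(owner, data);
    },
  };
}

// Replays the reporter's steps: user1 logs in from Chrome, user2 from Firefox,
// then Chrome saves an object. Returns the session user seen by the app and
// the owner the backend actually recorded.
function replayScenario(makeClient) {
  const backend = makeBackend();
  const client = makeClient(backend);
  const chrome = { session: null };   // two constructed browser contexts
  const firefox = { session: null };  // (separate cookie jars, separate sessions)
  client.login(chrome, 'user1');
  client.login(firefox, 'user2');
  const idx = client.save(chrome, { note: 'written from Chrome' });
  return { sessionUser: chrome.session.user_id, owner: backend.saved[idx].owner };
}
```

With the global client the replay reports sessionUser "user1" but owner "user2"; with the session-bound client both are "user1".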

Comments

  1. Mostafizur Rahman 2015-11-01

    Hello, Could you please send us more info? We need a test case and details about your environment. Thanks.
  2. Manuel Conde Vendrell 2015-11-21

    Can't provide a test case because you need to create the users in ACS. Just follow the steps I gave and you will see the problem. Don't know if the problem also happens in ArrowDB, but since it is the former ACS, it probably does. Anyway, this problem only occurs on the same machine with 2 different browsers, so it is a very uncommon edge case.
