{ "id": "148774", "key": "AC-164", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "12217", "key": "AC", "name": "Appcelerator - INBOX", "projectCategory": { "id": "10000", "description": "", "name": "Customer Service" } }, "resolution": { "id": "8", "description": "", "name": "Needs more info" }, "resolutiondate": "2015-11-05T11:43:30.000+0000", "created": "2015-06-15T12:03:23.000+0000", "labels": [ "node.acs" ], "versions": [], "issuelinks": [], "assignee": { "name": "mrahman", "key": "mrahman", "displayName": "Mostafizur Rahman", "active": true, "timeZone": "Asia/Dhaka" }, "updated": "2015-11-21T19:35:53.000+0000", "status": { "description": "A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.", "name": "Resolved", "id": "5", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [], "description": "This is a strange behaviour I notice today. When you login in two different browsers (so different cookies), the last logged user is the current user in Node.ACS app (that ok), but the session objects don't reflect that.\r\n\r\nYou can reproduce it doing next steps (you need a Node.ACS app with at least 2 users):\r\n# Open one browser (e.g. Chrome)\r\n# Login in your Node.ACS app as a valid user1 of your app\r\n# Open a different browser (e.g. Firefox)\r\n# Login as a different valid user2 of your app\r\n\r\nNow in Chrome, all actions performed by user1 are owned as user2, e.g, save a new object (user_id owner will be from user2 instead of user1), but the `req.session` values stored in your app are still from user1. If user1 has more \"permissions\" (in an own permission designed system based on level, e.g.) this allows user2 to do actions as user1.\r\n\r\nExpected: or session must be invalidated for user1 or objects saved in Chrome with user1 session must be owned by user1.\r\n\r\nIf you need more info I can help", "attachment": [], "flagged": false, "summary": "ACS mixed credentials (I suppose it is the same in ArrowDB)", "creator": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "subtasks": [], "reporter": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "environment": null, "comment": { "comments": [ { "id": "368536", "author": { "name": "mrahman", "key": "mrahman", "displayName": "Mostafizur Rahman", "active": true, "timeZone": "Asia/Dhaka" }, "body": "Hello,\r\n\r\nCould you please send us more info? We need a test case and details about your environment.\r\n\r\nThanks.", "updateAuthor": { "name": "morahman", "key": "morahman", "displayName": "Motiur Rahman", "active": true, "timeZone": "Asia/Dhaka" }, "created": "2015-11-01T11:15:31.000+0000", "updated": "2015-11-05T07:07:21.000+0000" }, { "id": "371053", "author": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "body": "Can't provide a test case because you need to create the users in ACS. Just follow the steps I gave and you will see the problem. Don't know if the problem also happens in ArrowDB, but being it the former ACS, probably do.\r\n\r\nAnyway, this problem only occurs in the same machine with 2 different browsers, so it is an edge case very uncommon.", "updateAuthor": { "name": "mcvendrell", "key": "mcvendrell", "displayName": "Manuel Conde Vendrell", "active": true, "timeZone": "Europe/Madrid" }, "created": "2015-11-21T19:35:53.000+0000", "updated": "2015-11-21T19:35:53.000+0000" } ], "maxResults": 2, "total": 2, "startAt": 0 } } }