There's a bug, which we cannot replicate, involving users in one specific region of our enterprise customers being swapped. For example, a user logs in as themselves on the login page, and on arriving at the home page, they are another user.
It seems like accidental session hijacking; here are the clues:
- CakePHP security is set to low (this only means the cookie doesn't rewrite on every page load, and the cookie does not do a user agent check)
- our cookie is set to not care about subdomains (.example.com instead of example.com)
- enterprise users are redirected using a 302 if they log in to the wrong area (should we use 303?)
- there was a 301 accidentally sent out, but users are able to replicate
- all the affected users are behind a single router, sharing internet via Sprint MPLS
- all the affected users may be using computers issued by the customer
- their IT claims there is no proxy cache and no remote VPN access, yet they claim to be able to replicate the issue from home computers and off the network.
Since we cannot replicate the issue in any way, we can only assume that the issue is specific to their network.
How can we prove that their network/computers are causing the session swapping? Or, what configuration on our end could be causing this, when no other users experience this issue?
[edits/updates]
Responding to some direction provided by a comment: our traffic is not large enough to send duplicate IDs (the statistical probability is too low to see what we've seen the customer replicate).
see also:
- Zend Framework Session swapping issue
- why is php generating the same session ids every time in test environment (WAMP)?
Update:
We use FCGI, and apparently mod_php is required to understand x_forwarded_for
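Server-side log checks that would produce the kind of evidence the question asks for, as an added example that is not part of the original post or of CakePHP. It assumes an application log that records, per request, the timestamp, client IP, session id sent in the cookie, the user the app resolved, the request line and the status (the log format and the sample lines are constructed), and flags session ids bound to more than one user, session ids arriving from more than one client address, and logins whose freshly issued cookie never comes back.

```python
import re
from collections import defaultdict
# Constructed sample access log (not from the original post), assumed to log
# timestamp, client IP, session id from the cookie, the user the app resolved
# ("-" if anonymous), request line and status. Planted: bob's login cookie
# d4e5f6 never comes back (his next hit carries alice's a1b2c3), a1b2c3 also
# arrives from a second address, and e7f8a9 resolves to two different users.
SAMPLE_LOG = """\
2012-03-01T10:00:01 198.51.100.10 sid=a1b2c3 user=alice "POST /login" 302
2012-03-01T10:00:02 198.51.100.10 sid=a1b2c3 user=alice "GET /home" 200
2012-03-01T10:00:05 198.51.100.10 sid=d4e5f6 user=bob "POST /login" 302
2012-03-01T10:00:06 198.51.100.10 sid=a1b2c3 user=alice "GET /home" 200
2012-03-01T10:02:00 203.0.113.7 sid=a1b2c3 user=alice "GET /home" 200
2012-03-01T10:03:00 192.0.2.44 sid=e7f8a9 user=carol "POST /login" 302
2012-03-01T10:03:01 192.0.2.44 sid=e7f8a9 user=dave "GET /home" 200
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3})$')

def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def sids_with_multiple_users(events):
    """Session ids resolved to more than one user: a server-side problem
    (an id issued twice, or a session store mixing records)."""
    users = defaultdict(set)
    for e in events:
        if e["user"] != "-":
            users[e["sid"]].add(e["user"])
    return {s: sorted(u) for s, u in users.items() if len(u) > 1}

def sids_from_multiple_ips(events):
    """Session ids presented from more than one client address: the cookie
    value itself is being carried between machines or replayed in between."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {s: sorted(i) for s, i in ips.items() if len(i) > 1}

def logins_never_followed(events):
    """Login requests whose session id never comes back: the client dropped the
    cookie it was just given, so its next page ran under whatever cookie it sent."""
    later, orphaned = set(), []
    for e in reversed(events):
        if e["req"].startswith("POST /login") and e["sid"] not in later:
            orphaned.append((e["ts"], e["ip"], e["user"], e["sid"]))
        later.add(e["sid"])
    return orphaned[::-1]
```

An empty result from the first check and hits in the other two would support the claim that the server issues distinct ids and the cookies are being mixed up on the client side or in between.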