Proxy Cookies July 16, 2004 11:31 AM   Subscribe

Bug report: MeFi has suddenly started relying on IP addresses to identify users. A coworker just emailed me with a screenshot which showed that he had my session (he has no account but was identified by my username). Loading the blue just a second ago, I myself was identified as a certain milnak whom I do not know (but that person is located very close to me geographically). The unifying thread seems to be that we work for a certain large software company and thus all access MeFi through the same outgoing HTTP proxy.

And yes, I know, I should get back to work instead of reading the blue, etc, etc.

Side note: metatalk still identifies me correctly as blindcarboncopy.
posted by blindcarboncopy to Bugs at 11:31 AM (11 comments total)

Same thing happened to me, Matt, remember?

Time to make the donuts.
posted by soyjoy at 11:47 AM on July 16, 2004


Huh? Aren't users identified by cookies? After all, I can login from multiple IP addresses (from my laptop) without any confusion or problem.
posted by PigAlien at 12:12 PM on July 16, 2004


This is not an IP address thing, this is a caching thing. xmutex and I did some playing around when this happened to us and we figured out that the ISA (Windows Internet caching serving thing) Server at that location was the culprit.

Maybe Mr. xmutex can explain better, but he's on vacation.
posted by falconred at 12:39 PM on July 16, 2004


This sounds like a proxy caching issue rather than an identification issue. Adding a "Cache-Control: private" or "Cache-Control: no-cache" HTTP header to the response if the request contains login info should (hopefully) clear this up.

On preview: what falconred said.
posted by boaz at 12:47 PM on July 16, 2004


is your server storing client-side cookies?

I'm trying to figure out how and why this is possible, since all the scripts rely on your cookie values. Your server must be caching either cookie values or the form fields that contain their info.
posted by mathowie (staff) at 1:29 PM on July 16, 2004


for what it's worth -- all these years I've been accessing MetaFilter literally from hundreds of IP addys worldwide -- airport lounges, hotels, Internet cafes (one on a small island in the Indian Ocean) -- and have never had any trouble, have never been misidentified, ever
posted by matteo at 1:45 PM on July 16, 2004


As with matteo, I have always (until yesterday) accessed MeFi through dynamically allocated IP addresses and have never ever been misidentified.
posted by dg at 5:27 PM on July 16, 2004


If this problem is due to a poorly written proxy, a possible workaround would be for Metafilter to send Cache-Control: private in the HTTP headers for each page sent to a logged in user. But any proxy product so broken it uses IPs to uniquely identify users probably will ignore cache control headers as well.
posted by Voivod at 5:31 PM on July 16, 2004


The problem as I understand it has nothing to do with what IP address the client is at; it's a proxy server problem. When a proxy serves up a cached page, it never even contacts the original server, so any server-side scripts don't get called, and the requestor just gets an exact copy of the page the proxy saved. The problem occurs when a proxy saves a page meant for one person, and then serves that saved copy to someone else. So, for example, if the proxy caches a page meant for milnak and then serves it to blindcarboncopy, it will look like he's logged in as milnak because that's who the MeFi server rendered the page for.

This is precisely the situation that the "Cache-Control: private" directive is designed to address; it informs any shared proxies between the client and the server not to cache the page because it's, well, private.
posted by boaz at 5:35 PM on July 16, 2004


Here's the easy solution if this is a problem for you:
Use a proxy.

You should also be able to find lists of anonymous proxies, but some of these are rather shady, and many have shut down.
posted by blasdelf at 6:50 PM on July 16, 2004


I used to have session-swapping problems on a ColdFusion application I maintained (but didn't write) because the variables weren't locked.
posted by hyperizer at 6:54 PM on July 16, 2004


« Older MetaFilter Remixed is gone.   |   So I decided to build it myself...(and then it... Newer »

You are not logged in, either login or create an account to post comments