
I built this in-house web app (built on Flask and served with Gunicorn) and for ages it's never stored any sort of user data or session data and it worked fine. Now I added an authentication page, using my organization's LDAP - user inputs username and password (same they use to log in on their machines), app verifies the credentials on the LDAP server and lets the user through if everything matches.

When I serve the app with only one process (gunicorn -w 1) it works fine. But when I serve the app with multiple processes I get erratic behavior! Sometimes authentication fails even though username and password are correct. Sometimes if one user authenticates then others are treated as authenticated. And sometimes the user authenticates and gets to use the app for a while but then clicks something and gets redirected to the login page (all functions are decorated to check that the user is authenticated).

My guess is that I'm failing to properly isolate the users - user X enters the correct username and password but when they click "submit" the app thinks that's user Y, who hasn't authenticated, and therefore denies access (here's the logic of the authentication: I check if flask.session has the key user; if it does, the user gets through; if not, the user is redirected to the login page and, if authentication is successful, I store the username in flask.session["user"]).

How can I debug this? If my guess is correct then how can I make sure that users' credentials don't get mixed up?

Parzival
  • You mentioned that it works fine for one process, and that "Sometimes authentication fails even though username and password are correct". Are the different processes definitely connecting to the same database? – Isaac Jan 08 '16 at 13:29
  • Is it possible that you're setting the session information on a global object? If you run this locally, what happens if you log in with one user, then switch browser? Are you still authenticated? – Isaac Jan 08 '16 at 13:51
  • I'm storing the session information in Flask's [session](http://flask.pocoo.org/docs/0.10/quickstart/#sessions) object. If I switch browsers the behavior is erratic, just as with the same browser. – Parzival Jan 08 '16 at 13:58
  • I just noticed that `sessions` was not persisting (it kept getting empty apparently for no reason). So, I googled 'flask session gunicorn', found this [answer](http://stackoverflow.com/questions/30984622/flask-session-not-persistent-across-requests-in-flask-app-with-gunicorn-on-herok), and made my `app.secret_key` fixed (instead of random) - and now `session` seems to be persisting and things seem to be working. But too early to tell, I need to test it more (I'll report it back here). – Parzival Jan 08 '16 at 14:13

1 Answer


I noticed that the session object was not persisting (it kept getting empty for no apparent reason). I googled around and found this answer. Turns out my app's secret key shouldn't be random (it was os.urandom(24)), it should be a constant string instead. Once I fixed that the authentication worked correctly.

Parzival
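Why a per-process `os.urandom(24)` secret breaks under `gunicorn -w N`, and why the constant key in the answer fixes it, as an added example that is not code from the question or the answer. It models Flask's signed session cookie with a plain HMAC (real Flask uses itsdangerous, with timestamps and key derivation, but the verification property is the same); the worker class, the `FLASK_SECRET_KEY` variable name and the user "alice" are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Minimal stand-in for Flask's signed session cookie: "payload.signature".
def sign_session(secret_key: bytes, data: dict) -> str:
    raw = json.dumps(data, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    sig = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def load_session(secret_key: bytes, cookie: str) -> dict:
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return {}  # bad signature: Flask silently hands the view an empty session
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

class Worker:
    # One Gunicorn worker process holding its own copy of app.secret_key.
    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key

    def login(self, username: str) -> str:
        # What the login view does after LDAP accepts the credentials.
        return sign_session(self.secret_key, {"user": username})

    def is_authenticated(self, cookie: str) -> bool:
        # What the decorator on every other view checks.
        return "user" in load_session(self.secret_key, cookie)

def route_cookie(worker_keys) -> list:
    # Log in on worker 0, then replay the same cookie against every worker,
    # which is what happens as Gunicorn spreads later requests across workers.
    workers = [Worker(k) for k in worker_keys]
    cookie = workers[0].login("alice")  # constructed sample user
    return [w.is_authenticated(cookie) for w in workers]

def broken_setup(n: int = 3) -> list:
    # secret_key = os.urandom(24) evaluated in each process: one key per worker.
    return route_cookie([os.urandom(24) for _ in range(n)])

def fixed_setup(n: int = 3) -> list:
    # One key shared by all workers, e.g. read from the environment (assumed name).
    key = os.environ.get("FLASK_SECRET_KEY", "constructed-example-key").encode()
    return route_cookie([key] * n)
```

With random per-worker keys only the worker that issued the cookie accepts it, so the user is bounced to the login page as soon as a request lands elsewhere; with one shared key every worker accepts it.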