
I have an application in Grails using spring-security for user and role management. Since the past few days I have been facing a strange issue: when one user logs in, at some point the user becomes another user (session mix-up).

Example: User A logs in to the system, User B logs in to the system from another browser; when moving through controller actions, at some random point User A becomes User B in User A's system, and the same happens with User B.

This issue is in PRODUCTION and not development.

I have found some similar cases on the internet but none for Grails. Spring Security/JSF/Hibernate Accidental Session Hijacking on Tomcat? is a similar one, but in JSF, and the solution mentioned does not seem to work for me. Another one is Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user, but there the issue seems to be because of mod_jk, which is not the case for me (I have not used mod_jk).

My system versions:

  • Grails Version: 3.2.4
  • Groovy Version: 2.4.7
  • JVM Version: 1.8.0_05
  • Server version: Apache Tomcat/8.5.14
  • JVM Version: 1.8.0_121-8u121-b13-0ubuntu1.16.04.2-b13
  • The key is going to be something at the ISP. Something within their infrastructure, a web proxy or something, perhaps. – Joshua Moore Jun 14 '17 at 04:01
  • But would the ISP really affect the user session tracked by Spring Security? Because I don't have an issue with page redirection or anything like that, but with the session, which I think is maintained by Spring Security and Tomcat. – Jumper Jun 14 '17 at 06:23
  • It sounds like the cookie value (session id) which is used to associate a browser with a session is getting swapped/changed around somewhere while the request travels through the ISP before it gets to the server. Have you tried using HTTPS and secure cookies? Perhaps by doing so you'll prevent this. – Joshua Moore Jun 14 '17 at 12:34

1 Answer


Finally, I found the issue.

The culprits were the ISPs (currently found with Subisu and Mercantile in Nepal). They would actually cache the whole page requested, and when the same URL was requested by another user within a certain timeframe (a few hours), provided both users were on the same ISP network, the cached page would be rendered to the next user.

How I found my issue: I did an experiment. First, I logged in with two different users on separate computers on the same ISP; I immediately found the issue. Then I logged out one user on that ISP, disconnected from that ISP, connected to another ISP and logged in to the system. Now I had User1 on Computer1 on ISP1 and User2 on Computer2 on ISP2, and even after browsing for half an hour the issue was not found.

How I fixed it: I generated a unique UUID and appended it to every menu link. This makes every URL different; it has been 4 days and the issue has not occurred even once. In some menus I have not put the unique UUID and the issue still occurs there, but not in those where I put the unique string.

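The following is an added example and not code from the question or the answer above. It shows two things in a Grails 3 application: a cache-busting tag that implements the per-link UUID the answer describes, and an interceptor that sets `Cache-Control: private, no-store` on every response, which is the HTTP-level way of telling a shared cache (an ISP or transparent proxy) that the response belongs to one user and must not be stored or replayed to anyone else. The package name `example`, the tag namespace `menu` and the query-parameter name `cb` are this example's own choices; the interceptor and tag-library APIs are the standard Grails 3 ones.

```groovy
package example   // package name assumed for this example

// ---- grails-app/controllers/example/CacheControlInterceptor.groovy ----
/**
 * Marks every response as non-cacheable by shared caches.
 * "private" forbids a shared (ISP/proxy) cache from storing the response;
 * "no-store" forbids any cache from storing it at all; Pragma/Expires cover
 * older HTTP/1.0 intermediaries that ignore Cache-Control.
 */
class CacheControlInterceptor {

    CacheControlInterceptor() {
        matchAll()   // apply to every controller action, not just secured ones
    }

    boolean before() { true }

    boolean after() {
        response.setHeader('Cache-Control', 'private, no-cache, no-store, max-age=0, must-revalidate')
        response.setHeader('Pragma', 'no-cache')
        response.setDateHeader('Expires', 0L)
        true
    }

    void afterView() { }
}

// ---- grails-app/taglib/example/MenuTagLib.groovy ----
/**
 * Cache-busting link, the approach the answer describes: every rendered link
 * carries a fresh UUID query parameter, so no two requests for the same menu
 * item share a cache key in a URL-keyed proxy cache.
 * Usage in a GSP:  <menu:link controller="report" action="list">Reports</menu:link>
 * Renders e.g.    <a href="/report/list?cb=6f1c...">Reports</a>
 */
class MenuTagLib {
    static namespace = 'menu'   // namespace name assumed for this example

    def link = { attrs, body ->
        // Copy the caller's params so we never mutate a shared map.
        Map params = new HashMap(attrs.params ?: [:])
        params.cb = UUID.randomUUID().toString()   // 'cb' parameter name assumed
        attrs.params = params
        // Delegate to the built-in g:link so controller/action/id/absolute etc. keep working.
        out << g.link(attrs) { body() }
    }
}
```

To confirm the headers actually reach the client, fetch an authenticated page from outside the application and look at the response headers, for example `curl -s -D - -o /dev/null -b 'JSESSIONID=<your session id>' https://<host>/report/list | grep -i cache-control`. The UUID trick only works for links rendered by the tag; a URL a user types or bookmarks still has a stable cache key, which is why the header-based fix is the one to rely on. Serving the site over HTTPS, as the comment on the question suggests, additionally prevents a transparent proxy from seeing or caching the page content at all.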