Everything was working fine until we configured Check Point. For Check Point, we have a separate VPC in AWS.
After that, this bug started appearing randomly. Some users are swapped with other users. For example, let's say User A was logged into the application, and after some time User A was suddenly changed to User B. This is so random that I am not able to find a way to reproduce it, but end users are reporting it periodically.
My application is built in Yii 1 and the logic is straightforward. The session is set when a user logs into the website.
Yii1 Configuration
<?php
return array(
    'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'name' => 'Project',
    'defaultController' => 'site/login',
    // application components
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
            'enableCookieValidation' => true,   // cookies are signed with validationKey; unsigned ones are ignored
            'class' => 'HttpRequest',           // project-specific subclass of CHttpRequest
            'csrfTokenName' => '_csrf',
        ),
        'session' => array(
            'class' => 'CDbHttpSession',        // session data lives in the database, not in files
            'autoStart' => true,
            'connectionID' => 'db',
            'sessionTableName' => 'tbl_session',
            'timeout' => 3600 * 24 * 30,        // 30 days
            'autoCreateSessionTable' => false,
        ),
        'user' => array(
            'allowAutoLogin' => true,           // "remember me" identity cookie
            'authTimeout' => 3600 * 24 * 30,    // 30 days
        ),
        // Other stuff
    ),
);
Below is a sample request.
Note: I have changed the URLs to dummy ones.
General
Request URL: https://[randomuniquestring].access.project.com/index.php?r=home/index
Request Method: GET
Status Code: 200
Remote Address: 143.204.*****:443
Referrer Policy: no-referrer-when-downgrade
Request Headers
:authority: randomuniquestring.access.project.com
:method: GET
:path: /index.php?r=home/index
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
cookie: selected_realm=ssl_vpn; _gcl_au=1.1.997081439.1542180219; __qca=P0-2107182343-1542180221727; _ga=GA1.2.663976907.1542956670; ___fnbDropDownState=1; CPCVPN_BASE_HOST=.access.project.com; CPCVPN_OBSCURE_KEY=6a97dc429cb24dafe51d5177d2e87218; _gid=GA1.2.33488363.1549271004; CPCVPN_SESSION_ID=96c6835fb518aeefe7eb64e5767c730401e4f547; _gat=1; CPCVPN_SDATA_VERSION=2
referer: https://[randomuniquestring].access.project.com/index.php?
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Response Headers
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Thu, 07 Feb 2019 10:38:55 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
location: https://[randomuniquestring].access.project.com/?r=home/index
pragma: no-cache
server: CPWS
set-cookie: CPCVPN_SDATA_VERSION=2; path=/; secure; HttpOnly;
status: 302
strict-transport-security: max-age=1261440000; includeSubDomains
vary: User-Agent
via: 1.1 [randomuniquestring].cloudfront.net (CloudFront)
x-amz-cf-id: lWZ0rvOKiPO5FhJk6oPqdTchfzzsrTlb6du1DD6rNaOQZDSL1cGlcw==
x-cache: Miss from cloudfront
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
I have referred to this question: PHP cookie-based session swapping in phorum, but didn't find any solution there.
So is there a way to find the root cause behind it, and how can I resolve it?
Other Details
For Check Point, we have a separate VPC in AWS. This VPC contains the link and other migrated applications.
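An added diagnostic for narrowing this down, written for this page and not taken from the question or from the Yii framework: a hypothetical `SessionGuard` component that binds each authenticated Yii 1 session to a per-browser token held in a second cookie and logs, with the proxy-visible headers, any request whose session does not match the browser presenting it. It assumes the component is registered on the application's `onBeginRequest` event, that the site is served over HTTPS (the `secure` flag), that PHP 7 or later is available for `random_bytes`, and that the cookie name `_sg_bind` is free; all of those are choices made here. The Yii 1 calls used (`CHttpSession::regenerateID`, `CCookieCollection::add`, `CWebUser::logout`, `Yii::log`) are the framework's own.

```php
<?php
/**
 * SessionGuard: hypothetical Yii 1 component (added example, not the question's code).
 *
 * Register in protected/config/main.php:
 *     'onBeginRequest' => array('SessionGuard', 'check'),
 * and save this file as protected/components/SessionGuard.php (autoloaded by Yii 1).
 */
class SessionGuard
{
    const COOKIE = '_sg_bind';   // assumed cookie name; signed by Yii because enableCookieValidation is on
    const STATE  = '_sg_bind';   // session key holding the token this session expects from the browser
    const UID    = '_sg_uid';    // session key holding the user id that created the binding

    public static function check(CEvent $event)
    {
        $app     = Yii::app();
        $user    = $app->getUser();
        $session = $app->getSession();
        $request = $app->getRequest();

        if ($user->getIsGuest()) {
            // Nothing to protect; clear any stale binding so the next login starts fresh.
            $session->remove(self::STATE);
            $session->remove(self::UID);
            return;
        }

        $expected = $session->get(self::STATE);
        if ($expected === null) {
            // First authenticated request of this session: create the binding and
            // rotate the session id so the pre-login id cannot be reused.
            $token = bin2hex(random_bytes(16));     // PHP >= 7.0 assumed
            $session->add(self::STATE, $token);
            $session->add(self::UID, $user->getId());
            $session->regenerateID(true);

            $cookie = new CHttpCookie(self::COOKIE, $token);
            $cookie->httpOnly = true;
            $cookie->secure   = true;               // HTTPS-only site assumed
            $cookie->path     = '/';
            $request->getCookies()->add(self::COOKIE, $cookie);
            return;
        }

        $cookies   = $request->getCookies();
        $presented = $cookies->contains(self::COOKIE) ? $cookies->itemAt(self::COOKIE)->value : null;

        if ($presented !== null
            && hash_equals($expected, $presented)
            && (string)$session->get(self::UID) === (string)$user->getId()) {
            return;                                 // session and browser agree
        }

        // Mismatch: this browser holds a session that was bound to a different browser,
        // or the user id inside the session changed. Log enough context to correlate
        // with the proxy / CDN logs, then end the session rather than serve it.
        Yii::log(sprintf(
            'session/browser mismatch: sid=%s uid=%s bound_uid=%s ip=%s xff=%s ua=%s',
            $session->getSessionID(),
            $user->getId(),
            $session->get(self::UID),
            $request->getUserHostAddress(),
            isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '-',
            $request->getUserAgent()
        ), CLogger::LEVEL_WARNING, 'application.security');

        $user->logout(true);                        // destroys the session row
        $request->redirect($app->getHomeUrl());
    }
}
```

What the log tells you: if users keep reporting swaps and the guard records mismatches, the wrong `tbl_session` row is being handed to a browser and the session id, IP and `X-Forwarded-For` values in the entry show which hop the two users share; if swaps are still reported with no mismatch logged, the browser and its session agree and the mixing is happening in front of the application. Note that the capture above carries only Check Point (`CPCVPN_*`) and analytics cookies, no PHP session cookie, and the 302 comes back from `server: CPWS`, so the application's own session cookie is not visible in that exchange at all; a capture of the request that actually reaches `index.php` would be needed to compare against the guard's log.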