I'm using Flask-Security to manage users, and I'm getting reports that users are logged-in successfully as themselves, but randomly when they load a page, it will show them logged as someone completely different. I'm not sure where I'm going wrong. What are possible ways this could happen?
I user a UserService to do some simple user management. I instantiate a user service before every request and pass in current_user.
@app.before_request def load_request_services(): g.user_service = UserService(user_datastore, application_service, email_service, ORGS, current_user)
Then, I get the current user in UserService from this method:
def current_user_get_info(self): return { 'user': self.current_user.email, 'first_name': self.current_user.first_name, 'last_name': self.current_user.last_name, 'phone_number': self.current_user.phone_number, }
this is called when this API request code is executed:
class CurrentUser(restful.Resource): def get(self): return json_response(g.user_service.current_user_get_info())
The issue is caused by a Sign-in Option – As it turns out, this particular issue mostly occurs due to a change inside the Sign-in Options menu that forces the machine to use the sign-in info to automatically finish setting up the device and reopen apps.
Right-click the taskbar, then select “Task Manager“. Select the “Users” tab. Details on the users logged into the machine are displayed.
I found the issue and am posting here for others who might have the same issue.
It turns out that the users who were accessing my site were behind a VPN with a proxy. The proxy was caching the pages along with the user's cookies. When one user makes request, the proxy would cache the page along with that user's cookie in the header. On the next user's request, the proxy would serve back the page with the first user's cookie and thus the second user would find himself as someone else.
See here for more info: https://code.google.com/p/doctype-mirror/wiki/ArticleHttpCaching
I solved it by setting the cache-control HTTP header to 'private' so that the proxy will not try to cache it. In Flask, it looks like this:
@app.after_request
def add_header(response):
response.cache_control.private = True
response.cache_control.public = False
return response
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With