Users are being logged in as the wrong user #5740
Comments
@x9sim9 did you manage to track down the issue?

No, I tried a huge number of things but was unable to find the root cause. The only working solution we have now is to store the email address typed on the login page in a cookie, then compare that to the currently logged-in user and force a logout when a mismatch occurs.

@x9sim9 would you mind sharing your Gemfile and describing your setup a bit more? Did you try disabling multithreading?

Hi Matthew,
Attached is a copy of our Gemfile. We have not yet tried disabling multithreading. Our current Puma configuration uses a thread pool with both the minimum and maximum threads set to 5. Regarding our setup:
Thanks!
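The multithreading question above points at the usual root cause of this symptom on Puma: a per-request value (the authenticated user) kept in process-wide state that every Puma thread shares, so one request's user is visible to another request running concurrently. The following is an added example, not code from the Devise project or from the reporter's application. The names BuggyCurrent, SafeCurrent and serve_two_requests are hypothetical and the two email addresses are constructed sample identities; the interleaving between the two "requests" is forced with Queues so the leak reproduces deterministically instead of intermittently.

```ruby
# Added example (not from the Devise issue or the reporter's app): a per-request
# value stored in shared class state leaks across Puma threads; the thread-local
# version does not. Names are hypothetical; the interleaving is forced so the
# race is deterministic rather than the intermittent failure seen in production.

# Shared mutable state: one slot on the module object for the whole process.
# Every Puma thread reads and writes the same slot.
module BuggyCurrent
  class << self
    attr_accessor :user
  end
end

# Thread-local state: each thread gets its own slot. Thread.current[] is
# fiber-local in MRI, which is per thread here. In Rails the equivalent is
# ActiveSupport::CurrentAttributes, which additionally resets the slot at the
# end of every request so a value cannot survive into the next request that
# the same thread serves.
module SafeCurrent
  KEY = :safe_current_user

  def self.user=(u)
    Thread.current[KEY] = u
  end

  def self.user
    Thread.current[KEY]
  end

  def self.reset
    Thread.current[KEY] = nil
  end
end

# Simulates two requests served concurrently on two Puma threads.
# Request A authenticates as its user, is paused while request B
# authenticates, then A renders "current_user" for its own view.
# Returns [email rendered by A, email rendered by B].
def serve_two_requests(store)
  a_set = Queue.new   # A signals "I have set my user"
  b_set = Queue.new   # B signals "I have set mine"
  result = {}

  thread_a = Thread.new do
    store.user = "alice@example.com"   # constructed sample identity
    a_set << :ok
    b_set.pop                           # wait until B has run its login
    result[:a] = store.user             # what A's view will show
    store.reset if store.respond_to?(:reset)
  end

  thread_b = Thread.new do
    a_set.pop                           # wait until A has set its user
    store.user = "bob@example.com"      # constructed sample identity
    result[:b] = store.user
    b_set << :ok
    store.reset if store.respond_to?(:reset)
  end

  [thread_a, thread_b].each(&:join)
  [result[:a], result[:b]]
end

if __FILE__ == $PROGRAM_NAME
  p serve_two_requests(BuggyCurrent)   # ["bob@example.com", "bob@example.com"]
  p serve_two_requests(SafeCurrent)    # ["alice@example.com", "bob@example.com"]
end
```

With BuggyCurrent, request A renders Bob's identity even though it authenticated as Alice, which is exactly the "logged in as the wrong user" symptom; with SafeCurrent each request sees its own user. Dropping Puma to a single thread would hide the first result without fixing it. The session store's threadsafe: true option covers the store's own Redis access and does nothing for objects the application keeps at class level, so the place to look is any class variable, memoised singleton, or global that is assigned during authentication or in an around_action.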
Thanks, are you overriding the session controller or modifying current_user in the code?

On Sun, 26 Jan 2025 at 10:11, John Fullerton <***@***.***> wrote:
Hi Matthew,
Attached is a copy of our Gemfile. We use Devise for authentication with a standard username/password login and Redis-backed sessions. Sessions are scoped to the root domain, expire after 30 days, and are secured with same_site: :lax and secure: true (in production).
Our configuration includes case-insensitive and whitespace-trimmed email authentication, CSRF token cleanup on login, and session timeout handling. Request parameters like domain and URL are allowed to influence authentication when needed.
Let me know if there's anything else I can clarify for you. Thanks.
Gemfile.txt
<https://github.com/user-attachments/files/18549548/Gemfile.txt>
Hi, we are having a really strange issue with Devise: for some reason a user is using one set of credentials and being randomly logged in as another user. The issue happens intermittently, and we have started saving the email address used when logging in, comparing it to the current_user reported by Devise, and forcing a logout when this happens.
We don't have a reliable way of recreating the issue; it seems to happen randomly, but we have about 20 Rollbar error reports so we do have some information. Not sure what information to provide.
Environment
Current behavior
User is being logged in as the wrong user
Expected behavior
User should be logged in as the correct user
What we have tried
Using database session storage and Redis session storage; here is the current config:
```ruby
Rails.application.config.session_store :redis_store,
  url: "#{ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/0")}/session",
  expire_after: 30.days,
  key: Rails.env.production? ? "_new_app_session" : "new_app_session#{Rails.env}",
  threadsafe: true,
  secure: Rails.env.production?,
  same_site: :lax,
  httponly: true,
  domain: :all
```