Web Session Data Leak?

Edit: I’ve moved the original conversation to a new thread, because the answer presented was not to the original question - @Greg O’Lone
https://forum.xojo.com/15980-web-session-memory-leak

I haven’t experienced that particular problem but I have encountered another problem where input from one web session gets displayed in another. That’s rather disturbing. I now set cookies with both the Session.Identifier and the Session.RemoteAddress in the Session.PrepareSession event and check them at each step of the app to make sure they match, otherwise I terminate the session. Merely checking the Session.Identifier is not sufficient to ensure that session data is not leaking into the wrong session.

Recently? If this is going on in the latest version, I need a sample project right away.

The last time I encountered this problem was a few weeks ago. I don’t remember if it was before or after the current release. I’ve made a number of changes to the source code since then so I don’t have a project file that I’ve seen the problem on since I started using cookies to verify the session. Prior to that I was just leaving it up to Session.DoSomething to find the right session.

Can you tell me how this manifests itself?

I was putting Session.RemoteAddress in a Session.Property for display on a web page and sometimes seeing someone else’s IP address displayed in my session rather than my own IP address. I haven’t seen that problem since I started verifying Session.Identifier and Session.RemoteAddress with cookies before processing any user data.

Ok, but where were you setting that property and what did the code look like? I’m just trying to figure if this is a bug on our part or not. I would expect that we would be hearing about this a lot more if it were in the framework.

By the way, what version of the IDE are you using Carl?

[quote=131221:@John Joyce]@Greg O’Lone - what do you make of this?

I have had some similar experiences while load testing web-apps. Here is my info:

IDE: 2014 r 2.1
Target: CentOS release 6.4 (Final)

I have several web apps running on this server, but this is the first time I have created one that is primarily an API using HandleSpecialURL. I did some testing in the extremely basic stages and found that it was quite easy to overload the app.

Just passing it along for your thoughts.
John[/quote]
Let's keep this on the original topic. Please start a new thread for your question.

[quote=131200:@Greg O’Lone]Ok, but where were you setting that property and what did the code look like? I’m just trying to figure if this is a bug on our part or not. I would expect that we would be hearing about this a lot more if it were in the framework.

By the way, what version of the IDE are you using Carl?[/quote]
I believe the builds where I was seeing the problem were done in the previous IDEs, not the current release. I was originally using Session.Properties to get user info, so in the Session.PrepareSession event I was doing this:

Session.IPAddress = Session.RemoteAddress

Then in the web page I would display the user’s connection info:

Label.Text = Session.IPAddress

That’s where I was sometimes seeing someone else’s IP address displayed in my session. Then I started using cookies to verify the session. I put this in the Session.PrepareSession event:

Session.Cookies.Set("ThisSession", Session.Identifier)
Session.Cookies.Set("ThisIP", Session.RemoteAddress)

Then, in the web page, I verify the cookies before doing anything:

If Session.Cookies.Value("ThisSession") = Session.Identifier And Session.Cookies.Value("ThisIP") = Session.RemoteAddress Then
  // Do stuff
Else
  Session.MsgBox("Bonk!")
  Session.ShowURL("http://website")
End If

I haven’t seen the problem since I started verifying the session with cookies.

Keep in mind that user IP addresses do change, especially in corporate environments where they have multiple connections to the internet (sort of a reverse load balancer), so you may be causing more disconnects than necessary with this technique.

We did have a session leak in 2012r2 which was fixed in 2012r2.1, but that’s the only one that I am aware of. If you can provide a sample project in a feedback report that shows this problem I’d really like to get it fixed.
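Putting Carl's cookie check and Greg's caveat together, here is an added example (not code from either poster or from Xojo itself) that moves the verification into one method on the Session class. It assumes the same cookie names and the same Session members used above, plus System.DebugLog for logging; the method name IsSessionConsistent and its strictIP parameter are the example's own. An identifier mismatch always fails, because that is the case where the page's Session object is not the one the browser was issued; a changed remote address is logged and only fails the check when strictIP is True, so corporate clients whose outbound address changes are not disconnected unnecessarily.

```xojo
// Session.PrepareSession event handler: bind the browser to this session's identity.
Sub PrepareSession()
  Session.Cookies.Set("ThisSession", Session.Identifier)
  Session.Cookies.Set("ThisIP", Session.RemoteAddress)
End Sub

// Method added to the Session class (name and parameter are this example's own).
// Returns True when the cookies agree with the Session object handling the request.
Function IsSessionConsistent(strictIP As Boolean) As Boolean
  // A wrong identifier means data from another session could be shown here.
  If Session.Cookies.Value("ThisSession") <> Session.Identifier Then
    System.DebugLog("Session identifier mismatch, remote address " + Session.RemoteAddress)
    Return False
  End If

  // Remote addresses legitimately change (corporate egress, mobile clients),
  // so log the change and only treat it as fatal when the caller asks for that.
  If Session.Cookies.Value("ThisIP") <> Session.RemoteAddress Then
    System.DebugLog("Remote address changed from " + Session.Cookies.Value("ThisIP") + _
                    " to " + Session.RemoteAddress)
    Return Not strictIP
  End If

  Return True
End Function

// In a web page event (for example Shown), before any user data is touched:
If Not Session.IsSessionConsistent(False) Then
  Session.MsgBox("Bonk!")
  Session.ShowURL("http://website")  // placeholder URL, as in the original post
  Return
End If
// Do stuff
```

Passing True to strictIP restores Carl's original behaviour of terminating on any address change; the default of False keeps the identifier check, which is the one that actually detects cross-session data, and leaves the address check as a logged signal to review.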

[quote=131434:@Greg O’Lone]Keep in mind that user IP addresses do change, especially in corporate environments where they have multiple connections to the internet (sort of a reverse load balancer), so you may be causing more disconnects than necessary with this technique.

We did have a session leak in 2012r2 which was fixed in 2012r2.1, but that’s the only one that I am aware of. If you can provide a sample project in a feedback report that shows this problem I’d really like to get it fixed.[/quote]
Although, I wouldn’t expect my connection to change to another Internet service in a different country, so I think it’s pretty much a certainty that someone else’s connection information was displaying in my session. In any case, if I see the problem again, I’ll submit a feedback report with the project code.

Marco, if you’d ask your original question again in a new thread, we can try to discuss it. I’m sorry I let your thread get hijacked.

I thought I was providing information that was relevant to his comment regarding web session leaks, then I started answering your questions. Was that a hijacking?

Marco was talking about a memory leak, you (Carl) were talking about data leakage between sessions.

I was initially responding to his use of the term web session leak and then I answered the questions you asked me. How is that a thread hijacking?

You said

That is, I’m not having your problem, but here’s the problem I’m having. I should have asked you to start a new thread right then and there because they are two different issues.

[quote=131812:@Greg O’Lone]You said

That is, I’m not having your problem, but here’s the problem I’m having. I should have asked you to start a new thread right then and there because they are two different issues.[/quote]
I was still talking about a web session leak even if the nature was different, so I didn’t see that as being off topic, and I was responding to your questions, after all, thus I don’t get your comment about the thread being hijacked. That bit of unnecessary sarcasm was not appreciated, especially considering how infrequently I post here.

Chill Carl. It wasn’t sarcasm. You two are talking about two different kinds of leaks. Marco’s is a memory leak which results in sessions not closing properly and yours is a data leak which results in data being displayed on a second session. They are not related to one another in any way. I was apologizing to Marco for letting your question get answered instead of his in this thread. I should have immediately asked you to move your question to another thread because I understood that they were two different issues. Now I’m asking Marco to ask his question again in a new topic so we don’t have two questions asked and answered in the same thread because of how confusing it will be if someone reads it later.

There. I’ve moved the original conversation to a new thread so we can answer it separately.