Redash version: 2.0.0+b2990

We found a very strange issue.

  1. Log in with admin privileges;
  2. Go to the user list;
  3. Edit the name or email of a different user (not yourself);
  4. All authorized users from your IP will be logged in under the credentials of the changed user!

What we tried to fix:

  1. Log out / log in;
  2. Change REDASH_COOKIE_SECRET to invalidate cookies;
  3. Flush redis;
  4. Restart workers/server.

Nothing helps!! Everybody still logs in under the changed user.

But if you change IP you can log in normally.
I guess that there is a problem with sessions. But I can’t understand where user session data is stored.

How can we fix this?

P.S. To test this bug you can use two browsers on one PC.

Do they need to log in again, or do they see themselves as the edited user after a page refresh?

Do you deploy standard Redash code or have some of your own modifications?

No need to log in, right after refresh.

No, we don’t have modifications.

Any proxy / CDN in front of Redash?

Only nginx. I would like to note that we have been using Redash for more than two years, and we have never encountered similar issues.

nginx config for redash host:

upstream rd_servers {
  server 127.0.0.1:5000;
}

server {
  server_tokens off;
  listen 80 default;

  access_log /var/log/nginx/rd.access.log;

  gzip on;
  gzip_types *;
  gzip_proxied any;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://rd_servers;
  }
}

You are right. The problem was with Kerio, which we are using in our office network. It started caching some HTTP requests.

Sorry for bothering.

Glad you got this resolved. I wonder if we still might have an issue here in the form of us sending headers that made Kerio cache this?
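
The last reply asks whether response headers could have allowed the office proxy to cache authenticated pages. As an added example (not part of the thread and not Redash code), this Python sketch applies simplified RFC 9111 shared-cache rules to a response's status and headers; the function names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Status codes a cache may store without explicit freshness (RFC 9111 heuristic caching).
HEURISTIC_STATUS = {200, 203, 204, 300, 301, 404, 405, 410, 414, 501}
# Constructed samples: a cookie-authenticated response without and with caching headers.
SAMPLE_UNSAFE = {"Content-Type": "application/json", "Set-Cookie": "session=PLACEHOLDER"}
SAMPLE_SAFE = {**SAMPLE_UNSAFE, "Cache-Control": "no-store, private"}

def parse_cache_control(value):
    directives = {}  # {directive: argument or None}, directive names lowercased
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def expires_in_future(value, now):
    try:
        return parsedate_to_datetime(value) > now
    except (TypeError, ValueError):
        return False  # an unparseable Expires counts as already expired

def shared_cache_findings(status, headers, now=None):
    """Reasons a shared proxy cache could reuse this response for another client."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if cc.keys() & {"no-store", "private", "no-cache"}:
        return []  # not stored by shared caches, or revalidated on every use
    ttl = cc.get("s-maxage") or cc.get("max-age")  # s-maxage wins for shared caches
    if ttl is not None:
        if not ttl.isdigit() or int(ttl) == 0:
            return []  # stale immediately, so the origin is asked again
        findings = [f"fresh for {ttl}s in shared caches"]
    elif "expires" in h:
        if not expires_in_future(h["expires"], now):
            return []
        findings = ["Expires is in the future"]
    elif status in HEURISTIC_STATUS:
        findings = ["no freshness information: heuristically cacheable"]
    else:
        return []
    if "cookie" not in h.get("vary", "").lower():
        findings.append("no Vary: Cookie, so one user's copy can reach other users")
    if "set-cookie" in h:
        findings.append("a stored Set-Cookie would hand the session to other clients")
    return findings

if __name__ == "__main__":
    print(shared_cache_findings(200, SAMPLE_UNSAFE), shared_cache_findings(200, SAMPLE_SAFE))
```

An empty list means a standards-following shared cache has no grounds to serve the response to a second client; a proxy configured to ignore these directives needs a separate check on the proxy itself.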