One session for users from the same IP (FIXED)


#1

Redash version: 2.0.0+b2990

We found a very strange issue.

  1. Log in with admin privileges;
  2. Go to the user list;
  3. Edit the name or email of a different user (not self);
  4. All authorized users from your IP will be logged in under the credentials of the changed user!

What we tried to fix:

  1. Log out / log in;
  2. Change REDASH_COOKIE_SECRET to invalidate cookies;
  3. Flush redis;
  4. Restart workers/server.

Nothing helps!! Everybody still logs in under the changed user.

But if you change IP you can log in normally.
I guess that there is a problem with sessions. But I can’t understand where user session data is stored.

How can we fix this?

P.S. To test this bug you can use two browsers on one PC.


#2

Do they need to log in again, or after a page refresh do they see themselves as the edited user?

Do you deploy standard Redash code or have some of your own modifications?


#3

No need to log in, right after refresh.

No, we don’t have modifications.


#4

Any proxy / CDN in front of Redash?


#5

Only nginx. I would like to note that we have been using Redash for more than two years, and we have never encountered similar issues.


#6

nginx config for redash host:

upstream rd_servers {
  server 127.0.0.1:5000;
}

server {
  server_tokens off;
  listen 80 default;

  access_log /var/log/nginx/rd.access.log;

  gzip on;
  gzip_types *;
  gzip_proxied any;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass       http://rd_servers;
  }
}

#7

You are right. The problem was with Kerio, which we are using in our office network. It started caching some HTTP requests.

Sorry for bothering.


#8

Glad you got this resolved. I wonder if we still might have an issue here in the form of us sending headers that made Kerio cache this?
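
One way to check the header question raised in #8, as an added example that is not part of the thread and not Redash code: it lists the reasons a shared cache such as an office proxy would be allowed to store and reuse a cookie-bound response. It assumes a cache that follows the RFC 9111 rules (Kerio's actual behaviour is not known from this thread); the function names and the sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Status codes RFC 9110 defines as heuristically cacheable.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lowercased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def expires_in_future(resp):
    """True if Expires is later than Date (or now); unparsable values count as expired."""
    try:
        now = parsedate_to_datetime(resp["date"]) if "date" in resp else datetime.now(timezone.utc)
        return parsedate_to_datetime(resp["expires"]) > now
    except (TypeError, ValueError):
        return False

def shared_cache_findings(status, request_headers, response_headers):
    """Reasons a shared cache may store this session-bound response and reuse it."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if "cookie" not in req and "set-cookie" not in resp:
        return []  # not tied to a session cookie
    cc = parse_cache_control(resp.get("cache-control", ""))
    if cc.keys() & {"no-store", "private", "no-cache"}:
        return []  # storing, or reuse without revalidation, is forbidden
    findings = []
    if "public" in cc:
        findings.append("Cache-Control: public")
    lifetime = cc.get("s-maxage", cc.get("max-age"))
    if lifetime is not None:
        if lifetime.isdigit() and int(lifetime) > 0:
            findings.append(f"fresh for {int(lifetime)}s in a shared cache")
    elif "expires" in resp:
        if expires_in_future(resp):
            findings.append("Expires is in the future")
    elif status in HEURISTIC_STATUS:
        findings.append("no explicit expiry: heuristic freshness allowed")
    return findings

# Constructed samples (not captured from a Redash server).
REQUEST = {"Cookie": "session=constructed-value"}
RISKY = {"Content-Type": "text/html", "Last-Modified": "Mon, 01 Jan 2024 00:00:00 GMT"}
SAFE = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}
```

An empty list for every authenticated page and API response means the application is not giving a compliant intermediary permission to share them between users.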