Details
-
Bug
-
Resolution: Fixed
-
Medium
-
3.1.3, 3.2.0
-
None
-
None
Description
Given
A user logs in before, but for some reason the session times out.
The user is using Chrome(version 28 which has previews to the website, when opening a new tab)
When
The user try to open a new tab in Chrome and quickly type the fisheye home address and hit enter
Expected
The user should have no problem logging in because there is a remember me cookie set already from the last login.
Actual
The user is forced to log in again.
Possible cause
The preview feature from chrome's new tab page tries to load a thumbnail from fisheye which trigger a request to Fisheye with the remember me cookie. This request comes along with the user's request and they cause a racing condition.
If the chrome's request comes first, the backend will generate a new RND number for the the remember me cookie. However, the user's real request comes to the backend with the old cookie number. That will result in a mismatch.
Extra notes
The problem may not only happens in chrome, but in any situation where there are two requests triggered simultaneously after session timeout or expired.
