I've got a Rails application using by having an authentication system using Peaceful Authentication with no modification.
Customers have reported finding themselves drenched in because the wrong user. In a minumum of one situation it had been on their own initial page view, never getting drenched in before.
Is it feasible their session ids are becoming confused? Would switching to CookieStore allow it to be impossible to do this since no session information is saved around the server by doing this? I suspect the issue is associated with Passenger but I'm not sure how to start debugging this. Its only happened about 4 occasions in a number of several weeks to be live so its virtually impossible to breed.
Atmosphere: ActiveRecord session storage Rails 2.2.2 Passenger 2..1 Apache 2 Ruby 1.8.6
If you are using a customer-side session storage (default for more recent Rails versions), it might be an error within the application and never a stolen session (or something like that like this). Make certain you know which session storage you utilize and just how it really works.
I am seeing that as well... you may be thinking about the thread here: Users take sessions of other users when sessions are stored in memcached (Rails)
My current thinking is this fact is really associated with Passenger, that appears to become the most popular component between what you are seeing, what I am seeing, and exactly what the other publish reviews (we are all using different session stores and rails versions).
I remember when i experienced an identical problem and also the cause switched to be the user was saved inside a class variable rather than a case variable. Say for example that you simply authenticate/store your user such as this:
def current_user User.current ||= ( login_from_session || login_by_password ) end
Within this situation the consumer is going to be saved within the class and never the instance and also the first user who login is going to be saved within the class which is going to be passed to the following customers session too. To resolve it, it was transformed to
def current_user @current_user ||= ( login_from_session || login_by_password ) end
This really is obviously only one of several options however i would start my troubleshooting by writing both user_id in the session and also the user variable you utilize, towards the log to ascertain if you will find any variations.