undefined | Better HN

0 pointsjgrahamc3y ago0 comments

Team is writing it up. Will get it out later today.

0 comments

5 comments · 2 top-level

tikotzky3y ago· 3 in thread

We were seeing some pages with cookies incorrectly getting cached, causing users to get logged in as other users. We quickly disabled cache on the dashboard, is this related to that?

bcjordan3y ago

Curious what you find happened with that.

On the webdev side—what can be done as extra defense-in-depth step to guard against this kind of issue? Unrelated to Cloudflare I feel like it is a common issue that crops up on even massive sites quite often. Is there some sort of secondary check / content decryption that could be required on the client-side to contain session cookie crossover?

rob-olmos3y ago

Outside of HTTPS, typically it would be tying the session cookie to the IP address or netblock but because it's Cloudflare IPs, for regular browser navigation requests I don't think there's anything that can be done?

jgrahamcOP3y ago

Please email me details (jgc).

ehPReth3y ago

Awesome - thanks :)

j / k navigate · click thread line to collapse