Incorrect user login #955

Closed
rich-hart opened this issue Mar 12, 2015 · 6 comments
@rich-hart

In beta.cnx.org, webview will automatically sign in under the wrong user name without a password. For example, when visiting beta.cnx.org my browser will automatically sign into 'amwebb' without any prompt.
[Image: wrong_login]

@reedstrm suggests that this is a problem of incorrect caching with Varnish. Note: clearing my browser cache removes the 'amwebb' login. This issue was first reported in openstax/rhaptos.cnxmlutils/issues/120.

@reedstrm reedstrm self-assigned this Mar 12, 2015
@reedstrm
Contributor

Likely a caching issue just presenting the page. Not sure anyone actually tried, say, the workspace link to see if you got Amber's stuff.

@amberwebb
Contributor

@reedstrm I believe @karenc said she could see my workspace.

@rich-hart
Author

I could access Amber's workspace as well.

@mmulich
Contributor

mmulich commented Mar 13, 2015

This is a devops issue, not webview. But it's here now...

I'll throw my question here, since I hadn't heard a response:

13:42:58 pumazi : It's likely that the resource is cached with the session info in the response.
...
13:56:42 pumazi : reedstrm: Is it possible for nginx to append a header (maybe something like x-no-cache) when falling back to a protected app?
13:57:52 pumazi : Just trying to figure this out now, rather than implement this cascading /contents/ only to find that we have auth leaks like the one karen just experienced.

The idea with the x-no-cache is to have the caching server see it and ignore it. But there are likely a few ways to achieve the same thing.

@amberwebb
Contributor

Closing this as a webview issue.

@reedstrm
Contributor

We need a header to tell varnish not to cache pages that are authenticated. Ideally, the app itself should add them, making this an authoring issue.
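
The approach suggested in the last comment, as an added example that is not part of the thread or of the project's code: a WSGI middleware that marks any response to a credentialed request (or any response that sets a cookie) as uncacheable by shared caches. `SESSION_COOKIES`, `NoCacheForAuthenticated`, `demo_app` and `response_headers` are hypothetical names, the session cookie name is an assumption, and the cache in front is assumed to be configured to honour `Cache-Control: private, no-store`.

```python
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIES = {"session"}  # assumption: the app's session cookie name


def is_authenticated(environ):
    """True when the request carries credentials a shared cache must not ignore."""
    if environ.get("HTTP_AUTHORIZATION"):
        return True
    jar = SimpleCookie()
    try:
        jar.load(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        return True  # unparsable Cookie header: fail closed
    return any(name in SESSION_COOKIES for name in jar)


class NoCacheForAuthenticated:
    """WSGI middleware: mark per-user responses as uncacheable by shared caches."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        authed = is_authenticated(environ)

        def guarded_start(status, headers, exc_info=None):
            sets_cookie = any(k.lower() == "set-cookie" for k, _ in headers)
            if authed or sets_cookie:
                # Drop any caching hints the app set, then forbid shared caching.
                stale = {"cache-control", "expires", "pragma"}
                headers = [(k, v) for k, v in headers if k.lower() not in stale]
                headers.append(("Cache-Control", "private, no-store"))
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start)


def demo_app(environ, start_response):
    # Constructed sample app that marks every response publicly cacheable.
    start_response("200 OK", [("Cache-Control", "public, max-age=3600")])
    return [b"workspace"]


def response_headers(app, environ):
    """Run one request through `app`; return response headers (lower-cased keys)."""
    seen = {}
    list(app(environ, lambda status, headers, exc_info=None:
             seen.update((k.lower(), v) for k, v in headers)))
    return seen
```

Anonymous requests keep the app's own caching headers, so public pages stay cacheable while per-user pages never enter the shared cache.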
