Forum Discussion

AshuA_246482
Dec 12, 2017

Users' account sessions mixed up

Hi, I have been asked to look into a very strange issue, and I am not sure where to start. I don't think it is happening due to the BIG-IP, but could someone please provide an insight? Only the persistence cookie is sent by the BIG-IP. The session and auth cookies are sent by the back-end servers, although the BIG-IP just adds the 'secure' parameter to all those cookies. A summary of the issue is below.


We need your help on this critical matter. A user has reported that for some reason, her sessions got mixed up.


That is, she logged in under username JFSM first and went to the My Billing page to perform a function. Then she logged in as JSMIREZ and was going to the My Billing page for the new account. Instead of getting to the right page, she was directed to the previous log-in's Account Summary page.


Now, she confirmed she was only using one browser session.


Is there any chance that sessions can get mixed up by the BIG-IP for the same browser? That is, can a prior page request somehow be re-sent to the current session? I know I am grasping at straws here, but I am not sure what the possibilities are. I do have to note that the way the site has been working is that when I open up a browser and log in to a user account, let's call it Account A, and then on the same browser I open up a new window and try to log in as Account B, I would still get the information for Account A. The reason is that this is considered the same session/browser, and Account A is considered still active for this session and not Account B, even if the requests were made from different windows/tabs.


One thing for sure though: if there are multiple users hitting the servers from different browsers, is there any chance at all that their requests can get mixed up?


That is, you can have Users A, B, and C all hitting the website at the same time, each of them using a separate browser from a different IP address. Is there any chance that the load balancer would ever mix up their sessions so that User A's page requests are returned to User C and User C's requests are returned to User B, enabling them to see someone else's account?


1 Reply

  • It is possible, if Users A/B/C are coming from the same IP address. What kind of persistence are you using on the VS? I would recommend using OneConnect with a /32 profile, if the VS is used for balancing HTTP traffic.
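The reply's point about OneConnect and its source mask can be made concrete with a small model. This is an added example, not code from the thread or from F5: it assumes a back end that (incorrectly) caches the authenticated user per TCP connection, and models the source mask as the rule deciding which idle server-side connections a new client request may reuse (a /0 mask lets any client reuse any idle connection; /32 restricts reuse to the same client IP).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of OneConnect-style server-side connection reuse.
# A server-side connection first opened for client A may carry client B's next
# request only when both client addresses match under the source mask:
#   0  (0.0.0.0)          -> any client may reuse any idle server-side connection
#   32 (255.255.255.255)  -> only requests from the same client IP may reuse it

@dataclass
class ServerConn:
    client_ip: str                    # client whose request opened this connection
    bound_user: Optional[str] = None  # state the (flawed) back end ties to the TCP connection

class ConnectionPool:
    def __init__(self, source_mask_bits: int):
        self.mask_bits = source_mask_bits
        self.idle: List[ServerConn] = []

    def _key(self, ip: str):
        # Apply the source mask: two clients share a key if they match under it
        net = ipaddress.ip_network(f"{ip}/{self.mask_bits}", strict=False)
        return net.network_address

    def acquire(self, client_ip: str) -> ServerConn:
        for conn in self.idle:
            if self._key(conn.client_ip) == self._key(client_ip):
                self.idle.remove(conn)
                return conn            # reuse an idle server-side connection
        return ServerConn(client_ip=client_ip)  # otherwise open a fresh one

    def release(self, conn: ServerConn) -> None:
        self.idle.append(conn)

def simulate(mask_bits: int, requests) -> List[str]:
    """requests: (client_ip, authenticated_user) tuples in arrival order.
    Returns, per request, whose data the back end actually served, given a
    back end that remembers the first user it saw on each TCP connection."""
    pool = ConnectionPool(mask_bits)
    served = []
    for ip, user in requests:
        conn = pool.acquire(ip)
        if conn.bound_user is None:
            conn.bound_user = user    # back end binds identity on first use of the connection
        served.append(conn.bound_user)
        pool.release(conn)
    return served

if __name__ == "__main__":
    two_clients = [("10.0.0.1", "alice"), ("10.0.0.2", "bob")]   # constructed sample
    print("mask /0 :", simulate(0, two_clients))
    print("mask /32:", simulate(32, two_clients))
```

With mask 0, Bob's request reuses Alice's server-side connection and is served Alice's data; with mask 32 the two client IPs never share a connection. Two users behind the same NAT address still collide under /32, which is the case the reply calls out.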