mattupstate/overholt

Cookies seem to contain successive registration emails.

dukedougal opened this issue · 3 comments

I had a look in the Flask-Login source but could not see where this is being written into the cookie but it doesn't seem ideal from a security perspective.

<SecureCookieSession {'_id': '6948290bcaabea200d00961712d41d83', 'user_id': '64', '_fresh': True, '_flashes': [('success', 'Thank you. Confirmation instructions have been sent to hfvlu6@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to lzlmzl@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to urk9sa@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 782sud@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 2jp1nj@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 48h6ph@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to guuh3n@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to rabbit@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to blah234523@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to sdfsdfs@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to sdfsdfddfs@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to dgfrdfgdfr@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to dgfrdfgdfr12231@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to hergrbv@example.org.')], 'csrf_token': 'b345ae0a9bef46fdb0954abc191c71933d802a27'}>
[pid: 5020|app: 0|req: 12/12] 120.148.164.173 () {76 vars in 1822 bytes} [Wed Jul 30 21:37:00 2014] POST /app/api/pages/savepage/128 => generated 16 bytes in 64 msecs (HTTP/1.1 200) 3 headers in 550 bytes (1 switches on core 0)
Loads user from session or remember_me cookie as applicable

I don't see anything in that log message that indicates a security problem.

Weird, I don't know how I posted that. Here's the correct info.

Session:
<overholt.pages.models.Page object at 0x7f921aaa7cf8>
<overholt.pages.models.Page object at 0x7f921e823668>
pid: 8536|app: 0|req: 7/7 {76 vars in 1580 bytes} [Fri Aug 1 10:25:51 2014] GET /app/api/pages/?_=1406886563513 => generated 304 bytes in 31 msecs (HTTP/1.1 200) 3 headers in 313 bytes (1 switches on core 0)
Loads user from session or remember_me cookie as applicable
Session:
<SecureCookieSession {'_id': '85a6b08909dc7cca4a9af6efc1a744d6', '_fresh': False, 'csrf_token': '60b666e8f6a3be842dadc2a95fbfa0554e90ddd3', 'user_id': '2'}>
pid: 8536|app: 0|req: 8/8 {80 vars in 1662 bytes} [Fri Aug 1 10:25:52 2014] POST /app/api/users/generalstatedata/ => generated 18 bytes in 21 msecs (HTTP/1.1 200) 3 headers in 312 bytes (1 switches on core 0)
Loads user from session or remember_me cookie as applicable
Session:
<SecureCookieSession {'_id': '6948290bcaabea200d00961712d41d83', '_fresh': True, 'csrf_token': 'b345ae0a9bef46fdb0954abc191c71933d802a27', 'user_id': '64', 'flashes': [('success', 'Thank you. Confirmation instructions have been sent to hfvlu6@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to lzlmzl@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to urk9sa@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 782sud@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 2jp1nj@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to 48h6ph@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to guuh3n@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to rabbit@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to blah234523@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to sdfsdfs@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to sdfsdfddfs@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to dgfrdfgdfr@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to dgfrdfgdfr12231@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to hergrbv@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to bing@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to sdfsd@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to dfgdfg@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to fghfgdf@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to flooble@example.org.'), ('success', 'Thank you. Confirmation instructions have been sent to brekkkk@example.org.')]}>
1406897085.935562##2a8138c699742410a48cb59b36688213359b04f0
pid: 8536|app: 0|req: 9/9 {72 vars in 1818 bytes} [Fri Aug 1 11:44:45 2014] GET /app/api/users/getcsrf?_=1406868451149 => generated 97 bytes in 7 msecs (HTTP/1.1 200) 3 headers in 589 bytes (1 switches on core 0)
Loads user from session or remember_me cookie as applicable

It looks like GitHub is removing the info from my post because it contains email addresses. I have put it here on SO instead.

http://stackoverflow.com/questions/25089438/overholt-successive-login-addresses-in-cookie
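The mechanism behind what the thread shows, as an added example that is not code from the overholt project or from Flask: Flask's flash() appends to session['_flashes'] and only get_flashed_messages() removes the list, so a page that never renders flashes leaves every registration message in the client-side cookie, and that cookie is signed, not encrypted, so its contents are readable without the secret key. The flash/get_flashed_messages/encode_session helpers below are stand-ins written to mirror that behaviour (payload encoding as in Flask's default session interface; the signature is a constructed HMAC, not the real itsdangerous format), and the key and addresses are constructed.

```python
import base64, hashlib, hmac, json, re, zlib

SECRET_KEY = b"constructed-demo-secret"  # constructed; not a real deployment key

def flash(session, message, category="message"):
    # Mirrors Flask's flash(): append to the '_flashes' list stored in the session.
    session.setdefault("_flashes", []).append((category, message))

def get_flashed_messages(session):
    # Mirrors Flask's get_flashed_messages(): popping is the only thing that
    # ever shrinks the list, so a template that never calls it leaves it growing.
    return session.pop("_flashes", [])

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def encode_session(session, secret_key=SECRET_KEY):
    # Payload as Flask's default session interface writes it: JSON, zlib-compressed
    # with a leading '.' when that is shorter, base64url without padding.
    # The trailing signature here is a constructed stand-in (HMAC-SHA1 over payload).
    raw = json.dumps(dict(session), separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = b"." + _b64(packed) if len(packed) < len(raw) else _b64(raw)
    sig = _b64(hmac.new(secret_key, payload, hashlib.sha1).digest())
    return (payload + b"." + sig).decode()

def decode_payload(cookie):
    # Reads the payload WITHOUT the secret key: the signature prevents tampering,
    # it does not hide the contents from whoever holds the cookie.
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    payload = body.split(".", 1)[0].encode()
    data = base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4))
    return json.loads(zlib.decompress(data) if compressed else data)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def emails_exposed(cookie):
    # Defender's check: which e-mail addresses does the cookie reveal to its holder?
    return sorted(set(EMAIL_RE.findall(json.dumps(decode_payload(cookie)))))

def simulate(registrations, render_flashes):
    # One client session across several registrations, as in the issue's dump.
    session = {"user_id": "64", "_fresh": True}
    for addr in registrations:
        flash(session, f"Thank you. Confirmation instructions have been sent to {addr}.", "success")
        if render_flashes:
            get_flashed_messages(session)  # what a template that shows flashes does
    return encode_session(session)

if __name__ == "__main__":
    print(emails_exposed(simulate(["a@example.org", "b@example.org"], render_flashes=False)))
    print(emails_exposed(simulate(["a@example.org", "b@example.org"], render_flashes=True)))
```

Run against a real Flask cookie, decode_payload shows exactly what the client can read; the first simulate() call reproduces the accumulation, the second shows it gone once flashes are consumed each request.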