Random session swapping, logged in as different user without password / 2FA check
Summary
When using Chrome, you can add multiple "persons" to your browser.
Each has it's own "scope".
For example, when I go in a browser window with person 1 to gitlab.com I am logged in.
But when I open a browser window with person 2, and I go to gitlab.com, I am not logged in.
This is expected, because you are a different entity / user (person).
However, for some reason in GitLab CE 9.3.3 (I don't experienced this bug in older versions) it seems that there is some link between the two sessions.
It started when I was logged in on both persons in Chrome, but under different GitLab user accounts.
Person 1 started a MR, and person 2 was merging that requests.
After the merge completed (while both persons stays on that MR page) it seems that some weird session swapping is happening.
Person 1 is suddenly logged in as person 2 after refreshing (sometimes it takes a couple of refreshings) and person 2 is logged in as person 1.
In my case, person 2 is an admin and person 1 is not.
So it's pretty bad that (even with 2FA enabled on all users) you can log in as admin (or any user, for that matters) without a password or 2FA.
Besides that this bug happens in MR's, I also occur it when loggin in on one person, while not logged in with the other person.
After loggin in with person 1, person 2 is also logged in as the same user.
Note: The _gitlab_session
cookie is different from both. And is doesn't always happen.
Not exactly figured out when this exactly is the case.
Steps to reproduce
(Described in the summary above)
What is the current bug behavior?
"Random" switching user sessions / accounts
What is the expected correct behavior?
Stay on your own account.
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Debian 8.8 Current User: git Using RVM: no Ruby Version: 2.3.3p222 Gem Version: 2.6.6 Bundler Version:1.13.7 Rake Version: 10.5.0 Redis Version: 3.2.5 Git Version: 2.13.0 Sidekiq Version:5.0.0 Go Version: unknownGitLab information Version: 9.3.3 Revision: 92cd381 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://gitlab.domain.nl HTTP Clone URL: https://gitlab.domain.nl/some-group/some-project.git SSH Clone URL: git@gitlab.domain.nl:some-group/some-project.git Using LDAP: no Using Omniauth: no
GitLab Shell Version: 5.0.5 Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab Shell ...GitLab Shell version >= 5.0.5 ? ... OK (5.0.5) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:root, or git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 6/1 ... ok 6/3 ... ok 7/5 ... ok 7/6 ... ok 12/8 ... ok 12/9 ... ok 8/10 ... ok 12/11 ... ok 7/12 ... ok 5/13 ... ok 5/14 ... ok 2/15 ... ok 20/16 ... ok 21/17 ... ok 21/18 ... repository is empty 22/19 ... ok 23/20 ... ok 23/21 ... ok 12/22 ... repository is empty 12/23 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK Send ping to redis server: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 6/1 ... yes 6/3 ... yes 7/5 ... yes 7/6 ... yes 12/8 ... yes 12/9 ... yes 8/10 ... yes 12/11 ... yes 7/12 ... yes 5/13 ... yes 5/14 ... yes 2/15 ... yes 20/16 ... yes 21/17 ... yes 21/18 ... yes 22/19 ... yes 23/20 ... yes 23/21 ... yes 12/22 ... yes 12/23 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.3 ? ... yes (2.3.3) Git version >= 2.7.3 ? ... yes (2.13.0) Active users: ... 9
Checking GitLab ... Finished