This repository has been archived by the owner on Jul 31, 2023. It is now read-only.

Parallel installations affect each other's logins #173

Closed
jeremydouglass opened this issue Jul 30, 2015 · 3 comments

@jeremydouglass

As per suggestion in closed issue #110 I tried to create two parallel installations of BicBucStriim and point them at different Calibre libraries.

I did this by installing the BicBucStriim from packages.synocommunity.com and then copying the clean (pre-first-configure) site into a new directory.

site1: /bbs/
site2: /bbs2/

I was then able to configure each site from the web and create separate users.

The problem is that the logins of the two sites interact strangely. For example, if I log in as user "foo" on site1, then I will also be logged in on site2 -- even in a separate browser (e.g. Chrome Incognito), even if user "foo" doesn't exist on site2. Conversely, if user "bar" logs out of site2, then "foo" will also be logged out of site1. This sometimes leaves the sites in a state where I can then access either site content without a login from any browser, including on another machine -- even though "Require Login" is still set in both site1 and site2 configuration.

I've tried stopping and restarting the Synology Web Station; also clearing browser caches, using separate sandboxed windows and separate machines. I don't know enough about how authentication works to guess at what is happening here. I know that multiple libraries are unsupported, but any suggestions appreciated.

Setup

On a Synology DS713+ (DSM 5.01), I first installed BicBucStriim:

DSM webmin > Package Center > Community > BicBucStriim  
packages.synocommunity.com

Before visiting the site for the first time, I logged in via Terminal and made a copy of the site (with all permissions preserved):

```
$ cd /var/services/web/
$ cp -r -p bbs bbs2
```

I then configured each site for a different library and a different user/pass login:

user: foo -- library: /volume1/foo/
user: bar -- library: /volume1/bar/

...and restarted Web Station.

@rvolz
Owner

rvolz commented Jul 30, 2015

Oh yeah, this is probably a bug in multi-user mode. A user session is identified via a cookie in the browser. Cookies normally work per server/domain. You use the same domain for both installations and the app doesn't separate the cookies per installation -- and so the cookies/user sessions are shared between both installations.

I'll look into it. Meanwhile, as a workaround: you could try to use virtual hosts (Control Panel /Web Services/Virtual Host) to publish the second library in a different domain. This should solve the problem.

@jeremydouglass
Author

Thank you for looking into this!

First, I discovered that there is a weird homepage caching bug on single installs that was a separate issue -- I believed it related to multiple installs, but it didn't. I've filed it separately as #174.

Second, some of my testing described above was wrong. For part of it I used Chrome Incognito windows and assumed that each window had sandboxed cookies -- but in fact they all share one cookiejar.

When I repeat the tests described above strictly

  1. using two separate browsers (Chrome -> /bbs/ and Safari -> /bbs2/) and also
  2. making sure to completely and correctly log out while avoiding "Home content may still appear after logout" (#174)

...then I'm not seeing any inappropriate login access right now -- so this issue may be limited to browsing two BicBucStriim sites hosted from the same server with one browser cookiejar -- much more of an edge case.

@rvolz
Copy link
Owner

rvolz commented Oct 1, 2015

A new session library now uses the instance path, e.g. /bbs, to qualify the session cookies. Multiple instances on the same server should now have separate user sessions. But different paths are required; ports alone are not sufficient. Hope this helps.

@rvolz rvolz closed this as completed in bce7ccc Oct 1, 2015
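
The cookie scoping discussed in this thread, as an added example that is not BicBucStriim code or part of the original issue: a small model of how a browser cookie jar picks cookies by host and path (RFC 6265 path-match), showing why `Path=/` shares one session between `/bbs/` and `/bbs2/`, why instance paths separate them, and why different ports do not. The host `nas.example`, the cookie name `sid` and the session values are constructed for illustration, and logout is modelled as overwriting the cookie with an empty value.

```python
from urllib.parse import urlsplit

def path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: prefix match, but only at a "/" boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class Jar:
    """One browser cookie jar. Cookies are keyed by (host, path, name)."""
    def __init__(self):
        self.cookies = {}

    def set_cookie(self, url, name, value, path="/"):
        # The port is deliberately not part of the key: cookies ignore it.
        self.cookies[(urlsplit(url).hostname, path, name)] = value

    def cookies_for(self, url):
        u = urlsplit(url)
        return [(name, value)
                for (host, path, name), value in self.cookies.items()
                if host == u.hostname and path_match(path, u.path or "/")]

HOST = "http://nas.example"  # constructed host name
SID = "sid"                  # hypothetical session cookie name

def shared_scope():
    """Both installations set the session cookie with Path=/."""
    jar = Jar()
    jar.set_cookie(HOST + "/bbs/", SID, "session-of-foo")
    seen_by_site2 = jar.cookies_for(HOST + "/bbs2/")
    jar.set_cookie(HOST + "/bbs2/", SID, "")  # logout on site2 overwrites the same entry
    return seen_by_site2, jar.cookies_for(HOST + "/bbs/")

def path_scope():
    """Each installation qualifies the cookie with its own instance path."""
    jar = Jar()
    jar.set_cookie(HOST + "/bbs/", SID, "session-of-foo", path="/bbs")
    jar.set_cookie(HOST + "/bbs2/", SID, "session-of-bar", path="/bbs2")
    return jar.cookies_for(HOST + "/bbs/"), jar.cookies_for(HOST + "/bbs2/")

def port_only():
    """Same path on two ports: still one shared cookie."""
    jar = Jar()
    jar.set_cookie(HOST + ":8080/", SID, "session-of-foo")
    return jar.cookies_for(HOST + ":8081/")
```

Path scoping only controls which cookies the browser sends with a request; pages on the same origin can still read each other's cookies from script unless `HttpOnly` is set, so the virtual-host workaround mentioned earlier gives the stronger separation.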