
definitelyauser | 1 year ago

> how could that possibly happen?

Global singleton shared across requests, instead of request scoped.

1. [Client 1/You] Auth/write to variable (failed).

2. [Client 2/ISP] Auth/write to variable (success).

3. Verify what the result was (success).

A race condition combined with a global singleton can easily explain such behavior.

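The three-step interleaving above, written out as an added example (constructed for this thread, not code from the article or from any Spring project). The usernames, passwords and the `AuthState` class are hypothetical. `login_shared` keeps the authentication result in one process-wide object, the way a default-scoped singleton bean would; `login_request_scoped` allocates a fresh object per call. `run_race` pins the thread schedule with events so the race reproduces deterministically instead of depending on timing:

```python
import threading

# Constructed credential store; the names are hypothetical, not from the thread.
USERS = {"alice": "correct-horse", "isp-monitor": "hunter2"}


def check_password(user, password):
    return USERS.get(user) == password


class AuthState:
    """Outcome of one authentication attempt."""

    def __init__(self):
        self.authenticated = False
        self.user = None

    def record(self, user, password):
        # "Auth/write to variable"
        self.authenticated = check_password(user, password)
        self.user = user

    def verify(self):
        # "Verify what the result was"
        return self.authenticated, self.user


# Vulnerable: one AuthState for the whole process, shared by every request
# (what a singleton-scoped bean holding per-request state amounts to).
SHARED_STATE = AuthState()


def login_shared(user, password, after_write):
    """Write into the global, yield to other requests, then verify from the global."""
    SHARED_STATE.record(user, password)
    after_write()
    return SHARED_STATE.verify()


# Fixed: request-scoped state, a fresh AuthState per call.
def login_request_scoped(user, password, after_write):
    state = AuthState()
    state.record(user, password)
    after_write()
    return state.verify()


def run_race(login):
    """Force the schedule from the comment: client 1 writes (failed),
    client 2 writes (success), client 1 verifies. Returns what each client saw."""
    c1_written = threading.Event()
    c2_written = threading.Event()
    seen = {}

    def client1():  # [Client 1/You]: wrong password, so the write records a failure
        def pause():
            c1_written.set()    # step 1 done
            c2_written.wait(5)  # let client 2 finish step 2 before we verify (step 3)
        seen["client1"] = login("alice", "wrong-password", pause)

    def client2():  # [Client 2/ISP]: correct password, so the write records success
        c1_written.wait(5)
        seen["client2"] = login("isp-monitor", "hunter2", c2_written.set)

    threads = [threading.Thread(target=client1), threading.Thread(target=client2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(10)
    return seen


if __name__ == "__main__":
    print("singleton:     ", run_race(login_shared))
    print("request scoped:", run_race(login_request_scoped))
```

With the shared singleton, client 1 supplied the wrong password but its verify step reads the result client 2 just wrote, so it comes back as an authenticated `isp-monitor`. With request-scoped state each client only ever sees its own outcome. The `pause` hook only makes the window reproducible; in a real server the same window exists between the write and the later read whenever two requests overlap.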

spopejoy | 1 year ago

The article mentions Spring, although I couldn't see anything in the output that would tip me off (like massive java.lang.xxxException traces) ... plus I've seen other mentions of singletons in this discussion --

Are you describing some kind of server-side global object that statefully says a session/API key is "authenticated" and will then allow the request during that time frame? That seems like a bug you could drive container ships through. Yes, I know SaaS s/w sucks out there, but this would seem to at least be something an audit could easily flag.