by skissane
2461 days ago
I saw something very similar to this happen once in a system (many moons ago, before my current role). Hopelessly incompetent software developers put the session cookie in a static field of one of the Java classes responsible for the login process, and if two users logged in at the exact same moment (and their requests happened to be served by the same node of the app server cluster), one of them would be given the other's session cookie. So A and B would both log in at the same time, and there was a chance that B would get logged into A's account details instead of their own. Somehow, all through QA testing, nobody noticed it (or if they did, they didn't report it). At just about the last possible minute before go-live, somebody observed it happen. Then there was a mad rush to patch the bug in the middle of the go-live weekend so the go-live stayed on schedule. |
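A constructed reproduction of the race the comment describes, added here as an example; it is not code from the commenter or from the system in question. `BuggyLogin` keeps the freshly issued cookie in a static field, as the original did, and `FixedLogin` keeps it in a local variable. The `CountDownLatch` is an assumption used only to hold both threads between "write the static field" and "read it back", which makes the window that would normally be a few microseconds wide enough to hit every run; the class names, the in-memory session map and the two usernames are all made up for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/**
 * Two users log in at the same moment on the same JVM. With the cookie parked
 * in a static field, the second write clobbers the first and one user walks
 * away holding the other user's session. Constructed illustration only.
 */
public class SessionRace {

    /** Issued sessions: cookie value -> username (stand-in for the real session store). */
    static final ConcurrentHashMap<String, String> SESSIONS = new ConcurrentHashMap<>();

    /** Vulnerable shape: one static slot shared by every request thread in the JVM. */
    static class BuggyLogin {
        static String sessionCookie;   // the bug: per-request state in a class-wide field

        static String login(String user, CountDownLatch window) throws InterruptedException {
            sessionCookie = UUID.randomUUID().toString();
            SESSIONS.put(sessionCookie, user);
            // Hold here until the other login has also written the static field.
            // This only widens a window that exists anyway; it does not create it.
            window.countDown();
            window.await();
            return sessionCookie;       // may now be the OTHER user's cookie
        }
    }

    /** Fixed shape: the cookie is a local, so each request owns its own copy. */
    static class FixedLogin {
        static String login(String user, CountDownLatch window) throws InterruptedException {
            String sessionCookie = UUID.randomUUID().toString();
            SESSIONS.put(sessionCookie, user);
            window.countDown();
            window.await();
            return sessionCookie;       // always this request's own cookie
        }
    }

    /** Which account does the session store say this cookie belongs to? */
    static String whoAmI(String cookie) {
        return SESSIONS.get(cookie);
    }

    /**
     * Runs two logins concurrently and reports whether any caller ended up
     * holding a session that the store attributes to someone else.
     */
    static boolean crossLoginObserved(boolean useStaticField) throws Exception {
        String[] users = {"alice", "bob"};             // constructed sample users
        CountDownLatch window = new CountDownLatch(users.length);
        ExecutorService pool = Executors.newFixedThreadPool(users.length);
        try {
            List<Future<String>> cookies = new ArrayList<>();
            for (String user : users) {
                cookies.add(pool.submit(() -> useStaticField
                        ? BuggyLogin.login(user, window)
                        : FixedLogin.login(user, window)));
            }
            boolean crossed = false;
            for (int i = 0; i < users.length; i++) {
                String owner = whoAmI(cookies.get(i).get());
                if (!users[i].equals(owner)) {
                    System.out.println(users[i] + " logged in but holds " + owner + "'s session");
                    crossed = true;
                }
            }
            return crossed;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("static field  : cross-login observed = " + crossLoginObserved(true));
        System.out.println("local variable: cross-login observed = " + crossLoginObserved(false));
    }
}
```

Compile and run with `javac SessionRace.java && java SessionRace`; the static-field variant prints a mismatch for one of the two users on essentially every run, the local-variable variant never does. The useful takeaway for review is the check rather than the demo: any mutable `static` (or singleton-scoped) field written during request handling in a servlet, filter or login component is a candidate for exactly this bug, and a load test that logs in N distinct users concurrently and asserts that each response's identity matches the credentials sent is the cheapest way to catch it before a go-live weekend.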