
UPDATES on Viewing Other User Pages, Images & Bill Page Errors

Read here:

haim
Etsy Admin
haim says:
Here’s a quick update on some of the bigger bugs we’ve been fighting…

- The cookie/login issue

We’ve found a bug in how we generate random data that could possibly result in login “collisions”. It’s our theory that user A would log in and get his random data token. Sometime thereafter user B would generate the exact same random data thus grabbing user A’s session. We’ve got a short term fix in the works that will highly decrease the chances of that happening. It’s our goal to have that fix pushed out early Wednesday AM EST. In addition we’re working on a larger long term fix to better handle cookies in general.

- 500 errors on the bill pages

Users with a large amount of unbilled charges or a large amount of charges under a single bill would generate “500 errors” when loading pages. We’ve got a fix in the works to paginate out these pages which should resolve the issue.

- Images not loading/hanging

This one is a horrible ghost in the machine. The crazy randomness of this issue along with an inability to recreate on demand is making this one incredibly difficult to track down. We’ve got people looking over every single part of our system to try and find where this gremlin lives. I don’t have any updates for you as of yet, but it’s something we’re all working on.

[Editor-added bolding]
These are updates on issues we covered previously:
Users reporting seeing other people’s account info which continued from our original coverage.

Image-loading issues.
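
The login "collision" theory in haim's update, sketched as an added example (not part of the original post and not Etsy's code). The 16-bit generator, the `SessionStore` model and all names are assumptions made for illustration; the hardened path uses a CSPRNG token and refuses to issue a token that is already live.

```python
import math
import random
import secrets

def collision_probability(n_sessions, token_bits):
    """Birthday-bound estimate that at least two of n random tokens match."""
    pairs = n_sessions * (n_sessions - 1) / 2
    return -math.expm1(-pairs / 2.0 ** token_bits)

class SessionStore:
    """Constructed model of a login handler: session token -> user id."""
    def __init__(self, new_token, check_unique=False):
        self.new_token = new_token
        self.check_unique = check_unique
        self.sessions = {}

    def login(self, user):
        token = self.new_token()
        # Hardened path: never issue a token that is already live.
        while self.check_unique and token in self.sessions:
            token = self.new_token()
        # Without the check, a repeated token silently rebinds to the new user.
        self.sessions[token] = user
        return token

def weak_tokens(seed):
    """Assumed weak generator for illustration: only 16 bits of randomness."""
    rng = random.Random(seed)
    return lambda: "%04x" % rng.getrandbits(16)

def strong_token():
    """256 bits from the operating system CSPRNG."""
    return secrets.token_urlsafe(32)

def crossed_sessions(store, n_users):
    """Log in n users, then count those whose cookie now resolves to someone else."""
    issued = [(user, store.login(user)) for user in range(n_users)]
    return sum(1 for user, token in issued if store.sessions[token] != user)

if __name__ == "__main__":
    print("weak, unchecked:", crossed_sessions(SessionStore(weak_tokens(1)), 2000))
    print("weak, checked:  ", crossed_sessions(SessionStore(weak_tokens(1), True), 2000))
    print("strong:         ", crossed_sessions(SessionStore(strong_token), 2000))
    print("P(collision) 16-bit, 2000 sessions:", collision_probability(2000, 16))
    print("P(collision) 256-bit, 1e9 sessions:", collision_probability(10**9, 256))
```

The uniqueness check removes the crossed sessions even with the weak generator, but only the larger token space makes tokens hard to guess, so a real fix needs both.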

53 Responses to “UPDATES on Viewing Other User Pages, Images & Bill Page Errors”


  1. 10
    Facade Says:

    *watches the experiment with interest*

  2. 9
    JB Says:

    well cookies are just little text files. Theoretically they can be edited if you find the folder where they are stored. I know where the folder is in IE but not in Firefox - I guess it’s buried somewhere in the ff program files folder?
    It might be easier if I just log on in IE!

  3. 8
    Soap Says:

    Yeah, I understood the PAGE to be cached, not the cookie.

  4. 7
    Soap Says:

    Except how to change a token - can that be done manually? That’s scary if possible.

    :( Not sure if you’re kidding or not.

    (not an engineer)

  5. 6
    Soap Says:

    JB,

    Do you want to try that? You have my email.

  6. 5
    JB Says:

    haim says:
    Yup we’re looking into mean accelerators that might be trying to cache the cookies etc as well. As part of the longer term cookie fix we’re looking into ways to introduce randomness and other such things to try and prevent our cookies from being cached, or at least force them to seem much more unique to these accelerators.

    - H
    —————————————

    hmmm, as I understood it, the cookie itself was not being cached, it was the web page that was cached. Kind of like if I took a screenshot of “my convos” and emailed it to soap. He’s talking now about cookies being cached, which I didn’t think was possible. I thought google accelerator only cached certain file extensions like html web pages and images. It would be a much bigger problem if GWA was caching people’s cookies on a shared server!

  7. 4
    JB Says:

    oh..and yes, presumably in this scenario the user would be able to edit and make changes, create a treasury, etc under the other user’s name.
    As opposed to the GWA caching issue which I believe just lets you SEE stuff but doesn’t let you DO stuff.

  8. 3
    JB Says:

    I am not sure how these random data tokens work.
    I’m looking at my etsy cookie in firefox, and there are 4 files. The file named token does have a long string of random numbers. I guess if I emailed those numbers to you, and you were able to edit your cookie to have my set of numbers, you would be logged in as me?

  9. 2
    Soap Says:

    Yeah, kind of like the multiple cars per Toyota key a few years back :( That’s scarier - at least in the access of cached info, presumably pages can only be viewed but no changes made. If there really is an authentic cookie pulling up an existing page, doesn’t that give authorization for the user to alter pages?

    Mind you, I am not an engineer.

  10. 1
    JB Says:

    That’s quite interesting about the cookie issue. Random doesn’t always mean unique, so apparently 2 users can have the same random token and then get their wires crossed.
    This may account for the cases where people didn’t use web accelerators. I don’t think it accounts for all the cases, and the behavior of the bug, i.e. how much you can access, may depend on which variation of the bug you have. I now think it’s actually TWO bugs with similar symptoms. I’m glad they are working on one part of it, and have admitted it’s on their own system not on the user’s end.

