Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User Sessions shared across multiple users behind Proxy or VPN #1407

Closed
dvdr00t opened this issue Oct 7, 2024 · 3 comments
Closed

User Sessions shared across multiple users behind Proxy or VPN #1407

dvdr00t opened this issue Oct 7, 2024 · 3 comments
Labels
bug Something isn't working evaluate-with-priority What's needed to address this one? needs-triage security

Comments

@dvdr00t
Copy link

dvdr00t commented Oct 7, 2024

Describe the bug
When multiple users access the Chainlit application from the same IP (e.g., when behind a proxy or VPN), the user_session is shared across those users, leading to data from one session being accessible by another. This results in a mixing of session data, causing unexpected behavior, such as retrieving or storing incorrect session-specific information.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy a Chainlit application and expose a specifc port to the internet.
  2. Have two or more users access the application through a proxy or VPN (e.g., an office network).
  3. Each user sets and retrieves session-specific data using cl.user_session.set() and cl.user_session.get().
  4. Observe that session data from one user is accessible by another.

Expected behavior
Each user should have a unique session, even when accessing the application from the same IP address, ensuring that session-specific data remains private to each user.

Screenshots
If applicable, add screenshots to help explain the problem.

Desktop (please complete the following information):

  • OS:
  • Browser:
  • Version:

Smartphone (please complete the following information):

  • Device:
  • OS:
  • Browser:
  • Version:

Additional context
The issue seems to stem from how user sessions are identified and stored. In the current setup, it appears that sessions are identified solely by the session ID, which may not be properly isolated for different users behind the same IP. As a result, users sharing the same IP (e.g., through a corporate proxy or VPN) can end up sharing the same session, causing a mix-up of session data.
@dosubot DosuBot
Copy link

dosubot bot commented Oct 7, 2024

Hey @dvdr00t! I'm here to help you with any bugs, questions, or contributions you have for Chainlit. Let's squash those bugs together!

To ensure that each user has a unique session in a Chainlit application, even when multiple users access it from the same IP address through a proxy or VPN, you can rely on the context.session.id to uniquely identify each session. The UserSession class uses context.session.id to manage user-specific data, ensuring that each session is distinct and not shared across users.

Here's how you can achieve this:

  • The user_sessions dictionary should store session data keyed by context.session.id, which is unique for each session.
  • When a session is accessed, check if context.session.id exists in user_sessions. If not, create a new entry, ensuring that each session is isolated.

Here's a code snippet demonstrating this approach:

user_sessions: Dict[str, Dict] = {}

class UserSession:
    def get(self, key, default=None):
        if not context.session:
            return default

        if context.session.id not in user_sessions:
            user_sessions[context.session.id] = {}

        user_session = user_sessions[context.session.id]
        return user_session.get(key, default)

    def set(self, key, value):
        if not context.session:
            return None

        if context.session.id not in user_sessions:
            user_sessions[context.session.id] = {}

        user_session = user_sessions[context.session.id]
        user_session[key] = value

Additionally, implementing authentication mechanisms such as password authentication, OAuth, or custom header authentication can enhance security and ensure unique user identification. By defining a CHAINLIT_AUTH_SECRET environment variable and using authentication callbacks, you can ensure that each user has a unique identifier, preventing data sharing across users [1][2][3].

To continue talking to Dosu, mention @dosu.

@dosubot dosubot bot added the bug Something isn't working label Oct 7, 2024
@dokterbob dokterbob added security evaluate-with-priority What's needed to address this one? labels Oct 11, 2024
@dokterbob
Copy link
Collaborator

#1442 is probably related.

@dokterbob dokterbob mentioned this issue Nov 13, 2024
Closed
7 tasks
@dokterbob dokterbob mentioned this issue Dec 10, 2024
Merged
dokterbob pushed a commit that referenced this issue Dec 12, 2024
@willydouhard
feat: enhance socket.io configuration and CORS handling (#1575)
d531633 
This improves Socket.IO configuration and CORS handling for cross-origin use cases,
particularly focusing on scenarios where Chainlit is embedded in other websites (copilot, closes #1279) or deployed behind load balancers:

- Make Socket.IO client transports configurable via `project.transports` setting
- Move connection parameters from headers to Socket.IO auth object for better
  websocket compatibility
- Update CORS handling to properly support authenticated cross-origin requests. Closes #1359.
- Remove unnecessary task start/end events from window_message handler

BREAKING CHANGE: For cross-origin deployments, wildcard "*" is no longer supported
in allow_origins when using authenticated connections. Specific origins must be
listed in the project config.

Possibly resolves #719, #1339, #1369, #1407, #1492, #1507.
@dokterbob
Copy link
Collaborator

Should be resolved with #1575. Would love feedback as to whether indeed the issue is resolved!

dokterbob pushed a commit to synergyai-nl/chainlit that referenced this issue Jan 14, 2025
@willydouhard @dokterbob
feat: enhance socket.io configuration and CORS handling (Chainlit#1575)
7bc71d6 
This improves Socket.IO configuration and CORS handling for cross-origin use cases,
particularly focusing on scenarios where Chainlit is embedded in other websites (copilot, closes Chainlit#1279) or deployed behind load balancers:

- Make Socket.IO client transports configurable via `project.transports` setting
- Move connection parameters from headers to Socket.IO auth object for better
  websocket compatibility
- Update CORS handling to properly support authenticated cross-origin requests. Closes Chainlit#1359.
- Remove unnecessary task start/end events from window_message handler

BREAKING CHANGE: For cross-origin deployments, wildcard "*" is no longer supported
in allow_origins when using authenticated connections. Specific origins must be
listed in the project config.

Possibly resolves Chainlit#719, Chainlit#1339, Chainlit#1369, Chainlit#1407, Chainlit#1492, Chainlit#1507.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working evaluate-with-priority What's needed to address this one? needs-triage security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dokterbob @dvdr00t