Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LinkedIn API session issue #260

Open
jbayotlang opened this issue Apr 5, 2016 · 1 comment
Open

LinkedIn API session issue #260

jbayotlang opened this issue Apr 5, 2016 · 1 comment

Comments

@jbayotlang
Copy link

Hi All

Our web app is built around Ruby on Rails 3. We use the linkedin rubygem to integrate the LinkedIn API.

We have successful Linkedin sign-in and registrations, but at rare cases (occurring twice or thrice a year so far), a user logins/registers via LinkedIn but a totally different and unconnected user shows up. (UserA enters LinkedIn credentials for the permissions, but some LinkedIn UserB gets returned). We don't get why this happens at all.

Here is the code snippet for the OAuth url:

client = LinkedIn::Client.new('app_token', 'app_secret', @@config)
request_token = client.request_token(:oauth_callback => "http://#{request.host}:#{request.port}/auth/oauth_account")
session[:rtoken] = request_token.token
session[:rsecret] = request_token.secret
session[:provider_user] = "linkedin"
redirect_to request_token.authorize_url

The bug highly makes it insecure for users. Could someone help?
@hexgnu
Copy link
Owner

hexgnu commented Apr 5, 2016

UserA and UserB are in your app?

If so then it seems like a session hijacking issue where the session is getting shared with another user.

Also is your app thread-safe?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hexgnu @jbayotlang