linkedin icon indicating copy to clipboard operation
linkedin copied to clipboard
verified publisher icon hexgnu

LinkedIn API session issue

Open jbayotlang opened this issue 9 years ago • 1 comments

Hi All

Our web app is built around Ruby on Rails 3. We use the linkedin rubygem to integrate the LinkedIn API.

We have successful Linkedin sign-in and registrations, but at rare cases (occurring twice or thrice a year so far), a user logins/registers via LinkedIn but a totally different and unconnected user shows up. (UserA enters LinkedIn credentials for the permissions, but some LinkedIn UserB gets returned). We don't get why this happens at all.

Here is the code snippet for the OAuth url:

client = LinkedIn::Client.new('app_token', 'app_secret', @@config)
request_token = client.request_token(:oauth_callback => "http://#{request.host}:#{request.port}/auth/oauth_account")
session[:rtoken] = request_token.token
session[:rsecret] = request_token.secret
session[:provider_user] = "linkedin"
redirect_to request_token.authorize_url

The bug highly makes it insecure for users. Could someone help?

jbayotlang avatar Apr 05 '16 05:04 jbayotlang

UserA and UserB are in your app?

If so then it seems like a session hijacking issue where the session is getting shared with another user.

Also is your app thread-safe?

hexgnu avatar Apr 05 '16 15:04 hexgnu