
475 points danielstocks | 2 comments
mavster ◴[] No.27303085[source]
I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

1. dminor ◴[] No.27303645[source]
Years ago I added Varnish in front of a website to cache image requests, not realizing that if the response included 'set-cookie' that was also cached.

We immediately started getting reports of random products appearing in our customers' shopping carts, as people's sessions got merged with random strangers.

2. Puts ◴[] No.27306863[source]
Just feel the urge to point out that Varnish by default does specifically not cache requests with a set-cookie header. :)
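
Added example, not part of the thread and not code from any commenter or from Varnish: a pre-store check for the failure mode discussed above, flagging responses that carry `Set-Cookie`, a JWT-shaped token in the body, or other per-user markers before a shared cache (CDN, reverse proxy) keeps them. The function names, finding strings and sample traffic are constructed for illustration.

```python
import re

# Compact JWTs are three base64url segments; a JSON header ({"...) encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def cache_directives(headers):
    """Parse Cache-Control into a {directive: value-or-None} dict."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"') or None
    return out

def shared_cache_findings(request_headers, response_headers, body):
    """List the reasons a response should not be stored by a shared cache."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = cache_directives(resp)
    findings = []
    if "set-cookie" in resp:
        findings.append("response sets a cookie")
    if JWT_RE.search(body):
        findings.append("body contains a JWT-shaped token")
    if cc.keys() & {"private", "no-store"}:
        findings.append("origin marked the response private/no-store")
    # RFC 9111 section 3.5: a response to a request carrying Authorization needs
    # public, s-maxage or must-revalidate before a shared cache may reuse it.
    if "authorization" in req and not cc.keys() & {"public", "s-maxage", "must-revalidate"}:
        findings.append("authenticated request without shared-cache opt-in")
    return findings

# Constructed samples (not captured traffic): (request headers, response headers, body).
SAMPLES = {
    "image + Set-Cookie": ({}, {"Cache-Control": "public, max-age=3600",
                                "Set-Cookie": "session=constructed-value"}, ""),
    "GET returning a JWT": ({}, {"Cache-Control": "public, max-age=60"},
                            '{"token":"eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyLTEifQ.c2ln"}'),
    "plain static asset": ({}, {"Cache-Control": "public, max-age=3600"}, "body{}"),
}

if __name__ == "__main__":
    for name, (req, resp, body) in SAMPLES.items():
        print(name, "->", shared_cache_findings(req, resp, body) or "ok to cache")
```

An empty list means none of these markers were found; it does not prove the response is free of per-user data, so the body check is a backstop behind correct `Cache-Control` headers from the origin.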