User Sessions shared across multiple users behind Proxy or VPN

Chainlit / chainlit

Build Conversational AI in minutes ⚡️

Apache License 2.0

7.27k stars 958 forks source link

Describe the bug
When multiple users access the Chainlit application from the same IP (e.g., when behind a proxy or VPN), the user_session is shared across those users, leading to data from one session being accessible by another. This results in a mixing of session data, causing unexpected behavior, such as retrieving or storing incorrect session-specific information.

To Reproduce
Steps to reproduce the behavior:

Deploy a Chainlit application and expose a specifc port to the internet.
Have two or more users access the application through a proxy or VPN (e.g., an office network).
Each user sets and retrieves session-specific data using cl.user_session.set() and cl.user_session.get().
Observe that session data from one user is accessible by another.

Expected behavior
Each user should have a unique session, even when accessing the application from the same IP address, ensuring that session-specific data remains private to each user.

Screenshots
If applicable, add screenshots to help explain the problem.

Desktop (please complete the following information):

OS:
Browser:
Version:

Smartphone (please complete the following information):

Device:
OS:
Browser:
Version:

Additional context
The issue seems to stem from how user sessions are identified and stored. In the current setup, it appears that sessions are identified solely by the session ID, which may not be properly isolated for different users behind the same IP. As a result, users sharing the same IP (e.g., through a corporate proxy or VPN) can end up sharing the same session, causing a mix-up of session data.

Hey @dvdr00t! I'm here to help you with any bugs, questions, or contributions you have for Chainlit. Let's squash those bugs together!

To ensure that each user has a unique session in a Chainlit application, even when multiple users access it from the same IP address through a proxy or VPN, you can rely on the context.session.id to uniquely identify each session. The UserSession class uses context.session.id to manage user-specific data, ensuring that each session is distinct and not shared across users.

Here's how you can achieve this:

The user_sessions dictionary should store session data keyed by context.session.id, which is unique for each session.
When a session is accessed, check if context.session.id exists in user_sessions. If not, create a new entry, ensuring that each session is isolated.

Here's a code snippet demonstrating this approach:

user_sessions: Dict[str, Dict] = {}

class UserSession:
    def get(self, key, default=None):
        if not context.session:
            return default

        if context.session.id not in user_sessions:
            user_sessions[context.session.id] = {}

        user_session = user_sessions[context.session.id]
        return user_session.get(key, default)

    def set(self, key, value):
        if not context.session:
            return None

        if context.session.id not in user_sessions:
            user_sessions[context.session.id] = {}

        user_session = user_sessions[context.session.id]
        user_session[key] = value

Additionally, implementing authentication mechanisms such as password authentication, OAuth, or custom header authentication can enhance security and ensure unique user identification. By defining a CHAINLIT_AUTH_SECRET environment variable and using authentication callbacks, you can ensure that each user has a unique identifier, preventing data sharing across users ^[1]^[2]^[3].

To continue talking to Dosu, mention @dosu.

Chainlit / chainlit

User Sessions shared across multiple users behind Proxy or VPN #1407

1442 is probably related.