Private activity is broadcast to other users by WIAB authentication

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Run a fresh WIAB server, no accounts.
2. On one machine, create account A and log in.
3. On machine B, go to the WIAB URL.

EXPECTED:  B's screen should be the login page.
ACTUAL: Instead, it is the logged-in client of A, with A's user id in the 
status bar.

This tells B the identity of the last user to log in on that machine.  
Fortunately, the search panel on B is blank, so it appears that wave content is 
not sent to B.

@Joseph: any ideas?

Original issue reported on code.google.com by hearn...@google.com on 17 Jan 2011 at 9:09

[GoogleCodeExporter]

Actually, it's far worse than that.  When I tried before it was probably some 
transient index-wave problem.

B's screen does show A's set of waves, and B can open and view all of A's 
waves, with streaming updates.

Attempts by B to edit the wave cause shinies.

Original comment by hearn...@google.com on 17 Jan 2011 at 9:14

• Added labels: Priority-Critical
• Removed labels: Priority-Medium

[GoogleCodeExporter]

Alex suggested this may be a proxy caching issue.  Perhaps we need to 
double-check the headers to make sure that no authenticated page is cacheable?

Original comment by hearn...@google.com on 17 Jan 2011 at 11:50

[GoogleCodeExporter]

Yeah, thats what I thought too. Worth checking out.

Original comment by jose...@gmail.com on 20 Jan 2011 at 11:53

[GoogleCodeExporter]

Strange, I couldn't replicate this issue. However, it is possible to view other 
people waves by pasting the wave URL in the address bar.

Original comment by vega113 on 11 Feb 2011 at 12:20