optimizely / react-sdk

React SDK for Optimizely Feature Experimentation and Optimizely Full Stack (legacy)
https://docs.developers.optimizely.com/experimentation/v4.0.0-full-stack/docs/javascript-react-sdk
Apache License 2.0

what are the security implications of running `optimizelyClient.setUser()` on the server-side rendering due to it being multi-user environment #186

Open iamstarkov opened 1 year ago

iamstarkov commented 1 year ago

When you run client.setUser() on the client, it's fine, because the browser is a single-user environment, so you can't share or leak user details when there is just one user.

The server environment is purposefully created to handle a multitude of users at the same time, so one should be very careful not to leak user details in general, or mix different users up. From my understanding, I need to run optimizelyClient.setUser() for Optimizely to make a decision. I worry that, in a race between my setUser call for one user and my trying to make a decision for it, there will be a setUser call happening for another user, and all the decisions end up mixed up and broken for both users.
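A constructed model of the race described in this question, added here as an illustration and not taken from the React SDK or Optimizely (whether the SDK's client actually behaves like the shared-state class is exactly what the issue asks): one object whose setUser() result is read later by an async decide(), beside a per-request user context that keeps each user's data with its own request. The users, flag key and decision rule are made up.

```javascript
// Constructed model, not Optimizely code: a single client object shared by
// every request, whose setUser() is read later by an asynchronous decide().
class SharedStateClient {
  constructor() { this.currentUser = null; }
  setUser(user) { this.currentUser = user; }
  async decide(flagKey) {
    // Simulated async work (datafile lookup, I/O) between the set and the read.
    await new Promise((resolve) => setTimeout(resolve, 0));
    // The decision is derived from whoever is "current" now, not from the caller.
    const user = this.currentUser;
    return { flagKey, userId: user.id, enabled: user.id === 'alice' }; // toy rule
  }
}

// Safer shape: the user travels with the request, so no shared field is mutated.
class PerRequestClient {
  createUserContext(user) {
    return {
      decide: async (flagKey) => {
        await new Promise((resolve) => setTimeout(resolve, 0));
        return { flagKey, userId: user.id, enabled: user.id === 'alice' }; // same toy rule
      },
    };
  }
}

// Two concurrent requests in one process, each for a different (constructed) user.
// A result is "mixed up" when the decision was computed for someone else.
async function serveConcurrently(handleRequest) {
  const users = [{ id: 'alice' }, { id: 'bob' }];
  const results = await Promise.all(users.map((u) => handleRequest(u)));
  return results.map((r, i) => ({
    requested: users[i].id, decidedFor: r.userId, mixedUp: r.userId !== users[i].id,
  }));
}

async function sharedStateRun() {
  const client = new SharedStateClient();
  return serveConcurrently(async (user) => {
    client.setUser(user);             // request A sets alice...
    return client.decide('checkout'); // ...but request B sets bob before A's decide reads it
  });
}

async function perRequestRun() {
  const client = new PerRequestClient();
  return serveConcurrently(async (user) => client.createUserContext(user).decide('checkout'));
}
```

With the shared-state model, alice's request is decided for bob (one mixed-up result out of two); with per-request contexts, neither is.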

mikechu-optimizely commented 1 year ago

I'll bring up this issue along with #185 during our standup today.

iamstarkov commented 1 year ago

@mikechu-optimizely how did it go?

mikechu-optimizely commented 7 months ago

We're taking a closer look at our SSR in general. Ticket FSSDK-9975.