
what are the security implications of running `optimizelyClient.setUser()` in server-side rendering, given that it is a multi-user environment

Open iamstarkov opened this issue 2 years ago • 3 comments

When you run client.setUser() on the client it's fine, because the browser is a single-user environment, so you can't share or leak user details when there is just one user.

A server environment is purposefully created to handle a multitude of users at the same time, so one should be very careful not to leak user details in general, or mix different users up. From my understanding I need to run optimizelyClient.setUser() for Optimizely to make a decision. I worry about a race condition: between my setUser call for one user and the attempt to make a decision for that user, there will be a setUser call happening for another user, and all the decisions end up mixed up and broken for both users.

iamstarkov, Dec 15 '22 13:12
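The interleaving the issue worries about, as an added example that is not Optimizely's code and does not use the real react-sdk API: `SharedStateClient`, `PerRequestClient`, `setUser`, `decide` and the toy `bucket` hash are constructed stand-ins. The point it shows is structural: when a process-wide client keeps one mutable "current user" and a decision is read after an `await`, two concurrent SSR requests can interleave their `setUser` calls so that the first request renders with the second request's identity. Passing the user into the decision call, so nothing is stored on the shared client, removes the window entirely.

```javascript
// Constructed example: a toy model of a shared-client race during SSR.
// None of these classes or functions are Optimizely's; they stand in for
// "some client with a process-wide current user" versus "a decision that
// takes its user as an argument".

// Deterministic toy bucketing so results are reproducible. This is NOT
// Optimizely's hashing; it only makes "enabled" a stable function of input.
function bucket(userId, flagKey) {
  let h = 0;
  for (const ch of `${userId}:${flagKey}`) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
  return h % 2 === 0;
}

// Dangerous shape: a single client instance shared by every request, with
// setUser() mutating state that decide() reads later, after an await.
class SharedStateClient {
  constructor() { this.user = null; }
  setUser(user) { this.user = user; }
  async decide(flagKey) {
    // Any awaited step here (datafile fetch, attribute lookup, DB call) hands
    // control to other requests before the user is read.
    await new Promise((resolve) => setTimeout(resolve, 0));
    const u = this.user;
    return { flagKey, userId: u.id, enabled: bucket(u.id, flagKey) };
  }
}

// Safe shape: the user travels with the call; the client holds no per-user state.
class PerRequestClient {
  async decide(flagKey, user) {
    await new Promise((resolve) => setTimeout(resolve, 0));
    return { flagKey, userId: user.id, enabled: bucket(user.id, flagKey) };
  }
}

// One SSR request handler against the shared client: set user, then decide.
async function renderWithSharedClient(client, user, flagKey) {
  client.setUser(user);
  return client.decide(flagKey);
}

// Two requests for different users arrive "at the same time" on one instance.
async function runShared() {
  const client = new SharedStateClient();
  const [alice, bob] = await Promise.all([
    renderWithSharedClient(client, { id: 'alice' }, 'checkout_v2'),
    renderWithSharedClient(client, { id: 'bob' }, 'checkout_v2'),
  ]);
  // Both setUser() calls ran before either decide() resumed, so alice's
  // request is rendered with bob's identity: alice.userId === 'bob'.
  return { alice, bob };
}

// Same two requests with the user passed explicitly: each keeps its own identity.
async function runPerRequest() {
  const client = new PerRequestClient();
  const [alice, bob] = await Promise.all([
    client.decide('checkout_v2', { id: 'alice' }),
    client.decide('checkout_v2', { id: 'bob' }),
  ]);
  return { alice, bob };
}

// Stand-alone run: prints which user each request actually rendered for.
Promise.all([runShared(), runPerRequest()]).then(([shared, perRequest]) => {
  console.log('shared client  :', shared.alice.userId, shared.bob.userId);
  console.log('per-request    :', perRequest.alice.userId, perRequest.bob.userId);
});
```

The check a practitioner wants before shipping an SSR integration is exactly this test: fire two concurrent renders for different users against the one client instance the server actually uses and assert that each response carries its own user's decisions, not the other's.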

I'll bring up this issue along with #185 during our standup today.

mikechu-optimizely, Dec 16 '22 13:12

@mikechu-optimizely how did it go?

iamstarkov, Dec 19 '22 08:12

We're taking a closer look at our SSR in general. Ticket FSSDK-9975.

mikechu-optimizely, Mar 26 '24 14:03