OK, after a week with no reports of people being logged into the wrong account, we've re-enabled the onion, but now without the response rewriting reverse proxy. This means that the onion works now, but will make some clearnet requests. If we go another week without issues, we will consider it a bug within our reverse proxy.

As always, let us know if you're logged in to someone else's account.

@headmasters I'll be surprised if it ends up being the rewrite proxy after looking at the code; it seems to not really touch headers?

My guess is related to session_activations/auth tokens getting confused with loopback requests originating from else-, but I couldn't ultimately find a smoking gun in masto code.
