
Record an ActivityLog when session anomalies are detected for a user#24486

Merged
diox merged 5 commits into mozilla:master from diox:session-changes-logging
Feb 25, 2026

Conversation

@diox (Member) commented Feb 19, 2026

Description

When session authentication is used (login_required or SessionIDAuthentication are about to return a valid user) this checks that several key HTTP headers in the request match what we had in the session. Any mismatch we didn't already know about counts as an anomaly and is logged.

The feature is behind an enable-session-anomaly-recording waffle switch.

Testing

These headers are added/overwritten by the CDN/WAF, but you can test locally by:

  • Enabling the enable-session-anomaly-recording waffle switch
  • Grabbing the session ID from the cookies of an authenticated user from your browser
  • Making an authenticated API request with that session ID to an API that allows session authentication, with one or more of the headers (Client-JA4, Cloudfront-Viewer-Country, Ohfp) set
    • Nothing should happen yet. If you inspect the session in a shell however, you should see we started recording the values of the headers in the session:

    ```python
    from importlib import import_module

    from django.conf import settings

    # Load the configured session backend and read the stored header values
    # for the session ID copied from the browser cookie.
    engine = import_module(settings.SESSION_ENGINE)
    print(engine.SessionStore(session_key="<session_id>").get('request_headers'))
    ```
  • Repeating the previous step while changing the value for one or more of the headers that were present before: you should still be authenticated, but inspecting the database you should see an ActivityLog for that user showing the differences in details. You should also see the same thing in the session under a session_anomalies key.

Fixes https://mozilla-hub.atlassian.net/browse/AMOENG-2165
Fixes https://mozilla-hub.atlassian.net/browse/AMOENG-2170
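The comparison the description outlines, as an added example that is not code from this PR or from addons-server: the tracked header names and the request_headers / session_anomalies session keys come from the description above, while the enabled flag standing in for the waffle switch, the plain-dict session, and returning the diff for the caller to write as an ActivityLog are assumptions of this example.

```python
from typing import Mapping, Optional

# Header names named in the PR description (the real list may differ).
TRACKED_HEADERS = ("Client-JA4", "Cloudfront-Viewer-Country", "Ohfp")
# Session keys named in the PR description.
HEADERS_KEY = "request_headers"
ANOMALIES_KEY = "session_anomalies"


def detect_session_anomalies(session: dict, request_headers: Mapping[str, str],
                             enabled: bool = True,
                             tracked=TRACKED_HEADERS) -> Optional[dict]:
    """Compare tracked request headers with the values stored in the session.

    `session` is a plain dict standing in for a Django session (assumption).
    `enabled` stands in for the waffle switch: when False nothing is recorded.

    Returns {header: {"old": ..., "new": ...}} for every tracked header whose
    value differs from the one stored on a previous request, or None when
    there is nothing new to report. Values seen for the first time are just
    recorded; a value already recorded as an anomaly is not reported again,
    because the stored value is updated to the new one.
    """
    if not enabled:
        return None
    # Header names are case-insensitive, so normalise the lookup.
    lowered = {name.lower(): value for name, value in request_headers.items()}
    current = {h: lowered[h.lower()] for h in tracked if h.lower() in lowered}

    stored = session.setdefault(HEADERS_KEY, {})
    diff = {
        header: {"old": stored[header], "new": value}
        for header, value in current.items()
        if header in stored and stored[header] != value
    }
    # Remember the latest values so the next request compares against them.
    stored.update(current)
    if not diff:
        return None
    # Keep a copy in the session as well; the caller records the ActivityLog.
    session.setdefault(ANOMALIES_KEY, []).append(diff)
    return diff
```

The caller (the login_required / SessionIDAuthentication path in the description) would create the ActivityLog from the returned diff and otherwise let the request proceed unchanged.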

When authentication is used (login_required or SessionIDAuthentication
are about to return a valid user) we check that several key HTTP
headers in the request match what we had in the session. Any mismatch
counts as an anomaly and is logged.

The feature is behind an enable-session-anomaly-recording waffle switch.
Comment on lines -157 to -158
We skip the cache in Zeus if someone has an AMOv3+ cookie, so varying on
Cookie at this level only hurts us.
diox (Member, Author) replied:

Hasn't been true for a while...

Comment on lines -25 to -26
If redirect=False then we return 401 instead of redirecting to the
login page. That's nice for ajax views.
diox (Member, Author) replied:

redirect=False wasn't used.

@diox diox marked this pull request as ready for review February 23, 2026 11:29
@diox diox requested a review from willdurand February 23, 2026 11:29
@diox diox merged commit 6e5b2d4 into mozilla:master Feb 25, 2026
44 checks passed