Bug 184314 (rhn-freakyfriday)

Summary: User switching bug for 406/410
Product: [Retired] Red Hat Network
Component: RHN/Web Site
Reporter: Mike McCune <mmccune>
Assignee: Jesus M. Rodriguez <jesusr>
QA Contact: Vlady Zlatkin <vzlatkin>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rhn400
CC: rhn-bugs
Hardware: All
OS: Linux
Fixed In Version: rhn406
Doc Type: Bug Fix
Last Closed: 2006-03-15 19:04:18 UTC
Bug Blocks: 178198

Description Mike McCune 2006-03-07 22:45:28 UTC
Users are still getting switched around.  The problem was with our cookies and
images:

1) user requests

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

we send back the image and the headers:

Set-Cookie:
rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b;
Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
Set-Cookie:
pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28;
Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT;
Path=/; Secure

2) our apache proxy that sits in front of the java/tomcat box sez: "Hey, this is
an image, let's cache it!".  So it caches the image, but also caches the headers
from step 1.

3) another user requests:

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

they were logged in as themselves, but suddenly they are logged in as the user from
step 1.

This is because the proxy layer said: "hey, I have this in my cache, let's give
it back to the user", but not only did they get the image, they also got the
cookies from user1.

Switcharoo.

The reason we didn't see this until 405 was that the docs weren't being served from
tomcat until 405 was released, and all the other images that RHN uses are served
from apache and don't have this issue.



Bryan Kearney wrote:

> Ok.. can you explain for the dumb folks in the room.
>
> -- bk
>
>
> Mike McCune wrote:
>
>> we solved the problem.  Here was our eureka moment (I'm probably hexing us by sharing this):
>>
>> on rhnphy.back-webdev:
>>
>> (12:18:57) mmccune:  /var/cache/httpd/D/e/V
>> (12:19:03) mmccune: # ls -al
>> (12:19:04) mmccune: total 12
>> (12:19:04) mmccune: drwx------  2 apache apache 4096 Mar  7 15:16 .
>> (12:19:04) mmccune: drwx------  3 apache apache 4096 Mar  7 15:09 ..
>> (12:19:04) mmccune: -rw-------  1 apache apache 3585 Mar  7 15:16 YGANJ7o2fUXGPZaMZeg
>> (12:19:04) mmccune: [root@rhnphy V]#
>> (12:19:19) mmccune: [root@rhnphy V]# more YGANJ7o2fUXGPZaMZeg
>> (12:19:19) mmccune: 00000000440DEA39 0000000043FF27C9 000000003D2527D0 0000000000000003 00000000440DEA39 00000000440DEA39 00000000000007A2
>> (12:19:19) mmccune: X-URL: http://rlx-2-10.rhndev.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png
>> (12:19:19) mmccune: Accept: image/png,*/*;q=0.5
>> (12:19:19) mmccune: Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> (12:19:19) mmccune: Accept-Encoding: gzip,deflate
>> (12:19:19) mmccune: Accept-Language: en-us,en;q=0.5
>> (12:19:19) mmccune: Connection: keep-alive
>> (12:19:19) mmccune: Cookie: JSESSIONID=0CC9BE562F5EDCE609FDA1FE9E60807E; rh_auth_token=0:1141762166x753cc1aad1b272d0df0f26f82c924d21; pxt-session-cookie=2343597690x38cb985ea49cbc660826794d25f2d3c9; s_vi=[CS]v1|4403566C00003D08-A160B080000002D[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D
>> (12:19:19) mmccune: Host: rhn.webdev.redhat.com
>> (12:19:19) mmccune: Keep-Alive: 300
>> (12:19:26) mmccune: neato!
>> (12:20:25) mmccune: <VirtualHost rhn.webdev.redhat.com:443>
>> (12:20:25) mmccune: ...
>> (12:20:30) mmccune:    CacheRoot /var/cache/httpd
>> (12:20:30) mmccune:    CacheSize 2560000
>> (12:20:30) mmccune:    CacheMaxExpire 6
>> (12:20:30) mmccune: </VirtualHost>
>> (12:24:07) mmccune:  HEAD -e https://rhn.webqa.redhat.com/rhn/help/reference/rhn405/en/figs/software-manager/icon_management.png |grep Cookie
>> (12:24:07) mmccune: Set-Cookie: rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b; Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
>> (12:24:07) mmccune: Set-Cookie: pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28; Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/; Secure
>> (12:24:27) mmccune:  HEAD -e https://rhn.webdev.redhat.com/img/logo_header_network.gif |grep Cookie
>> (12:24:27) mmccune: [mmccune@cascade ~]$
>>
>> don't set headers/cookies on img files.
>>
>

-- 
Mike McCune
mmccune
Engineering Team Lead     | Portland, OR
Red Hat Network           | 650.567.9039x79248
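The cache leak described in the report, modelled as an added example (not code from this bug or from RHN): a toy URL-keyed proxy cache that, like the apache layer in front of tomcat, hands the first requester's stored Set-Cookie headers to every later requester, beside a strict variant that refuses to store any response carrying per-user headers. The origin servlet, user names and cookie values are constructed stand-ins.

```python
"""Toy shared cache modelling the rhn405 cookie switcharoo (added example;
the sample origin and cookie values below are constructed, not captured)."""

# Headers that carry one client's credentials and must never be replayed
# to another client out of a shared (proxy) cache.
PER_USER_HEADERS = {"set-cookie", "set-cookie2", "authorization", "www-authenticate"}


def shared_cache_may_store(headers: list[tuple[str, str]]) -> bool:
    """True only if a shared cache may store this response verbatim.

    A response that sets a session cookie is per-user: caching it replays the
    first requester's session to everyone who later asks for the same URL.
    Cache-Control private/no-store also forbids shared storage."""
    for name, value in headers:
        lname = name.lower()
        if lname in PER_USER_HEADERS:
            return False
        if lname == "cache-control":
            directives = {d.strip().lower() for d in value.split(",")}
            if directives & {"private", "no-store"}:
                return False
    return True


class ProxyCache:
    """URL-keyed cache between clients and an origin (apache in front of tomcat)."""

    def __init__(self, origin, strict: bool):
        self.origin = origin  # callable(url, user) -> list of (header, value)
        self.strict = strict  # True: refuse to store per-user responses (the fix)
        self.store: dict[str, list[tuple[str, str]]] = {}

    def get(self, url: str, user: str) -> list[tuple[str, str]]:
        if url in self.store:  # hit: whoever asks gets the stored headers
            return self.store[url]
        headers = self.origin(url, user)
        if not self.strict or shared_cache_may_store(headers):
            self.store[url] = headers
        return headers


def rhn_origin(url: str, user: str) -> list[tuple[str, str]]:
    """Constructed stand-in for the docs servlet: sets a session cookie on every response, even a PNG."""
    return [("Content-Type", "image/png"),
            ("Set-Cookie", f"pxt-session-cookie=session-of-{user}; Path=/; Secure")]


def session_cookies_seen_by(cache: ProxyCache, url: str, user: str) -> list[str]:
    """Set-Cookie values the named user receives for url via the cache."""
    return [v for k, v in cache.get(url, user) if k.lower() == "set-cookie"]
```

With `strict=False` the second user is handed the first user's cookie straight from the cache; with `strict=True` the image is simply never stored, which is the same outcome as the fix of not setting cookies on image responses.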

Comment 3 Jesus M. Rodriguez 2006-03-08 19:36:09 UTC
TEST PLAN
----------
1) login to rhn from 2 different machines or 2 different browsers
   i.e. firefox and konqueror (2 machines is easier) as 2 different
   users i.e. commandcenter & jesusr_redhat

2) Browse to help
   Help -> Reference Guide -> Red Hat Network 4.0.5 Reference Guide ->
   English -> 3. Red Hat Network Daemon

   (do the above for both browsers)

3) now from the commandcenter user, click next '>' a few times

4) now from the jesusr_redhat user do the same; after 2 or 3 clicks
   you WOULD'VE become commandcenter.  With this fix you will NOT
   become commandcenter; you remain yourself.

Comment 4 Vlady Zlatkin 2006-03-09 19:16:09 UTC
this works in webqa

Comment 5 Vlady Zlatkin 2006-03-15 19:04:18 UTC
verified in prod