Bug 184314 - (rhn-freakyfriday) User switching bug for 406/410
Status: CLOSED CURRENTRELEASE
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Web Site
Version: rhn400
Hardware: All   OS: Linux
Priority: medium   Severity: medium
Assigned To: Jesus M. Rodriguez
Vlady Zlatkin
Blocks: 178198
Reported: 2006-03-07 17:45 EST by Mike McCune
Modified: 2007-04-18 13:39 EDT (History)

Fixed In Version: rhn406
Doc Type: Bug Fix
Last Closed: 2006-03-15 14:04:18 EST


Attachments: None
Description Mike McCune 2006-03-07 17:45:28 EST
Users are still getting switched around.  The problem was with our cookies and
images:

1) user requests

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

we send back the image and the headers:

Set-Cookie: rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b; Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
Set-Cookie: pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28; Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/; Secure

2) our apache proxy that sits in front of the java/tomcat box sez: "Hey, this is
an image, let's cache it!".  So it caches the image, but also caches the headers
from step 1.

3) another user requests:

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

they were logged in as themselves, but suddenly they are logged in as the user from
step 1.

This is because the proxy layer said: "hey, I have this in my cache, let's give
it back to the user", but not only did they get the image, they also got the
cookies from user1.

Switcharoo.

The reason we didn't see this until 405 was that the docs weren't being served from
tomcat until 405 was released, and all the other images that RHN uses are served
from apache and don't have this issue.



Bryan Kearney wrote:

> Ok.. can you explain for the dumb folks in the room.
>
> -- bk
>
>
> Mike McCune wrote:
>
>> we solved the problem.  Here was our eureka moment (I'm probably hexing us by sharing this):
>>
>> on rhnphy.back-webdev:
>>
>> (12:18:57) mmccune:  /var/cache/httpd/D/e/V
>> (12:19:03) mmccune: # ls -al
>> (12:19:04) mmccune: total 12
>> (12:19:04) mmccune: drwx------  2 apache apache 4096 Mar  7 15:16 .
>> (12:19:04) mmccune: drwx------  3 apache apache 4096 Mar  7 15:09 ..
>> (12:19:04) mmccune: -rw-------  1 apache apache 3585 Mar  7 15:16 YGANJ7o2fUXGPZaMZeg
>> (12:19:04) mmccune: [root@rhnphy V]#
>> (12:19:19) mmccune: [root@rhnphy V]# more YGANJ7o2fUXGPZaMZeg
>> (12:19:19) mmccune: 00000000440DEA39 0000000043FF27C9 000000003D2527D0 0000000000000003 00000000440DEA39 00000000440DEA39 00000000000007A2
>> (12:19:19) mmccune: X-URL: http://rlx-2-10.rhndev.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png
>> (12:19:19) mmccune: Accept: image/png,*/*;q=0.5
>> (12:19:19) mmccune: Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> (12:19:19) mmccune: Accept-Encoding: gzip,deflate
>> (12:19:19) mmccune: Accept-Language: en-us,en;q=0.5
>> (12:19:19) mmccune: Connection: keep-alive
>> (12:19:19) mmccune: Cookie: JSESSIONID=0CC9BE562F5EDCE609FDA1FE9E60807E; rh_auth_token=0:1141762166x753cc1aad1b272d0df0f26f82c924d21; pxt-session-cookie=2343597690x38cb985ea49cbc660826794d25f2d3c9; s_vi=[CS]v1|4403566C00003D08-A160B080000002D[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D
>> (12:19:19) mmccune: Host: rhn.webdev.redhat.com
>> (12:19:19) mmccune: Keep-Alive: 300
>> (12:19:26) mmccune: neato!
>> (12:20:25) mmccune: <VirtualHost rhn.webdev.redhat.com:443>
>> (12:20:25) mmccune: ...
>> (12:20:30) mmccune:    CacheRoot /var/cache/httpd
>> (12:20:30) mmccune:    CacheSize 2560000
>> (12:20:30) mmccune:    CacheMaxExpire 6
>> (12:20:30) mmccune: </VirtualHost>
>> (12:24:07) mmccune:  HEAD -e https://rhn.webqa.redhat.com/rhn/help/reference/rhn405/en/figs/software-manager/icon_management.png |grep Cookie
>> (12:24:07) mmccune: Set-Cookie: rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b; Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
>> (12:24:07) mmccune: Set-Cookie: pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28; Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/; Secure
>> (12:24:27) mmccune:  HEAD -e https://rhn.webdev.redhat.com/img/logo_header_network.gif |grep Cookie
>> (12:24:27) mmccune: [mmccune@cascade ~]$
>>
>> don't set headers/cookies on img files.
>>
>

-- 
Mike McCune
mmccune@redhat.com
Engineering Team Lead     | Portland, OR
Red Hat Network           | 650.567.9039x79248
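The description above walks through a shared proxy cache storing an image response together with its per-user Set-Cookie headers, so the next requester inherits the first user's session. As an added example (not code from this bug report or from RHN), the Python below parses the response headers quoted in the description, reports why a shared cache must not store that response as-is, and models the proxy-side strip that Apache mod_cache's CacheIgnoreHeaders Set-Cookie directive performs; the function names and the STATIC_TYPES list are my own choices for this example.

```python
from typing import List, Tuple

Header = Tuple[str, str]
# Content types that never need a session (assumed list for this example).
STATIC_TYPES = ("image/", "text/css", "application/javascript")

# Constructed from the response headers quoted in the bug description; the
# token values are the ones shown there and expired in 2006.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Set-Cookie: rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b; "
    "Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/\r\n"
    "Set-Cookie: pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28; "
    "Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/; Secure\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> List[Header]:
    """Split a raw HTTP response head into lower-cased (name, value) pairs;
    repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Header] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def findings(headers: List[Header]) -> List[str]:
    """Reasons a shared cache must not store this response as-is (empty: none)."""
    cookies = [v for n, v in headers if n == "set-cookie"]
    ctype = next((v for n, v in headers if n == "content-type"), "")
    cache_control = " ".join(v.lower() for n, v in headers if n == "cache-control")
    out: List[str] = []
    if cookies and not any(tok in cache_control for tok in ("private", "no-store")):
        # Exactly the bug: per-user cookies on a response the origin left cacheable.
        out.append("Set-Cookie without Cache-Control: private or no-store")
    if cookies and ctype.startswith(STATIC_TYPES):
        # Static assets have no business carrying a session; here the docs images
        # were served by the session-aware Tomcat app instead of plain Apache.
        out.append(f"session cookie set on static {ctype} response")
    return out

def strip_for_shared_cache(headers: List[Header]) -> List[Header]:
    """Drop Set-Cookie before storing, as Apache's CacheIgnoreHeaders Set-Cookie does."""
    return [(n, v) for n, v in headers if n != "set-cookie"]
```

Running `findings(parse_headers(SAMPLE_RESPONSE))` reproduces both complaints for the quoted tip.png response, and the stripped header list produces none.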
Comment 3 Jesus M. Rodriguez 2006-03-08 14:36:09 EST
TEST PLAN
----------
1) login to rhn from 2 different machines or 2 different browsers
   i.e. firefox and konqueror (2 machines is easier) as 2 different
   users i.e. commandcenter & jesusr_redhat

2) Browse to help
   Help -> Reference Guide -> Red Hat Network 4.0.5 Reference Guide ->
   English -> 3. Red Hat Network Daemon

   (do the above for both browsers)

3) now from the commandcenter user, click next '>' a few times

4) now from the jesusr_redhat user do the same; after 2 or 3 clicks
   you WOULD'VE become commandcenter.  With this fix you will NOT
   become commandcenter; you remain yourself.
Comment 4 Vlady Zlatkin 2006-03-09 14:16:09 EST
this works in webqa
Comment 5 Vlady Zlatkin 2006-03-15 14:04:18 EST
verified in prod
