Bug 184314 (rhn-freakyfriday) - User switching bug for 406/410
Summary: User switching bug for 406/410
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: rhn-freakyfriday
Product: Red Hat Network
Classification: Retired
Component: RHN/Web Site
Version: rhn400
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jesus M. Rodriguez
QA Contact: Vlady Zlatkin
URL:
Whiteboard:
Depends On:
Blocks: 178198
 
Reported: 2006-03-07 22:45 UTC by Mike McCune
Modified: 2007-04-18 17:39 UTC (History)

Fixed In Version: rhn406
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-15 19:04:18 UTC
Embargoed:



Description Mike McCune 2006-03-07 22:45:28 UTC
Users are still getting switched around.  The problem was with our cookies and
images:

1) user requests

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

we send back the image and the headers:

Set-Cookie:
rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b;
Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
Set-Cookie:
pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28;
Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT;
Path=/; Secure

2) our apache proxy that sits in front of the java/tomcat box sez: "Hey, this is
an image, let's cache it!".  So it caches the image, but also caches the headers
from step 1.

3) another user requests:

http://rhn.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png

they were logged in as themselves, but suddenly they are logged in as the user from
step 1.

This is because the proxy layer said: "hey, I have this in my cache, let's give
it back to the user", but not only did they get the image, they also got the
cookies from user1.

Switcharoo.

The reason we didn't see this until 405 was that the docs weren't being served from
tomcat until 405 was released, and all the other images that RHN uses are served
from apache and don't have this issue.



Bryan Kearney wrote:

> Ok.. can you explain for the dumb folks in the room.
>
> -- bk
>
>
> Mike McCune wrote:
>
>> we solved the problem.  Here was our eureka moment (I'm probably hexing us by
sharing this):
>>
>> on rhnphy.back-webdev:
>>
>> (12:18:57) mmccune:  /var/cache/httpd/D/e/V
>> (12:19:03) mmccune: # ls -al
>> (12:19:04) mmccune: total 12
>> (12:19:04) mmccune: drwx------  2 apache apache 4096 Mar  7 15:16 .
>> (12:19:04) mmccune: drwx------  3 apache apache 4096 Mar  7 15:09 ..
>> (12:19:04) mmccune: -rw-------  1 apache apache 3585 Mar  7 15:16
YGANJ7o2fUXGPZaMZeg
>> (12:19:04) mmccune: [root@rhnphy V]#
>> (12:19:19) mmccune: [root@rhnphy V]# more YGANJ7o2fUXGPZaMZeg
>> (12:19:19) mmccune: 00000000440DEA39 0000000043FF27C9 000000003D2527D0
0000000000000003 00000000440DEA39 00000000440DEA39 00000000000007A2
>> (12:19:19) mmccune: X-URL:
http://rlx-2-10.rhndev.redhat.com/rhn/help/reference/rhn405/en/stylesheet-images/tip.png
>> (12:19:19) mmccune: Accept: image/png,*/*;q=0.5
>> (12:19:19) mmccune: Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> (12:19:19) mmccune: Accept-Encoding: gzip,deflate
>> (12:19:19) mmccune: Accept-Language: en-us,en;q=0.5
>> (12:19:19) mmccune: Connection: keep-alive
>> (12:19:19) mmccune: Cookie: JSESSIONID=0CC9BE562F5EDCE609FDA1FE9E60807E;
rh_auth_token=0:1141762166x753cc1aad1b272d0df0f26f82c924d21;
pxt-session-cookie=2343597690x38cb985ea49cbc660826794d25f2d3c9;
s_vi=[CS]v1|4403566C00003D08-A160B080000002D[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D
>> (12:19:19) mmccune: Host: rhn.webdev.redhat.com
>> (12:19:19) mmccune: Keep-Alive: 300
>> (12:19:26) mmccune: neato!
>> (12:20:25) mmccune: <VirtualHost rhn.webdev.redhat.com:443>
>> (12:20:25) mmccune: ...
>> (12:20:30) mmccune:    CacheRoot /var/cache/httpd
>> (12:20:30) mmccune:    CacheSize 2560000
>> (12:20:30) mmccune:    CacheMaxExpire 6
>> (12:20:30) mmccune: </VirtualHost>
>> (12:24:07) mmccune:  HEAD -e
https://rhn.webqa.redhat.com/rhn/help/reference/rhn405/en/figs/software-manager/icon_management.png
|grep Cookie
>> (12:24:07) mmccune: Set-Cookie:
rh_auth_token=4483454:1141758581x7ab3843112841343b95825029e2e214b;
Domain=.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/
>> (12:24:07) mmccune: Set-Cookie:
pxt-session-cookie=2507456287x371ef042b7ba65eb81782069dfe79d28;
Domain=rhn.webqa.redhat.com; Expires=Tue, 07-Mar-2006 20:09:41 GMT; Path=/; Secure
>> (12:24:27) mmccune:  HEAD -e
https://rhn.webdev.redhat.com/img/logo_header_network.gif |grep Cookie
>> (12:24:27) mmccune: [mmccune@cascade ~]$
>>
>> don't set headers/cookies on img files.
>>
>

-- 
Mike McCune
mmccune
Engineering Team Lead     | Portland, OR
Red Hat Network           | 650.567.9039x79248

Comment 3 Jesus M. Rodriguez 2006-03-08 19:36:09 UTC
TEST PLAN
----------
1) login to rhn from 2 different machines or 2 different browsers
   i.e. firefox and konqueror (2 machines is easier) as 2 different
   users i.e. commandcenter & jesusr_redhat

2) Browse to help
   Help -> Reference Guide -> Red Hat Network 4.0.5 Reference Guide ->
   English -> 3. Red Hat Network Daemon

   (do the above for both browsers)

3) now from the commandcenter user, click next '>' a few times

4) now from the jesusr_redhat user do the same; after 2 or 3 clicks
   you WOULD'VE become commandcenter.  With this fix you will NOT
   become commandcenter, you remain yourself.
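
The cache/cookie interaction described in the bug report and the two-user check in the test plan above, modelled offline as an added example. This is not code from RHN, Apache or the fix itself: the origin, the caching proxy and the browsers are in-memory stand-ins, the cookie names follow the report, and the token values are constructed. The `ignore_headers` knob on the proxy is a stand-in for a cache that drops named headers before storing an entry.

```python
# Added illustration, not RHN or Apache code: origin, proxy and browser are
# in-memory stand-ins; cookie names follow the bug report, token values are made up.
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# From the report: the doc image came from tomcat via the proxy, the logo from apache.
TOMCAT_IMAGE = "/rhn/help/reference/rhn405/en/stylesheet-images/tip.png"
APACHE_IMAGE = "/img/logo_header_network.gif"


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]]  # ordered; Set-Cookie may repeat
    body: bytes


def origin(path: str, user: str, cookies_on_images: bool) -> Response:
    """Backend stand-in. /rhn/ paths are tomcat, which before the fix re-set the
    caller's auth cookies on every response, images included; /img/ is plain apache."""
    headers = [("Content-Type", "image/png" if path.endswith(".png") else "image/gif")]
    if cookies_on_images and path.startswith("/rhn/"):
        headers += [("Set-Cookie", f"rh_auth_token={user}:tok-{user}; Domain=.redhat.com; Path=/"),
                    ("Set-Cookie", f"pxt-session-cookie=sess-{user}; Domain=rhn.webqa.redhat.com; Path=/; Secure")]
    return Response(200, headers, b"\x89PNG")


class CachingProxy:
    """Apache-cache stand-in: stores every 200 for an image path, headers and all.
    ignore_headers plays the role of a CacheIgnoreHeaders-style setting: those
    headers are dropped before the entry is stored, so they are never replayed."""

    def __init__(self, ignore_headers: Sequence[str] = ()) -> None:
        self.ignore = {h.lower() for h in ignore_headers}
        self.store: Dict[str, Response] = {}
        self.hits = 0

    def get(self, path: str, user: str, cookies_on_images: bool) -> Response:
        if path in self.store:
            self.hits += 1
            return self.store[path]
        resp = origin(path, user, cookies_on_images)
        if resp.status == 200 and path.endswith((".png", ".gif")):
            kept = [(k, v) for k, v in resp.headers if k.lower() not in self.ignore]
            self.store[path] = Response(resp.status, kept, resp.body)
        return resp


class Browser:
    """A logged-in client with a cookie jar that honours Set-Cookie."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.jar = {"rh_auth_token": f"{user}:tok-{user}", "pxt-session-cookie": f"sess-{user}"}

    def fetch(self, proxy: CachingProxy, path: str, cookies_on_images: bool) -> None:
        for name, value in proxy.get(path, self.user, cookies_on_images).headers:
            if name.lower() == "set-cookie":
                cookie, _, rest = value.partition("=")
                self.jar[cookie] = rest.split(";", 1)[0]

    def logged_in_as(self) -> str:
        return self.jar["rh_auth_token"].split(":", 1)[0]


def two_users(proxy: CachingProxy, cookies_on_images: bool) -> Tuple[str, str]:
    """user1 loads the doc image, then user2 loads it; who is each logged in as afterwards?"""
    u1, u2 = Browser("user1"), Browser("user2")
    u1.fetch(proxy, TOMCAT_IMAGE, cookies_on_images)
    u2.fetch(proxy, TOMCAT_IMAGE, cookies_on_images)
    return u1.logged_in_as(), u2.logged_in_as()


def rhn405() -> Tuple[str, str]:
    """Reported behaviour: the cached Set-Cookie turns user2 into user1."""
    return two_users(CachingProxy(), cookies_on_images=True)


def rhn406() -> Tuple[str, str]:
    """The fix in this bug: no cookies on image responses, so nothing to replay."""
    return two_users(CachingProxy(), cookies_on_images=False)


def hardened_proxy() -> Tuple[str, str]:
    """Cache-side defence in depth: strip Set-Cookie before storing, so a backend
    that still sets cookies on images cannot poison other users through the cache."""
    return two_users(CachingProxy(ignore_headers=["Set-Cookie"]), cookies_on_images=True)


def cookie_leaking_assets(paths: Sequence[str], cookies_on_images: bool) -> List[str]:
    """The check from the report (HEAD each static URL, grep for Set-Cookie): any
    static asset answered with Set-Cookie can hand its cookies to whoever next
    hits a shared cache in front of it."""
    return [p for p in paths
            if any(k.lower() == "set-cookie"
                   for k, _ in origin(p, "auditor", cookies_on_images).headers)]


if __name__ == "__main__":
    print("rhn405:", rhn405())
    print("rhn406:", rhn406())
    print("hardened proxy:", hardened_proxy())
    print("leaking:", cookie_leaking_assets([TOMCAT_IMAGE, APACHE_IMAGE], True))
```

`rhn405()` reproduces the switcharoo, `rhn406()` the behaviour after this fix, and `cookie_leaking_assets()` is the automated form of the `HEAD -e ... | grep Cookie` check from the report, worth running over every static path a shared cache or CDN fronts. The `hardened_proxy()` case is the belt-and-braces the report does not claim to have applied: Apache's mod_cache has a `CacheIgnoreHeaders` directive that drops named headers such as `Set-Cookie` from stored entries, and an origin that marks per-user responses `Cache-Control: private` or `no-store` keeps a compliant shared cache from storing them at all, so the bug cannot come back the next time something user-specific ends up on a cacheable URL.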

Comment 4 Vlady Zlatkin 2006-03-09 19:16:09 UTC
this works in webqa

Comment 5 Vlady Zlatkin 2006-03-15 19:04:18 UTC
verified in prod

