Duplicate session ids
2007-05-25 18:11:13
I fired up an older application today and couldn't log in.  I've
recently updated this machine, so not sure that's related.

Running Cat 5.7007 with current plugins:
    'Session',
    'Session::Store::FastMmap',
    'Session::State::Cookie',

If I have this in my base class:

    sub finalize_cookies {
        my $c = shift;
        $c->session;     # merely touching the session here is enough to trigger it
        return $c->NEXT::finalize_cookies( @_ );
    }

Then I see this:

    [debug] "GET" request for "foo" from "192.168.1.2"
    [debug] Path is "foo"
    [debug] Created session "c60bac05b858475180fd7ec87c136f39a0d864e5"
    [debug] Created session "cb18f99367411577cf491e5d4b623704c177f1b4"

If I remove the $c->session then I get:

    sub finalize_cookies {
        my $c = shift;
        return $c->NEXT::finalize_cookies( @_ );
    }


    [debug] "GET" request for "foo" from "192.168.1.2"
    [debug] Path is "foo"
    [debug] Created session "3c23e190850ca9854d893f93b6ea20148fc24d61"


Wasn't there some issue with FastMmap recently?  I tried with 1.15 and
1.16.

1.16 didn't pass all tests:

t/6.....NOK 6
#   Failed test 'leak test 128 > 30k'
#   in t/6.t at line 81.
t/6.....ok 9/9# Looks like you failed 1 test of 9.
t/6.....dubious
        Test returned status 1 (wstat 256, 0x100)
DIED. FAILED test 6
        Failed 1/9 tests, 88.89% okay
t/7.....ok



-- 
Bill Moseley
moseley@hank.org


_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/

Re: Duplicate session ids
2007-05-26 12:00:25
Perhaps an easier way to show the problem with duplicate created
sessions would help.


If you cut-n-paste the commands below into a bash shell you should see
something like this:

    [debug] Created session "aad42ec88bcfd85dd0c51d38d3b5f207bbca6462"
    [debug] Created session "2bc62f4b3903025c77577e92139964c60d9467bb"



Note: this will create a "Session" directory in the current dir:


catalyst.pl Session >/dev/null

cat << 'EOF' > Session/lib/Session.pm
package Session;
use strict;
use warnings;
use Catalyst::Runtime '5.70';
use Catalyst qw/
    -Debug
    ConfigLoader
    Static::Simple
    Session
    Session::Store::FastMmap
    Session::State::Cookie
/;

__PACKAGE__->config( name => 'Session' );
__PACKAGE__->setup;

sub foo : Local {
    my ( $self, $c ) = @_;
    $c->session->{bar} = 'hello';
    $c->res->body( "in foo\n" );
}

# Reading the session here is what produces the second "Created session".
sub finalize_cookies {
    my $c = shift;
    my $x = $c->session->{bar};   # key assumed; any access has the same effect
    return $c->NEXT::finalize_cookies( @_ );
}
1;
EOF

Session/script/session_test.pl /foo 2>&1 | grep session



I'm running:
    [info] Session powered by Catalyst 5.7007
    | Catalyst::Plugin::ConfigLoader             | 0.05 |
    | Catalyst::Plugin::Session                  | 0.14 |
    | Catalyst::Plugin::Session::State::Cookie   | 0.07 |
    | Catalyst::Plugin::Session::Store::FastMmap | 0.02 |
    | Catalyst::Plugin::Static::Simple           | 0.14 |

$ perl -MCache::FastMmap -le 'print $Cache::FastMmap::VERSION'
1.16


-- 
Bill Moseley
moseley@hank.org



Re: Duplicate session ids
2007-05-26 15:08:48
On 5/26/07, Bill Moseley <moseley@hank.org> wrote:
> Perhaps an easier way to show the problem with duplicate created
> sessions would help.

Do you mean duplicate or multiple?  The session ID generation code in
Catalyst::Plugin::Session does look like it could generate duplicates
to me, but that would be rare and unpredictable.

- Perrin


Re: Duplicate session ids
2007-05-26 15:19:48
On Saturday 26 May 2007 03:08:48 pm Perrin Harkins wrote:
> On 5/26/07, Bill Moseley <moseley@hank.org> wrote:
> > Perhaps an easier way to show the problem with duplicate created
> > sessions would help.
>
> Do you mean duplicate or multiple?  The session ID generation code in
> Catalyst::Plugin::Session does look like it could generate duplicates
> to me, but that would be rare and unpredictable.
>

Please keep in mind that by "rare", he means that you would have to
generate 2317195645184714165087019331424 sessions per second for
10000000000 years in order to have a 50% chance of colliding with an
existing session.

In other words, don't worry about duplicate session IDs.

-- 
package JAPH;use Catalyst
qw/-Debug/;($;=JAPH)->config(name => do {
$,.=reverse qw[Jonathan tsu rehton lre rekca
Rockway][$_].[split //,
";$;"]->[$_].q; ;for
1..4;$,=~s;^.;;;$,});$;->setup;

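As an added check that is not part of the thread: the birthday bound for the 40-hex-digit (160-bit) ids seen in the logs, and what the rate quoted above amounts to.

With $N = 2^{160}$ possible ids and $n$ ids drawn uniformly at random, the chance that some pair coincides is

$$P(\text{collision}) \approx 1 - \exp\!\left(-\frac{n^{2}}{2N}\right),$$

so a 50% chance of any two ids colliding is reached at

$$n_{1/2} \approx \sqrt{2N\ln 2} = \sqrt{2\ln 2}\cdot 2^{80} \approx 1.42 \times 10^{24}.$$

The rate above multiplies out to a different quantity:

$$2.317 \times 10^{30}\ \mathrm{s^{-1}} \times 10^{10}\ \mathrm{yr} \times 3.1536 \times 10^{7}\ \mathrm{s/yr} \approx 7.31 \times 10^{47} = 2^{159} = N/2,$$

which is the number of ids that must already exist before one more fresh id has a 50% chance ($n/N$) of landing on an existing one. Either figure is far beyond any real deployment; the two "Created session" lines in the thread come from a second id being created within one request, not from a collision.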

Re: Duplicate session ids
2007-05-26 16:28:41
On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:
> On 5/26/07, Bill Moseley <moseley@hank.org> wrote:
> >Perhaps an easier way to show the problem with duplicate created
> >sessions would help.
> 
> Do you mean duplicate or multiple?  The session ID generation code in
> Catalyst::Plugin::Session does look like it could generate duplicates
> to me, but that would be rare and unpredictable.

Ya, sorry.  Multiple.  It's generating one session id, storing values
under that ID, then creating a new session id and then sending that as
the cookie.  So when the browser returns that cookie none of the
session data is there.

Let me add some data:

catalyst.pl Session >/dev/null

cat << 'EOF' > Session/lib/Session.pm
package Session;
use strict;
use warnings;
use Catalyst::Runtime '5.70';
use Catalyst qw/
    -Debug
    ConfigLoader
    Static::Simple
    Session
    Session::Store::FastMmap
    Session::State::Cookie
/;

__PACKAGE__->config( name => 'Session' );
__PACKAGE__->setup;

sub foo : Local {
    my ( $self, $c ) = @_;
    $c->session->{bar} = 'hello';

    # Log the id the action sees so it can be compared with the cookie sent.
    warn "Session id = " . $c->sessionid .
        " and value of bar is [" . $c->session->{bar} . "]\n";

    $c->res->body( "in foo\n" );
}

sub finalize_cookies {
    my $c = shift;
    my $x = $c->session->{bar};   # key assumed; any access has the same effect
    return $c->NEXT::finalize_cookies( @_ );
}
1;
EOF

Session/script/session_server.pl

Then:

    $ GET -e http://localhost:3000/foo
    Connection: close
    Date: Sat, 26 May 2007 21:26:29 GMT
    Content-Length: 7
    Content-Type: text/html; charset=utf-8
    Client-Date: Sat, 26 May 2007 21:26:29 GMT
    Client-Peer: 127.0.0.1:3000
    Client-Response-Num: 1
    Set-Cookie: session_session=8090bbdfc17c61425fed48c447098f2fb8187577; path=/; expires=Sat, 26-May-2007 23:26:29 GMT
    Status: 200
    X-Catalyst: 5.7007

    in foo

Now notice the session id?  But the debug log showed this:

    You can connect to your server at http://bumby:3000

    Session id = d7a4953c14ef52183940b57a06cde96f72c7da96 and value of bar is [hello]
    [info] *** Request 1 (0.042/s) [18238] [Sat May 26 14:26:29 2007] ***
    [debug] "GET" request for "foo" from "127.0.0.1"
    [debug] Path is "foo"
    [debug] Created session "d7a4953c14ef52183940b57a06cde96f72c7da96"
    [debug] Created session "8090bbdfc17c61425fed48c447098f2fb8187577"





-- 
Bill Moseley
moseley@hank.org



Re: Duplicate session ids
2007-05-26 17:00:31
Bill Moseley wrote:
> On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:
>> On 5/26/07, Bill Moseley <moseley@hank.org> wrote:
>>> Perhaps an easier way to show the problem with duplicate created
>>> sessions would help.
>> Do you mean duplicate or multiple?  The session ID generation code in
>> Catalyst::Plugin::Session does look like it could generate duplicates
>> to me, but that would be rare and unpredictable.
> 
> Ya, sorry.  Multiple.  It's generating one session id, storing values
> under that ID, then creating a new session id and then sending that as
> the cookie.  So when the browser returns that cookie none of the
> session data is there.

I think I see what's happening.

First, it's the same behavior with Session::Store::File.

In Catalyst->handle_request, there's this (debugging added):

   my $c = $class->prepare(@arguments);
   $c->dispatch;
   $c->log->debug("SID Before: " . $c->_sessionid);
   $status = $c->finalize;
   $c->log->debug("SID After: " . $c->_sessionid);

You'll see that the session id changes after the call to finalize.

   [debug] SID Before: dedcc0cbe98a54a4cb91513d7fc57ac5cabf20ac
   [debug] SID After: a069c84ee4004a21e50faa91f77d3278819c5704

The problem is that the finalize() process calls the
Catalyst::Plugin::Session->finalize_session before finalize_cookies()
is called.

And finalize_session() calls $c->_clear_session_instance_data after
saving.

So by the time your finalize_cookies() is called, the session has
been saved and cleared. When you call $c->session in finalize_cookies(),
it's unaware that the session ever existed, so a new one is created.

I don't know what the proper fix is. I'm still trying to understand
the whole process flow. Maybe $c->session should raise an exception
if it's already been saved. And then should the session try to finalize
later (dunno if that's even possible).

Maurice






Re: Duplicate session ids
2007-05-26 17:24:42
On 5/26/07, Jonathan Rockway <jon@jrock.us> wrote:
> Please keep in mind that by "rare", he means that you would have to
> generate 2317195645184714165087019331424 sessions per second for
> 10000000000 years in order to have a 50% chance of colliding with an
> existing session.

Or you could have it happen on the first try.  It's just probability.

If duplicate session IDs are a major concern for your application,
generating them from mod_unique_id or a database sequence should
prevent the possibility, and verifying your cookies with a MAC of some
kind will prevent people from taking advantage of predictable IDs.

It doesn't sound like this is the problem Bill was talking about though.

- Perrin

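An added example (not from the thread, and not Catalyst code) of the two mitigations Perrin names above: ids taken from a sequence, which cannot collide but are trivially guessable, wrapped in an HMAC so the server only honours ids it issued itself. SERVER_KEY, the counter and the cookie layout are constructed for this example.

```python
import hashlib
import hmac
import itertools

# Constructed per-deployment secret for the example; in practice load it from
# configuration and never hard-code it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
_sequence = itertools.count(1)   # stand-in for mod_unique_id or a DB sequence


def new_session_id():
    """Collision-free but predictable id: a counter rendered as 40 hex digits."""
    return f"{next(_sequence):040x}"


def sign_session_id(sid, key=SERVER_KEY):
    """Cookie value '<sid>.<mac>'; the MAC binds the id to this server's key."""
    mac = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_session_cookie(value, key=SERVER_KEY):
    """Return the session id if the MAC is valid, else None (treat as no session)."""
    sid, sep, mac = value.rpartition(".")
    if not sep or len(sid) != 40:
        return None
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be refined byte by byte.
    return sid if hmac.compare_digest(expected, mac) else None


def demo():
    """Issue one cookie, then reject a guessed neighbouring id with a bad MAC."""
    sid = new_session_id()
    cookie = sign_session_id(sid)
    guessed = f"{int(sid, 16) + 1:040x}"          # the next id is easy to predict
    return (
        verify_session_cookie(cookie) == sid,                              # genuine
        verify_session_cookie(sign_session_id(guessed, b"wrong-key")) is None,
        verify_session_cookie(guessed + "." + "0" * 64) is None,           # forged
    )
```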

Re: Duplicate session ids
2007-05-26 17:49:23
mla wrote:
> Bill Moseley wrote:
>> On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:
>>> On 5/26/07, Bill Moseley <moseley@hank.org> wrote:
>>>> Perhaps an easier way to show the problem with duplicate created
>>>> sessions would help.
>>> Do you mean duplicate or multiple?  The session ID generation code in
>>> Catalyst::Plugin::Session does look like it could generate duplicates
>>> to me, but that would be rare and unpredictable.
>>
>> Ya, sorry.  Multiple.  It's generating one session id, storing values
>> under that ID, then creating a new session id and then sending that as
>> the cookie.  So when the browser returns that cookie none of the
>> session data is there.
> 
> I think I see what's happening.

Try changing Catalyst::Plugin::Session::finalize() to this:

sub finalize {
     my $c = shift;

     $c->NEXT::finalize(@_);
     $c->finalize_session;
}

Just flipped the calls so it finalizes last. Seems to fix it.

I still think it might be a good idea to keep track of whether
the finalize has happened and raise an exception if it's used.

Maurice


Re: Duplicate session ids
2007-05-26 18:00:19
On Sat, May 26, 2007 at 03:00:31PM -0700, mla wrote:
> The problem is that the finalize() process calls the
> Catalyst::Plugin::Session->finalize_session before finalize_cookies()
> is called.
> 
> And finalize_session() calls $c->_clear_session_instance_data after
> saving.
> 
> So by the time your finalize_cookies() is called, the session has
> been saved and cleared. When you call $c->session in finalize_cookies(),
> it's unaware that the session ever existed, so a new one is created.

Ah, I see.  This is new behavior at some point -- just not sure when
or what I upgraded to make it show up.  Just could not log into the
application.

Took a few hours to just figure out it was my access of the session in
finalize cookies that was causing the problem.  Amazing what a thirst
for a cold beverage that can generate.


> I don't know what the proper fix is. I'm still trying to understand
> the whole process flow. Maybe $c->session should raise an exception
> if it's already been saved. And then should the session try to finalize
> later (dunno if that's even possible).

Yes, it's a bit of a task winding through all the modules and recent
check-ins looking for what change caused the problem.  I still have a
stray debugging statement I added that I need to track down. ;)  I was
really wishing for some fine grain debugging statements already in the
code I could turn on so I could see the flow of the session management
process during the request.  Even some comments in the code would be
helpful.  I just have not had time to get back to it.


-- 
Bill Moseley
moseley@hank.org



Re: Duplicate session ids
2007-07-08 22:03:45
On Sat, May 26, 2007 at 03:49:23PM -0700, mla wrote:
> Try changing Catalyst::Plugin::Session::finalize() to this:
> 
> sub finalize {
>     my $c = shift;
> 
>     $c->NEXT::finalize(@_);
>     $c->finalize_session;
> }
> 
> Just flipped the calls so it finalizes last. Seems to fix it.

That's what .16 now has.

But, if finalize calls finalize_headers then calling finalize_session
after that is too late to get the cookies in the response.  Which is
why I'm not seeing a cookie in the response.

Well, I get a cookie sent on the first request.  I assume that's
because my first request is asking for session info (when there is not
yet) which ends up calling set_session_id and that calls
update_session_cookie.

But once I have a cookie (and thus a session) no more cookies are
sent.

The problem I had was I wanted access to the session data while
processing cookies which by that time the session data had been
cleared.[1]

Should it be like this instead?

    sub finalize {
        my $c = shift;

        $c->finalize_session;

        $c->NEXT::finalize(@_);

        $c->_clear_session_instance_data;
    }

    sub finalize_session {
        my $c = shift;

        $c->NEXT::finalize_session;

        $c->_save_session_id;
        $c->_save_session;
        $c->_save_flash;
        $c->_save_session_expires;

    }



[1] The result was when I tried to access the session a new session
would then be created -- so my session id was ever-changing and I
could never log in.

-- 
Bill Moseley
moseley@hank.org
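An added model (not Catalyst's code, and not from any post in the thread) of the two finalize orderings discussed: the 0.14 order Maurice traced, where finalize_session saves and clears before finalize_cookies runs, and the order proposed just above, where the clear happens last. Only the pieces the thread names are mimicked (session, _save_session, _clear_session_instance_data, the app's finalize_cookies override); the store, id generation and cookie handling are simplified stand-ins.

```python
import hashlib
import os

class SessionModel:
    def __init__(self):
        self.store = {}                  # backend store (FastMmap / File in the thread)
    def begin_request(self, cookie_sid=None):
        self.cookie_sid = cookie_sid     # id the browser sent back, if any
        self._sessionid = None           # instance data, wiped by _clear_session_instance_data
        self._session = None
        self.created = []                # one entry per "[debug] Created session"
        self.response_cookie = None      # what finalize_headers would emit as Set-Cookie

    def session(self):
        """$c->session: resume the id from the cookie, else create a fresh one."""
        if self._session is None:
            if self._sessionid is None:
                if self.cookie_sid in self.store:
                    self._sessionid = self.cookie_sid
                else:                    # set_session_id -> update_session_cookie
                    self._sessionid = hashlib.sha1(os.urandom(32)).hexdigest()
                    self.created.append(self._sessionid)
                    self.response_cookie = self._sessionid
            self._session = dict(self.store.get(self._sessionid, {}))
        return self._session
    def _save_session(self):
        if self._sessionid is not None:
            self.store[self._sessionid] = self._session or {}
    def _clear_session_instance_data(self):
        self._sessionid = self._session = None

    def finalize_0_14(self, finalize_cookies):       # order Maurice found in 0.14
        self._save_session()
        self._clear_session_instance_data()
        finalize_cookies(self)           # app override touches $c->session -> new id
    def finalize_proposed(self, finalize_cookies):   # proposed order: clear last
        self._save_session()
        finalize_cookies(self)
        self._clear_session_instance_data()

def run(order):
    """Request 1 stores bar in /foo; request 2 returns the cookie and reads it back."""
    s = SessionModel()
    s.begin_request()
    s.session()["bar"] = "hello"
    getattr(s, order)(lambda c: c.session())   # the finalize_cookies from the thread
    ids_created, cookie = len(s.created), s.response_cookie
    s.begin_request(cookie)
    return ids_created, s.session().get("bar")
```

run("finalize_0_14") creates two ids in the first request and the second request finds no data, which is the log pattern at the top of the thread; run("finalize_proposed") creates one id and the data survives.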

