I am using AuthKit-0.4.0dev_r95

Everything was going well in my test environment, where the server and
client are on the same box, but a problem has surfaced when I moved it
to production on a remote box.

Production network flow:
user -> internet -> firewall -> nat httpd reverse proxy -> pylons app

Web app flow:
1. A user enters the correct username and password
2. My code sets request.environ['paste.auth_tkt.set_user'](username)
3. The user is redirect_to(request.environ['HTTP_REFERER'])
4. Since this landing page is a restricted area, the @validate decorator
        is triggered again. (a good thing)
5. AuthKit takes the user's cookie value and compares it to a recalculation
        of what it should be. (a good thing)

Result: "BadTicket: Digest signature is not correct Expected:"
(not a good thing)

The debug log gave me an idea of what might be happening.

The original cookie was generated using the httpd reverse proxy IP and
the recalculation is using the remote client IP.  They do not match.

When the cookie middleware is first called, it prints the following to the log:

        These cookies were found: []
        Our cookie 'auth_tkt' value is therefore '' 
        Remote addr '64.233.167.99', value '', include_ip True

BUT, the next 3 debug log lines show the httpd reverse proxy IP being
used in the calculations to SET the user cookie.  It appears that the
value is not passed to the function; it decides to use its own.

        calculate_digest(ip='192.168.100.1', timestamp=...
        encode_ip_timestamp(ip='192.168.100.1', timestamp=...
        Calculating the digest ip '192.168.100.1'... 

A few lines later in the log, the recalculation used to verify the
cookie shows it using the expected client remote address.

        parse_ticket(secret=...
        calculate_digest(ip='64.233.167.99'...
        encode_ip_timestamp(ip='64.233.167.99'...
        BadTicket: Digest signature is not correct Expected:


What am I doing wrong here?


FOOTNOTE:  

Full disclosure:  I did make one source code change in my cookie.py.  In
the function calculate_digest, I changed the userid to a string.  For
some reason the function fails if the userid is unicode, leaving me
without AuthKit altogether.  I am pretty sure that this does not affect
the setting or recalculation of cookie digests, because everyone uses
the same code.

- digest0 = md5.new(encode_ip_timestamp(ip, timestamp) + 
-       secret + userid + '\0' + tokens + 
-       '\0' + user_data).hexdigest()

+ digest0 = md5.new(encode_ip_timestamp(ip, timestamp) + 
+       secret + str(userid) + '\0' + tokens + 
+       '\0' + user_data).hexdigest()
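Review bot: the `str(userid)` in the `+` line only moves the failure rather than removing it: under Python 2 (this is the `md5.new` era) `str()` on a unicode value goes through the default ascii codec, so any username with a non-ASCII character raises UnicodeEncodeError inside calculate_digest and the digest is again never produced. Prefer an explicit encoding, e.g. `secret + userid.encode('utf-8') + '\0' + tokens +`, and apply the same treatment to secret, tokens and user_data, which are concatenated into the same md5 input; that way the hash is always over well-defined bytes, and the same bytes whether a given value arrives as str or as unicode, so a userid that is unicode at set time and a byte string at verify time cannot yield two different digests for the same user.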


-- 

michael

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to pylons-discuss@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
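The log lines above (calculate_digest, encode_ip_timestamp, parse_ticket) are the auth_tkt ticket arithmetic, and the failure is exactly what that scheme is designed to produce when the address fed to the digest at set time differs from the one fed to it at verify time. The following is an added worked example, written for this page and not AuthKit's or Paste's own code: a Python 3 reimplementation of the ticket format described in the footnote (two rounds of MD5 over the packed IP and timestamp, the secret, the userid, the tokens and the user data), plus a hypothetical `client_ip` helper that shows the two ways to make the address consistent behind a reverse proxy. The secret, the trusted-proxy set, the use of the X-Forwarded-For header, the `0.0.0.0` placeholder for the include_ip=False case, and the names `make_ticket`, `client_ip` and `demo` are all assumptions of this example, and the request environ and addresses are constructed from the values quoted in the post.

```python
import hashlib
import hmac
import struct
import time


class BadTicket(Exception):
    """Raised when a ticket does not parse or its digest does not verify."""


def _b(s):
    # Hash over well-defined bytes: encode text as UTF-8 instead of str()-coercing it.
    return s.encode("utf-8") if isinstance(s, str) else s


def encode_ip_timestamp(ip, timestamp):
    """4 raw bytes of the dotted-quad IP followed by the 32-bit big-endian timestamp."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("ticket IP must be an IPv4 dotted quad, got %r" % ip)
    return struct.pack(">4B", *octets) + struct.pack(">I", int(timestamp) & 0xFFFFFFFF)


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data):
    """Two-round MD5 over ip+timestamp, secret, userid, tokens and user_data."""
    digest0 = hashlib.md5(encode_ip_timestamp(ip, timestamp) + _b(secret) + _b(userid)
                          + b"\0" + _b(tokens) + b"\0" + _b(user_data)).hexdigest()
    return hashlib.md5(digest0.encode("ascii") + _b(secret)).hexdigest()


def make_ticket(secret, userid, ip, tokens="", user_data="", timestamp=None):
    """Cookie value: <32 hex digest><8 hex timestamp><userid>!<tokens>!<user_data>."""
    timestamp = int(time.time() if timestamp is None else timestamp)
    digest = calculate_digest(ip, timestamp, secret, userid, tokens, user_data)
    value = "%s%08x%s!" % (digest, timestamp, userid)
    if tokens:
        value += tokens + "!"
    return value + user_data


def parse_ticket(secret, ticket, ip):
    """Split the cookie value, recompute the digest for `ip` and compare."""
    if len(ticket) < 40:
        raise BadTicket("Ticket is too short")
    digest = ticket[:32]
    try:
        timestamp = int(ticket[32:40], 16)
    except ValueError:
        raise BadTicket("Timestamp is not a hex integer")
    try:
        userid, data = ticket[40:].split("!", 1)
    except ValueError:
        raise BadTicket("userid is not followed by '!'")
    if "!" in data:
        tokens, user_data = data.split("!", 1)
    else:
        tokens, user_data = "", data
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data)
    if not hmac.compare_digest(_b(expected), _b(digest)):
        raise BadTicket("Digest signature is not correct. Expected: %s" % expected)
    return timestamp, userid, tokens.split(",") if tokens else [], user_data


def client_ip(environ, trusted_proxies, include_ip=True):
    """Address a ticket is bound to; set and verify must both use this, never raw REMOTE_ADDR."""
    if not include_ip:
        return "0.0.0.0"  # fixed placeholder: the digest no longer depends on the address
    addr = environ["REMOTE_ADDR"]
    if addr in trusted_proxies:
        # Walk X-Forwarded-For right to left and take the first hop that is not one of
        # our own proxies; anything further left was supplied by the client.
        hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
        for hop in reversed([h for h in hops if h]):
            if hop not in trusted_proxies:
                return hop
    return addr


def demo():
    """Reproduce the mismatch from the post, then the two consistent alternatives."""
    secret = "constructed-example-secret"
    trusted = {"192.168.100.1"}  # the httpd reverse proxy address quoted in the post
    # Constructed environ as the Pylons app sees a request arriving through the proxy.
    environ = {"REMOTE_ADDR": "192.168.100.1", "HTTP_X_FORWARDED_FOR": "64.233.167.99"}

    # 1. Set with the proxy IP, verify with the client IP: the recomputed digest differs.
    ticket = make_ticket(secret, "michael", environ["REMOTE_ADDR"], timestamp=1)
    try:
        parse_ticket(secret, ticket, environ["HTTP_X_FORWARDED_FOR"])
        mismatch_rejected = False
    except BadTicket:
        mismatch_rejected = True

    # 2. Fix A: derive the address the same way on both sides.
    ip = client_ip(environ, trusted)
    ticket = make_ticket(secret, "michael", ip, tokens="admin", timestamp=1)
    _, userid, tokens, _ = parse_ticket(secret, ticket, client_ip(environ, trusted))

    # 3. Fix B: include_ip=False, so the address never enters the digest at all.
    ticket = make_ticket(secret, "michael", client_ip(environ, trusted, include_ip=False))
    parse_ticket(secret, ticket, client_ip({"REMOTE_ADDR": "10.0.0.7"}, trusted, include_ip=False))
    return mismatch_rejected, ip, userid, tokens
```

Running `demo()` returns `(True, '64.233.167.99', 'michael', ['admin'])`: the proxy-versus-client mismatch is rejected, and both fixes verify. Fix A keeps the IP binding but only trusts X-Forwarded-For when REMOTE_ADDR is one of your own proxies; Fix B drops the binding, which is the simpler choice when clients legitimately change address mid-session.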
