I am using AuthKit-0.4.0dev_r95. Everything was going well in my test environment, where the server and client are on the same box, but a problem has surfaced when I moved it to production on a remote box.
Production network flow:

user -> internet -> firewall -> nat httpd reverse proxy -> pylons app

Web app flow:

1. A user enters the correct username and password.
2. My code sets request.environ['paste.auth_tkt.set_user'](username).
3. The user is redirect_to(request.environ['HTTP_REFERER']).
4. Since this landing page is a restricted area, the @validate decorator is triggered again. (a good thing)
5. AuthKit takes the user's cookie value and compares it to a recalculation of what it should be. (a good thing)

Result: "BadTicket: Digest signature is not correct Expected:" (not a good thing)

The debug log gave me an idea of what might be happening. The original cookie was generated using the httpd reverse proxy IP, and the recalculation is using the remote client IP. They do not match.

When the cookie middleware is first called it prints to the log:

These cookies were found: []
Our cookie 'auth_tkt' value is therefore ''
Remote addr '64.233.167.99', value '', include_ip True

BUT, the next 3 debug log lines show the httpd reverse proxy IP being used in the calculations to SET the user cookie. It appears that the value is not passed to the function; it decides to use its own.

calculate_digest(ip='192.168.100.1', timestamp=...
encode_ip_timestamp(ip='192.168.100.1', timestamp=...
Calculating the digest ip '192.168.100.1'...

A few lines later in the log, the recalculation used to verify the cookie shows it using the expected client remote address.

parse_ticket(secret=...
calculate_digest(ip='64.233.167.99'...
encode_ip_timestamp(ip='64.233.167.99'...
BadTicket: Digest signature is not correct Expected:

What am I doing wrong here?

FOOTNOTE: Full disclosure: I did make one source code change in my cookie.py. In the function calculate_digest, I changed the userid to a string. For some reason the function fails if the userid is unicode, leaving me without AuthKit altogether.
I am pretty sure that this does not affect the setting or recalculation of cookie digests, because everyone uses the same code.

- digest0 = md5.new(encode_ip_timestamp(ip, timestamp) +
- secret + userid + '\0' + tokens +
- '\0' + user_data).hexdigest()
+ digest0 = md5.new(encode_ip_timestamp(ip, timestamp) +
+ secret + str(userid) + '\0' + tokens +
+ '\0' + user_data).hexdigest()

--
michael
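Review bot: str(userid) only works for ASCII userids; on Python 2, str() of a unicode value containing any non-ASCII character raises UnicodeEncodeError under the default ascii codec, so the function would fail again for such users. An explicit encoding before the md5 call, e.g. `userid = userid.encode('utf-8')`, handles every userid and makes the chosen encoding visible in the code. As the message says, the change is symmetric (the same calculate_digest runs when the cookie is set and when it is verified), so it does not explain the differing ip values shown in the log, which come from the caller.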
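To make the symptom in the message concrete, here is an added example (not AuthKit's, Paste's, or the poster's code) that reimplements the auth_tkt digest in Python 3: the digest0 line quoted above, followed by the second md5 round over digest0 + secret that mod_auth_tkt and paste.auth.auth_tkt apply, and a small ticket format around it. It then mints a ticket against the proxy address and verifies it against the client address, which reproduces the "Digest signature is not correct" rejection, and shows that resolving the client address the same way on both paths makes the ticket verify. The secret, the environ dict, the trusted-proxy set and the peer_ip helper are constructed for the example and are not part of any of those projects; the rightmost X-Forwarded-For entry is used because earlier entries are client-supplied and only the last one was appended by the trusted proxy itself.

```python
import hashlib
import hmac


class BadTicket(Exception):
    """Raised when a ticket's layout or signature does not check out."""


def _as_bytes(value):
    # Encode text explicitly instead of calling str() on it, so non-ASCII userids work too.
    return value.encode("utf-8") if isinstance(value, str) else value


def encode_ip_timestamp(ip, timestamp):
    # mod_auth_tkt layout: the four IPv4 octets, then the timestamp as a 32-bit big-endian int.
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return ip_bytes + int(timestamp).to_bytes(4, "big")


def calculate_digest(ip, timestamp, secret, userid, tokens=b"", user_data=b""):
    secret, userid, tokens, user_data = map(_as_bytes, (secret, userid, tokens, user_data))
    digest0 = hashlib.md5(encode_ip_timestamp(ip, timestamp) + secret + userid
                          + b"\0" + tokens + b"\0" + user_data).hexdigest()
    # Second round over digest0 + secret, as in mod_auth_tkt and paste.auth.auth_tkt.
    return hashlib.md5(digest0.encode("ascii") + secret).hexdigest()


def make_ticket(secret, userid, ip, timestamp, user_data=""):
    # Ticket layout: 32-hex digest, 8-hex timestamp, userid, '!', user_data (tokens left empty here).
    digest = calculate_digest(ip, timestamp, secret, userid, b"", user_data)
    return "%s%08x%s!%s" % (digest, int(timestamp), userid, user_data)


def parse_ticket(secret, ticket, ip):
    """Return (timestamp, userid, user_data) or raise BadTicket, recomputing the digest for ip."""
    if len(ticket) < 41 or "!" not in ticket[40:]:
        raise BadTicket("ticket too short or malformed")
    digest, timestamp_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        timestamp = int(timestamp_hex, 16)
    except ValueError:
        raise BadTicket("timestamp is not hex")
    userid, user_data = rest.split("!", 1)
    expected = calculate_digest(ip, timestamp, secret, userid, b"", user_data)
    # Constant-time comparison so the check does not leak how many digest bytes matched.
    if not hmac.compare_digest(expected, digest):
        raise BadTicket("Digest signature is not correct")
    return timestamp, userid, user_data


def peer_ip(environ, trusted_proxies=frozenset()):
    """Address to bind the ticket to: REMOTE_ADDR, unless that is a trusted proxy, in which
    case the rightmost X-Forwarded-For entry (the one that proxy itself appended)."""
    remote = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if remote in trusted_proxies and forwarded:
        return forwarded.split(",")[-1].strip()
    return remote


def demo():
    secret = "example-shared-secret"  # constructed value, not the poster's
    # Constructed WSGI environ as the app behind the reverse proxy would see it.
    environ = {"REMOTE_ADDR": "192.168.100.1", "HTTP_X_FORWARDED_FOR": "64.233.167.99"}
    proxies = {"192.168.100.1"}
    ts = 1200000000
    # The failure from the post: minted against the proxy address, verified against the client's.
    minted_with_proxy_ip = make_ticket(secret, "michael", environ["REMOTE_ADDR"], ts)
    try:
        parse_ticket(secret, minted_with_proxy_ip, environ["HTTP_X_FORWARDED_FOR"])
        mismatch_rejected = False
    except BadTicket:
        mismatch_rejected = True
    # Same address resolution on the set path and the verify path: the ticket verifies.
    ticket = make_ticket(secret, "michael", peer_ip(environ, proxies), ts)
    _, userid, _ = parse_ticket(secret, ticket, peer_ip(environ, proxies))
    return mismatch_rejected, userid


if __name__ == "__main__":
    print(demo())
```

Whatever rewrites REMOTE_ADDR behind the proxy (the proxy's own headers, a proxy-fix middleware, or the application) has to run before both the set_user call and the cookie check; binding the ticket to the IP (include_ip) only helps when the same address is visible at both points, and trusting X-Forwarded-For at all is only sound when REMOTE_ADDR is a proxy you control.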