Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-16 Thread Jean-Paul Smets

Stefane Fermigier (www.nuxeo.com) sent this answer this morning.



--  Forwarded message  --

Subject: [[EMAIL PROTECTED]: Apache Week issue 287]
Date: Sat, 16 Mar 2002 08:12:53 +0100
From: Stefane Fermigier <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

- Forwarded message from Apache Week <[EMAIL PROTECTED]> -

 Proxy users thinking of upgrading to Apache 1.3.23 should be aware
 that there is a bug (PR#9655) in the handling of responses which
 set more than one cookie, and may wish to wait for the 1.3.24
 release before upgrading.


- End forwarded message -

--
Stéfane Fermigier, Tel: +33 (0)6 63 04 12 77 (mobile).
http://nuxeo.com/ & http://portalux.com/ & http://aful.org/
"Amazon: we patent the dot in .com"

---

-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-10 Thread Jean-Paul Smets

On Saturday 9 March 2002 23:04, Dieter Maurer wrote:
> Jean-Paul Smets writes:
>  > ... TCPWatch dumps demonstrating cookie problem for "__ac" cookie ...
>
> When I read the dumps correctly then *ALL* Apache + "__ac" dumps
> lack the "__ac" cookie whether or not VHM is used.
> Thus, I would say, VHM is out of suspicion.


I agree.

> Now, Apache + Zope via "mod_proxy" is Zope via Medusa.
> I do not expect Zope to behave differently when Apache is there.
> As Zope (+ medusa) alone has the "__ac" cookie, this may indicate
> an Apache problem.
> You can verify that by using TCPWatch between Apache and Zope
> (rather than between your browser and Apache).
>

OK. I'll test this.


>
>
> Dieter

-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 




Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-09 Thread Dieter Maurer

Jean-Paul Smets writes:
 > ... TCPWatch dumps demonstrating cookie problem for "__ac" cookie ...
When I read the dumps correctly then *ALL* Apache + "__ac" dumps
lack the "__ac" cookie whether or not VHM is used.
Thus, I would say, VHM is out of suspicion.

Now, Apache + Zope via "mod_proxy" is Zope via Medusa.
I do not expect Zope to behave differently when Apache is there.
As Zope (+ medusa) alone has the "__ac" cookie, this may indicate
an Apache problem.
You can verify that by using TCPWatch between Apache and Zope
(rather than between your browser and Apache).



Dieter
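
Added example (not part of the original thread): the comparison suggested above, one capture between Apache and Zope and one between browser and Apache, reduced to a script that lists the cookies the backend set but the proxy did not forward. Both responses are constructed samples, not the thread's captures, and the function names are hypothetical.

```python
"""Added example: find Set-Cookie headers lost between a backend and its proxy."""

# Constructed sample: response as captured between Apache and Zope.
UPSTREAM = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Zope (constructed sample)\r\n"
    b"Content-Type: text/html\r\n"
    b'Set-Cookie: __ac="Y29uc3RydWN0ZWQ%3D"; Path=/\r\n'
    b'Set-Cookie: __ac_name="demo"; Expires=Sun, 09 Mar 2003 13:39:22 GMT; Path=/\r\n'
    b"\r\n<html>...</html>"
)

# Constructed sample: the same response as captured between browser and Apache.
DOWNSTREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.23 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b'Set-Cookie: __ac_name="demo"; Expires=Sun, 09 Mar 2003 13:39:22 GMT; Path=/\r\n'
    b"\r\n<html>...</html>"
)


def set_cookie_names(raw_response: bytes) -> list[str]:
    """Return the cookie name from every Set-Cookie line, in header order."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    names = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        # Each cookie has its own header line; Set-Cookie cannot be merged
        # into one comma-separated line because Expires dates contain commas.
        names.append(value.strip().split("=", 1)[0].strip())
    return names


def dropped_cookies(upstream: bytes, downstream: bytes) -> list[str]:
    """Cookies the backend set that are missing from the proxied response."""
    forwarded = set(set_cookie_names(downstream))
    return [name for name in set_cookie_names(upstream) if name not in forwarded]


if __name__ == "__main__":
    print("backend set:  ", set_cookie_names(UPSTREAM))
    print("proxy passed: ", set_cookie_names(DOWNSTREAM))
    print("dropped:      ", dropped_cookies(UPSTREAM, DOWNSTREAM))
```

An empty result means the proxy forwarded every cookie the backend set, so a missing authentication cookie would have to be traced on the backend side instead.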




Re: SV: [Zope-dev] Small Alert - Probably Apache / mod-rewrite

2002-03-09 Thread Jean-Paul Smets

Hi,

I did a few more tests. Apparently, this cookie issue
- happens in proxy mode 
- does not happen in CGI mode

Of course, it is required to delete all cookies stored in the browser once 
the __ac cookie has been successfully set in CGI mode.

I have enclosed an excerpt of my Apache config which shows various tests.

JPS.


DocumentRoot /home/jp/public_html/erp5/
ServerName erp5.org
ServerAlias www.erp5.org
#ProxyPass / http://localhost:9673/VirtualHostBase/http/www.erp5.org:80/erp5/VirtualHostRoot/
RewriteEngine on
RewriteCond %{HTTP:Authorization}  ^(.*)
#RewriteRule ^/(.*) http://localhost:9673/VirtualHostBase/http/www.erp5.org:80/erp5/VirtualHostRoot/$1 [L,P]
#RewriteRule ^/(.*) http://localhost:9673/erp5/$1 [L,P]
#RewriteRule ^/(.*) http://localhost:9673/VirtualHostBase/http/www.erp5.org:80/erp5/VirtualHostRoot/$1 [L,P]
RewriteRule ^/(.*) /usr/lib/cgi-bin/Zope/VirtualHostBase/http/www.erp5.org:80/erp5/VirtualHostRoot/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]





-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 





Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-09 Thread Jean-Paul Smets

On Wednesday 6 March 2002 22:35, Dieter Maurer wrote:
> Jean-Paul Smets writes:
>  > I could find out that certain cookie names work, some others do not
>  >
>  > Works
>  > 
>  > Really strange.
>
> Could you use "tcpwatch" (or another TCP logger) to see whether
> the Zope response contains the cookie header. If not, this would
> be a Zope problem we could debug. If so, we have to look elsewhere.

Here is the information. 5 cases are shown
- Use of Apache + RewriteRule + VHM (CMF auth. cookie is __ac_erp5)
- Use of Apache + RewriteRule + VHM (CMF auth. cookie is __ac)
- Use of Medusa (CMF auth. cookie is __ac)
- Use of Apache + RewriteRule w/o VHM (CMF auth. cookie is __ac_erp5)
- Use of Apache + RewriteRule w/o VHM (CMF auth. cookie is __ac)

The scenario is
- go to http://www.erp5.org/login_form
- look at what happens with tcpdump after filling in the form and posting it

In all cases, this leads to a login success. However, if the auth. cookie 
is not set (which happens in cases where Apache is used and auth. cookie is 
__ac), then we are in trouble...

You will see that the Set-Cookie is different in the 5 cases

My conclusion for now is that something could be wrong with the Apache 
rewriting process.

Regards,

JPS.


Apache VHM Config


DocumentRoot /home/jp/public_html/erp5/
ServerName erp5.org
ServerAlias www.erp5.org
RewriteEngine On
RewriteRule ^/(.*) http://localhost:9673/VirtualHostBase/http/www.erp5.org:80/erp5/VirtualHostRoot/$1 [L,P]
#RewriteRule ^/(.*) http://localhost:9673/erp5/$1 [L,P]



__ac_erp5 + Apache + VHM


__ac + Apache + VHM


Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-06 Thread Dieter Maurer

Jean-Paul Smets writes:
 > I could find out that certain cookie names work, some others do not
 > 
 > Works
 > 
 > Really strange.
Could you use "tcpwatch" (or another TCP logger) to see whether
the Zope response contains the cookie header. If not, this would
be a Zope problem we could debug. If so, we have to look elsewhere.


Dieter




Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-06 Thread Shane Hathaway

Jean-Paul Smets wrote:
> I could find out that certain cookie names work, some others do not
> 
> Works
> 
> __ac_
> __ac_ra
> __ac_rak1
> __ac_nex1
> __ac_erp5
> 
> Does not work
> 
> __ac
> __ac_rack1
> __ac_rack12
> 
> Really strange.

What browser are you using?  Strange things like this happen for me 
occasionally after a Mozilla upgrade, but I just delete the cookies for 
the site and everything goes back to normal.  I figure someone at 
Netscape is just fiddling with the cookie code. :-)

OTOH, the only way a loop on the login page can happen is if you're not 
allowed to access the login page, or perhaps one of its images.  Maybe 
something is caching authentication in a non-thread-safe way.  In fact, 
the last hotfix addressed something like this, didn't it?

Shane





Re: SV: [Zope-dev] Small Alert - Temp Solution - more...

2002-03-05 Thread Jean-Paul Smets

I could find out that certain cookie names work, some others do not

Works

__ac_
__ac_ra
__ac_rak1
__ac_nex1
__ac_erp5

Does not work

__ac
__ac_rack1
__ac_rack12

Really strange.

JPS.

-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 




Re: SV: [Zope-dev] Small Alert - Temp Solution

2002-03-05 Thread Jean-Paul Smets

I started debugging Zope. I found that the various methods in 
CookieCrumbler are called and should normally set a cookie for auth_cookie.

However, under VHM operation, this does not happen when auth_cookie == 
'__ac'

I changed the name of the authentication cookie to __ac_erp5 in the CMF 
(www.erp5.org is the site I am working on).  

Everything works fine now.

I have absolutely no idea what it can mean.

As a reminder, I had no problems for 6 months and suddenly, after a small 
upgrade, all this strange behaviour started.

JPS.

-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 




Re: SV: [Zope-dev] Small Alert

2002-03-05 Thread Jean-Paul Smets

Here is the news
- whenever the CMF is accessed through a VHM, only one cookie is set 
(__ac_name) and we get a loop on the login page

- whenever the CMF is accessed directly (in my case through an ssh tunnel 
pointing to the root of the zope) two cookies are set (__ac=anA6YXRhbGFu%0A 
and __ac_name)

More to follow.

JPS.

(sorry for being so slow, I am sick and had to go to the doctor).

-- 
Jean-Paul Smets-Solanes <[EMAIL PROTECTED]> - Nexedi (CEO)
GPG Fingerprint: 40FF FA78 75AA 680D 8BB4  EEF9 539A 79CC CB8E 5F01 




Re: SV: [Zope-dev] Small Alert

2002-03-05 Thread Jean-Paul Smets

On Tuesday 5 March 2002 15:15, you wrote:
> > I just upgraded this morning a Debian Woody server with Zope 2.5. The
> > upgrade has resulted in all my CMF (which use SiteRoot or
> > VirtualHostMonster) to refuse any authentication.
> >
> > Without SiteRoot or VirtualHostMonster, everything is fine.
>
> I have had this problem (and a few others, some fixed in CVS) with VHM
> for some time now. Everything is fine on 8080, but fails using VHM.
>
> Since no one else experienced it, I thought that it was something local
> here...
>
> /Magnus

I moved everything from SiteRoot to VHM. It does not change anything.

Standard sites are OK in terms of authentication. CMF sites fail.

I have the impression something wrong happens in the portal_membership tool.

JPS.
