Re: [Zope] FSSession problems...

2000-09-18 Thread Ayhan Ergul


I am also experiencing the problem of two different users sharing the same
session inadvertently. However, in my case, I can disqualify a few things
that were previously discussed as possible reasons why this happens and
add some more info:

- Zope is running without Apache
- Clients have different SessionUIDs assigned (2580309312979106
vs. 26209573571042815)
- Clients are netscape on linux running on the same computer as zope
vs. netscape on nt4 in the same local network as the other (with no
caching in between).
- I have the two browsers open and I can freely modify page on one, reload
the same page on the other and see the updates reflected.

Any clues appreciated.

Ayhan


On Tue, 29 Aug 2000, Curtis Maloney wrote:
 On Tue, 29 Aug 2000, Pavlos Christoforou wrote:
  On Mon, 28 Aug 2000, Curtis Maloney wrote:
   </dtml-if>
  
   This was apparently working fine for quite some time (about a month of
   public usage), until last week.  We have examined logs, and seen that one
   person accidentally used the system under someone else's ReturnerID, and
   then rectified their mistake.
 
  If he did rectify the mistake then that should not have resulted in a
  problem. In any case the problem should have been isolated to that user
  only. Could it be that the cookie is cached somewhere? I am not familiar
  with the underlying principles of the apache Proxy directives.
 
 
 The user 'rectified' the problem by submitting the request again under their
 own ID.  I don't know when/how they noticed, and am not able to contact them
 for further comment.
 
 As for the cookie being cached, I don't know.  It is possible, as I said,
 that Apache is causing problems.  ProxyForward means that when a URL matches
 a rule, it will be 'forwarded' to another server, and the returned page
 issued as if from Apache.
 
 From the benchmarks I've seen, this is the fastest way to run Zope.  However,
 I can see how it could confuse Zope into thinking two different users'
 requests are from the same machine, since all the requests are coming from
 Apache.  However, I am hoping (going to check on this, of course :)  that the
 smart folks at Apache have made it 'proxy' properly, to avoid this sort of
 problem.
 
  Pavlos
 
 Curtis



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] FSSession problems...

2000-08-30 Thread Hung Jung Lu

Curtis,

Could you describe how often the problem happens? How many session users 
go to the site? You mentioned about a month of public usage. During that 
month, did you have one single incident? How many sessions happened during 
that month?

All key-based session management systems are intrinsically unsafe, since 
other people can tap into your session, with non-zero probability, if the 
key-length is finite. The only hope is to make the key long enough, so even 
if the hacker has a supercomputer, it would still take him/her the age of 
the universe to crack into your website. One thing I mentioned to Pavlos 
(and/or Anthony Baxter?) before is that the key lengths of their cookies are 
a bit too short. For my HappySession product (another session management 
product, which is RAM based), I cranked up the key length to 128 
alphanumeric char key, exactly because I wanted no key collision for a long 
long time. :)

Another thing I observed during the development of HappySession was that on 
Linux (and Debian) server systems, I had problems deleting the cookies 
of the clients. (No problem with NT server.) In the end, I chose not to 
delete cookies but instead to set their values to blank when the session 
expires. It was a weird problem; I did not know why I couldn't delete client 
cookies (maybe it was a mistake on my part), but I chose the simple way out 
by setting the cookie to blank. And it worked fine. So instead of detecting 
the presence of the cookie alone, I detected the presence AND whether the 
cookie was blank.

regards,

Hung Jung



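As an added example (not FSSession or HappySession code), the key-length and blank-cookie points above worked through in Python: entropy and birthday-bound collision odds for a 17-digit numeric UID versus a 128-character alphanumeric key, a CSPRNG-backed key generator, and a presence-and-non-blank cookie check. The cookie name and the UID value are constructed from the thread.

```python
import math
import secrets
import string

# Session-key strength and blank-cookie handling (added example, not FSSession
# or HappySession code). Constructed sample values from the thread: 16-17 digit
# numeric SessionUIDs versus a 128-character alphanumeric key.
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def key_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random key of `length` symbols."""
    return length * math.log2(alphabet_size)


def collision_probability(alphabet_size: int, length: int, sessions: int) -> float:
    """Birthday-bound estimate that any two of `sessions` random keys coincide.
    Computed in log space so that 62**128 does not overflow a float."""
    if sessions < 2:
        return 0.0
    pairs = sessions * (sessions - 1) / 2.0
    expected = math.exp(math.log(pairs) - length * math.log(alphabet_size))
    return -math.expm1(-expected)  # 1 - e^-expected, accurate when tiny


def new_session_key(length: int = 128) -> str:
    """Key drawn from the OS CSPRNG; a time-seeded PRNG would make keys predictable."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def has_session(cookies: dict, name: str = "SessionUID") -> bool:
    """A missing OR blank cookie means 'no session' (the blank-on-expiry approach
    above): checking presence alone would revive an expired session."""
    return cookies.get(name, "").strip() != ""


def expire_session(cookies: dict, name: str = "SessionUID") -> dict:
    """Expire by blanking the value instead of relying on cookie deletion."""
    updated = dict(cookies)
    updated[name] = ""
    return updated


if __name__ == "__main__":
    print(f"17-digit UID: {key_bits(10, 17):.1f} bits, "
          f"P(collision over 160 sessions) = {collision_probability(10, 17, 160):.2e}")
    print(f"128-char key: {key_bits(62, 128):.1f} bits")
```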




Re: [Zope] FSSession problems...

2000-08-30 Thread Curtis Maloney

On Thu, 31 Aug 2000, Hung Jung Lu wrote:
 Curtis,

 Could you describe how often the problem happens? How many session
 users go to the site? You mentioned about a month of public usage. During
 that month, did you have one single incident? How many sessions happened
 during that month?

So far, we have one recorded incident, and one anecdotal (from internal) 
incident.  I am having some more extensive testing done soon, so we can try 
to pin down further the exact circumstances which cause this problem.

The site is used for issuing product return authorities, and so far, over 160 
RAs have been issued.  Yes, it is a fairly low traffic site.  Session data is 
retained between visits (a side effect, but a welcome one), so I really 
cannot be sure of how many sessions were used.

 All key-based session management systems are intrinsically unsafe, since
 other people can tap into your session, with non-zero probability, if the
 key-length is finite. The only hope is to make the key long enough, so even
 if the hacker has a supercomputer, it would still take him/her the age of
 the universe to crack into your website. One thing I mentioned to Pavlos
 (and/or Anthony Baxter?) before is that the key lengths of their cookies
 are a bit too short. For my HappySession product (another session
 management product, which is RAM based), I cranked up the key length to 128
 alphanumeric char key, exactly because I wanted no key collision for a long
 long time. :)

Well, yes and no.  This really depends on the sensitivity of your data, and 
how likely it is for someone to try to crack your site.  In this case, both 
are fairly low, so the key strength is fine, IMHO.

 regards,

 Hung Jung






Re: [Zope] FSSession problems...

2000-08-29 Thread Curtis Maloney

On Tue, 29 Aug 2000, Pavlos Christoforou wrote:
 On Mon, 28 Aug 2000, Curtis Maloney wrote:
  </dtml-if>
 
  This was apparently working fine for quite some time (about a month of
  public usage), until last week.  We have examined logs, and seen that one
  person accidentally used the system under someone else's ReturnerID, and
  then rectified their mistake.

 If he did rectify the mistake then that should not have resulted in a
 problem. In any case the problem should have been isolated to that user
 only. Could it be that the cookie is cached somewhere? I am not familiar
 with the underlying principles of the apache Proxy directives.


The user 'rectified' the problem by submitting the request again under their 
own ID.  I don't know when/how they noticed, and am not able to contact them 
for further comment.

As for the cookie being cached, I don't know.  It is possible, as I said, 
that Apache is causing problems.  ProxyForward means that when a URL matches 
a rule, it will be 'forwarded' to another server, and the returned page 
issued as if from Apache.

From the benchmarks I've seen, this is the fastest way to run Zope.  However, 
I can see how it could confuse Zope into thinking two different users' 
requests are from the same machine, since all the requests are coming from 
Apache.  However, I am hoping (going to check on this, of course :)  that the 
smart folks at Apache have made it 'proxy' properly, to avoid this sort of 
problem.

 Pavlos

Curtis





Re: [Zope] FSSession problems...

2000-08-28 Thread Pavlos Christoforou

On Mon, 28 Aug 2000, Curtis Maloney wrote:

 </dtml-if>
 
 This was apparently working fine for quite some time (about a month of public 
 usage), until last week.  We have examined logs, and seen that one person 
 accidentally used the system under someone else's ReturnerID, and then 
 rectified their mistake.

If he did rectify the mistake then that should not have resulted in a
problem. In any case the problem should have been isolated to that user
only. Could it be that the cookie is cached somewhere? I am not familiar
with the underlying principles of the apache Proxy directives. 


Pavlos






Re: [Zope] FSSession problems...

2000-08-27 Thread Curtis Maloney

On Fri, 25 Aug 2000, Pavlos Christoforou wrote:
 On Fri, 25 Aug 2000, Curtis Maloney wrote:
  Greetings,
 
  I'm using FSSession to store login details about visitors to our site. 
  It is important that users only be able to see their own data (of
  course).
 
  Today, however, I find out that some mistakes have been happening. 
  People are finding themselves logged in when they haven't yet, and others
  finding they're logged in as someone else.  This is, obviously, a
  problem.
 
  I cannot see how this could be happening, since the Session ID is stored
  in a cookie, which should be unique to the client.

 This is very weird indeed. Nobody has ever reported a similar problem. Can
 you send me the DTML method that calls the FSSession?

Yes.  Very weird.  I'm not doing anything fancy.  <dtml-call FSSession> is in 
the standard_html_header.  Once the user's name/password has been verified 
from the db, I use:

<dtml-call "FSSession.set('ReturnerID',ReturnerID)">

to set the value, and test if the user is logged in with:

<dtml-if "FSSession.has_key('ReturnerID')">

Logging out works fine, with:

<dtml-if "FSSession.has_key('ReturnerID')">
  <dtml-call "FSSession.delete('ReturnerID')">
</dtml-if>

This was apparently working fine for quite some time (about a month of public 
usage), until last week.  We have examined logs, and seen that one person 
accidentally used the system under someone else's ReturnerID, and then 
rectified their mistake.

 Pavlos


I really would rather continue using FSSession, as it has worked fine for me 
in the past, and I find it very simple to use.  It would also save me from 
having to totally rewrite the site. (o8

Then again, I am considering using Zope level user authentication in the next 
revision of this site, but that is already planned to be a major overhaul.

Really, I just want to know what's going wrong...

Have a better one,
Curtis





Re: [Zope] FSSession problems...

2000-08-27 Thread Curtis Maloney

On Sat, 26 Aug 2000, Timothy Wilson wrote:
 On Fri, 25 Aug 2000, Curtis Maloney wrote:
  Today, however, I find out that some mistakes have been happening. 
  People are finding themselves logged in when they haven't yet, and others
  finding they're logged in as someone else.  This is, obviously, a
  problem.

 Warning! Shot in the dark ahead. :-)

 Is it possible that your visitors who are experiencing this problem are
 sitting behind a proxy that is improperly caching their cookies. I've seen
 something like this where you could log in to zope.org, go to a different
 machine and find that you were logged in there too.


Not something I hadn't considered.  But I dismissed it fairly quickly, as I 
saw the behaviour displayed on two machines in house, which do not use a 
proxy.

What I _have_ considered, tho, is that Apache, which is set in ProxyForward 
mode, might be confusing the issue somewhat.

 -Tim

Curtis.





Re: [Zope] FSSession problems...

2000-08-25 Thread Curtis Maloney

On Fri, 25 Aug 2000, Curtis Maloney wrote:
 Greetings,

 I'm using FSSession to store login details about visitors to our site.  It
 is important that users only be able to see their own data (of course).

 Today, however, I find out that some mistakes have been happening.  People
 are finding themselves logged in when they haven't yet, and others finding
 they're logged in as someone else.  This is, obviously, a problem.

 I cannot see how this could be happening, since the Session ID is stored in
 a cookie, which should be unique to the client.

 I am using:

 Zope 2.1.6 on Solaris 2.7
 FSSession 0.4.0



Further details:

Some internal testing has shown that if User A logs in with IE, and User B 
opens the page fresh (from another machine) they will be logged in as User A.

But if User A logs in with NS, this doesn't happen.

I am really confused as to what's going on.


My only thoughts are that FSSession is perhaps getting confused by Apache, 
but surely it would re-issue the same Session ID the request came in with?

Curtis





Re: [Zope] FSSession problems...

2000-08-25 Thread Pavlos Christoforou

On Fri, 25 Aug 2000, Curtis Maloney wrote:

 Greetings,
 
 I'm using FSSession to store login details about visitors to our site.  It is 
 important that users only be able to see their own data (of course).
 
 Today, however, I find out that some mistakes have been happening.  People 
 are finding themselves logged in when they haven't yet, and others finding 
 they're logged in as someone else.  This is, obviously, a problem.
 
 I cannot see how this could be happening, since the Session ID is stored in a 
 cookie, which should be unique to the client.
 
This is very weird indeed. Nobody has ever reported a similar problem. Can
you send me the DTML method that calls the FSSession? 

Pavlos






Re: [Zope] FSSession problems...

2000-08-25 Thread Timothy Wilson

On Fri, 25 Aug 2000, Curtis Maloney wrote:

 Today, however, I find out that some mistakes have been happening.  People 
 are finding themselves logged in when they haven't yet, and others finding 
 they're logged in as someone else.  This is, obviously, a problem.

Warning! Shot in the dark ahead. :-)

Is it possible that your visitors who are experiencing this problem are
sitting behind a proxy that is improperly caching their cookies. I've seen
something like this where you could log in to zope.org, go to a different
machine and find that you were logged in there too.

-Tim

--
Tim Wilson  | Visit Sibley online: | Check out:
Henry Sibley HS | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN |  | http://slashdot.org/
[EMAIL PROTECTED] |   <dtml-var pithy_quote> | http://linux.com/


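An added model (not Zope, Apache or FSSession code) of the shared-cache hypothesis in Tim's post and of the "User B opens the page fresh and is logged in as User A" symptom reported earlier in the thread: a URL-keyed proxy cache that ignores Set-Cookie and Cache-Control replays A's logged-in page to B, while one that honours them does not. The origin, the URLs and the cookie value are constructed.

```python
from dataclasses import dataclass, field

# Shared caching proxy in front of a session-cookie site (added example, not
# Zope, FSSession or Apache code); origin, URLs and cookie value are constructed.

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

SESSION_A = "2580309312979106"  # constructed SessionUID for user A
PRIVATE = {"Cache-Control": "private, no-store", "Vary": "Cookie"}

def origin(path: str, cookies: dict) -> Response:
    """/login issues the cookie; /account shows whose cookie was sent; both marked uncacheable."""
    if path == "/login?user=A":
        return Response("logged in as A", {"Set-Cookie": f"SessionUID={SESSION_A}", **PRIVATE})
    who = "A" if cookies.get("SessionUID") == SESSION_A else "nobody"
    return Response(f"logged in as {who}", dict(PRIVATE))

class SharedCache:
    """URL-keyed proxy cache; the flag selects whether Set-Cookie/Cache-Control are honoured."""

    def __init__(self, honour_headers: bool):
        self.honour_headers = honour_headers
        self.store: dict = {}

    def _storable(self, resp: Response) -> bool:
        if not self.honour_headers:  # the "improperly caching" proxy stores everything
            return True
        cc = resp.headers.get("Cache-Control", "")
        return "Set-Cookie" not in resp.headers and "private" not in cc and "no-store" not in cc

    def fetch(self, path: str, cookies: dict) -> Response:
        if path in self.store:  # keyed on URL only, so the requester's cookie is ignored
            return self.store[path]
        resp = origin(path, cookies)
        if self._storable(resp):
            self.store[path] = resp
        return resp

def what_user_b_sees(honour_headers: bool) -> str:
    """A logs in and views /account via the proxy; B then opens /account fresh with no cookie."""
    proxy = SharedCache(honour_headers)
    login = proxy.fetch("/login?user=A", {})
    a_cookies = {"SessionUID": login.headers["Set-Cookie"].split("=", 1)[1]}
    proxy.fetch("/account", a_cookies)
    return proxy.fetch("/account", {}).body
```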