Re: SuspiciousOperation: User tampered with session cookie
Although old, I'd like to point out that at least in my case this wasn't a Dapper + PHP5 issue, it was a Deb + PHP5 issue, so the problem seems to lie with the PHP5/Django pairing. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Patrick J. Anderson wrote: > On Tue, 27 Jun 2006 23:30:56 -0500, Patrick .J. Anderson wrote: > > > Malcolm Tredinnick wrote: > >> [quoted text muted] > > > > Hi, Malcolm > > > > Yes, I noticed that too. Perhaps it would be good if I tested this > > behaviour on another distro, but I don't want to resetup my development > > machine again. Maybe someone with a distro other than Ubuntu Dapper > > could compare the session_keys in django_sessions table with mod_python > > as well as builtin server, and see if this is also happening. > > > > Patrick > > > > > > > Well, I reinstalled Fedora Core 5 and setup django-trunk. There is no > problem with FC5, so I suspect that there's something wrong with Ubuntu > Dapper here. > > Here's my session_key after logging into admin using mod_python: > > 21d78b3bd4da4a79bd7f02c038c0707d On Ubuntu Dapper php5 seems to be the culprit. If you disable php5 (sudo a2dismod php5) you will discover that mod_python suddenly starts calculating md5 properly and this bug will disappear. A bug report has been filed with Ubuntu, so hopefully they will fix it soon. https://launchpad.net/distros/ubuntu/+source/libapache2-mod-python/+bug/54135 cheers, Anton --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
On Tue, 27 Jun 2006 23:30:56 -0500, Patrick .J. Anderson wrote: > Malcolm Tredinnick wrote: >> [quoted text muted] > > Hi, Malcolm > > Yes, I noticed that too. Perhaps it would be good if I tested this > behaviour on another distro, but I don't want to resetup my development > machine again. Maybe someone with a distro other than Ubuntu Dapper > could compare the session_keys in django_sessions table with mod_python > as well as builtin server, and see if this is also happening. > > Patrick > > > Well, I reinstalled Fedora Core 5 and setup django-trunk. There is no problem with FC5, so I suspect that there's something wrong with Ubuntu Dapper here. Here's my session_key after logging into admin using mod_python: 21d78b3bd4da4a79bd7f02c038c0707d --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Malcolm Tredinnick wrote: > On Tue, 2006-06-27 at 23:09 -0500, Patrick .J. Anderson wrote: >> Jacob Kaplan-Moss wrote: >>> Hi Patrick -- >>> >>> What happens when you clear out your sessions table? >>> >>> FYI, there's nothing about Ubuntu versus mod_python that would/could >>> cause this (I use both). >>> >>> Jacob >>> >> I cleared the session table and tried to login using my >> apache/mod_python virtual host setup. This is the session_key I get: >> >> 0abcebfdaff71c28a368d8bd >> >> >> When I log in using the development server, I can login successfully and >> the session_key I see is: >> >> 6b668c51d7d4fddd89c14e14e0569417 >> >> >> These are obviously very different, particularly the 0s in the beginning >> of the session_key from mod_python. > > One common thing that I noticed between your current problem (which > looks a lot like Nikolaus Shlemm's md5 sum problem) and the original > problem Nikolaus demonstrated on the mod_python list is that you are > both using a reasonably recent Ubuntu installation. No idea why that > will contribute (or even if it is a differentiating factor), but it's > something to note. > > Malcolm > > > > > Hi, Malcolm Yes, I noticed that too. Perhaps it would be good if I tested this behaviour on another distro, but I don't want to resetup my development machine again. Maybe someone with a distro other than Ubuntu Dapper could compare the session_keys in django_sessions table with mod_python as well as builtin server, and see if this is also happening. Patrick --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
On Tue, 2006-06-27 at 23:09 -0500, Patrick .J. Anderson wrote: > Jacob Kaplan-Moss wrote: > > Hi Patrick -- > > > > What happens when you clear out your sessions table? > > > > FYI, there's nothing about Ubuntu versus mod_python that would/could > > cause this (I use both). > > > > Jacob > > > > > > > > I cleared the session table and tried to login using my > apache/mod_python virtual host setup. This is the session_key I get: > > 0abcebfdaff71c28a368d8bd > > > When I log in using the development server, I can login successfully and > the session_key I see is: > > 6b668c51d7d4fddd89c14e14e0569417 > > > These are obviously very different, particularly the 0s in the beginning > of the session_key from mod_python. One common thing that I noticed between your current problem (which looks a lot like Nikolaus Shlemm's md5 sum problem) and the original problem Nikolaus demonstrated on the mod_python list is that you are both using a reasonably recent Ubuntu installation. No idea why that will contribute (or even if it is a differentiating factor), but it's something to note. Malcolm --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Jacob Kaplan-Moss wrote: > Hi Patrick -- > > What happens when you clear out your sessions table? > > FYI, there's nothing about Ubuntu versus mod_python that would/could > cause this (I use both). > > Jacob > > > > I cleared the session table and tried to login using my apache/mod_python virtual host setup. This is the session_key I get: 0abcebfdaff71c28a368d8bd When I log in using the development server, I can login successfully and the session_key I see is: 6b668c51d7d4fddd89c14e14e0569417 These are obviously very different, particularly the 0s in the beginning of the session_key from mod_python. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Nikolaus Schlemm wrote: >> I've heard that the problem might be related to md5 hashing (someone >> just recently posted it here in the groups with the same error >> message). I looked at the django code and that where that error message >> is thrown and it seemed to confirm that, but I don't know why this >> happens. > simply try generating the reference hashes provided at the end of the md5 > rfc[1] within a django-view - if they are not calculated correctly, you might > want to switch from md5 to sha for a quick workaround and possibly follow the > thread on the modpy mailinglist[2]. > > another solution might be something along the lines of the patch I posted > earlier[3] - but of course, I don't know whether or when this will make it in > into django ;) > > [1] http://www.ietf.org/rfc/rfc1321.txt > [2] http://modpython.org/pipermail/mod_python/2006-June/021482.html > [3] > http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd Hmm, I don't want to modify the framework code and start creating this sort of workarounds since I use django-trunk... I guess I'll have to wait until this problem is resolved, though I thought Django was for developers with deadlines :) Well, this makes me a little cautious in using the framework for my web development. Sad, 'cause I liked it. But I'll dig for more info and try to find a solution --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Hi Patrick -- What happens when you clear out your sessions table? FYI, there's nothing about Ubuntu versus mod_python that would/could cause this (I use both). Jacob --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Patrick .J. Anderson wrote: > [EMAIL PROTECTED] wrote: >> Clear the cookies in your browser and the problem will go away. >> >> > clearing the cookies doesn't help (I guess you answered that one). > > hmm, i don't know exactly what to do here, as I haven't tampered with > anything. I'll try to recreate the project (extra work, but maybe it'll > work) > > > > > I recreated the project using django-admin.py (of course, I restored my models and database), but still experience this behaviour and error messsages when I try to log in to admin section. Weird, as everything I have in my settings.py file is new and I obviously haven't tampered with the session. If this is a problem with mod_python in Ubuntu, I'll have to switch back to FC5 where things 'worked'. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
[EMAIL PROTECTED] wrote: > Clear the cookies in your browser and the problem will go away. > > > > > clearing the cookies doesn't help (I guess you answered that one). hmm, i don't know exactly what to do here, as I haven't tampered with anything. I'll try to recreate the project (extra work, but maybe it'll work) --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Am Dienstag, 27. Juni 2006 19:25 schrieb [EMAIL PROTECTED]: > Clear the cookies in your browser and the problem will go away. unfortunately that won't solve this problem - possibly another one ;) -- cheers, Nikl --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Clear the cookies in your browser and the problem will go away. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
> I've heard that the problem might be related to md5 hashing (someone > just recently posted it here in the groups with the same error > message). I looked at the django code and that where that error message > is thrown and it seemed to confirm that, but I don't know why this > happens. simply try generating the reference hashes provided at the end of the md5 rfc[1] within a django-view - if they are not calculated correctly, you might want to switch from md5 to sha for a quick workaround and possibly follow the thread on the modpy mailinglist[2]. another solution might be something along the lines of the patch I posted earlier[3] - but of course, I don't know whether or when this will make it in into django ;) [1] http://www.ietf.org/rfc/rfc1321.txt [2] http://modpython.org/pipermail/mod_python/2006-June/021482.html [3] http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd -- cheers, Nikl --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
On 6/27/06, Patrick J. Anderson <[EMAIL PROTECTED]> wrote: > > I've heard that the problem might be related to md5 hashing (someone > just recently posted it here in the groups with the same error > message). I suspect that it is. I've run into the same problem when I inadvertently changed the SECRET_KEY setting. Joseph --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Hmm, I haven't changed domains. I simply took my previous setup on Fedora Core 5 with apache+mod_python and put it on Ubuntu Dapper with apache+mod_python. I've heard that the problem might be related to md5 hashing (someone just recently posted it here in the groups with the same error message). I looked at the django code and that where that error message is thrown and it seemed to confirm that, but I don't know why this happens. Could there be a bug with mod_python? I simply don't know, but would appreciate someone more experienced looking into it. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie
Did your domain change? I have seen this error when I was working on myDomainOne and then started the same app under myDomainTwo. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users -~--~~~~--~~--~--~---
Re: SuspiciousOperation: User tampered with session cookie.
I've no idea why, but after building my own version of Apache 2.0.54 everything works just fine (earlier I was using Apache from official deb's). I used ./configure --enable-so --with-mpm=worker (just in case if anybody would need this).
