Re: [Webware-discuss] Session Issue bug found
Sophana wrote:
> Christoph Zwerschke wrote:
>> Maybe we should make '/' the default CookiePath again instead of None
>> (automatic determination)? This is less secure, but at least it will
>> always work (Microsoft policy ;-) This issue has already caused too much
>> confusion in the past.
>
> Could you tell us more about this security problem?

The problem with the session cookie path is explained in this document:
http://www.net-security.org/dl/articles/cookie_path.pdf

--
Christoph

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
___
Webware-discuss mailing list
Webware-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-discuss
Re: [Webware-discuss] Session Issue bug found
Christoph Zwerschke wrote:
> Sophana wrote:
>> I reverted to 0.9.2 because of the cookie clear bug for which I couldn't
>> find a workaround.
>
> If you provide a test case for that bug, I'll try to fix it in the next
> version.
>
>>> But this would be redirected to /wk/wk/* and not work anyway?
>>
>> No, in my case I only redirect / (^/$) with [PT] rewriting (Pass Through).
>> Other urls are not redirected.
>
>> Here is the rewrite rule (apache 2):
>>
>> RewriteEngine on
>> RewriteRule ^/$ /wk/Main [PT]
>
> Ok. I thought you used something like
>
> RewriteRule ^/(.*) /wk/$1 [L,PT]
>
> In your case, since you have two servlet paths, you need to use the least
> common path, i.e. set CookiePath explicitly to '/'.
>
> Maybe we should make '/' the default CookiePath again instead of None
> (automatic determination)? This is less secure, but at least it will
> always work (Microsoft policy ;-) This issue has already caused too much
> confusion in the past.

Could you tell us more about this security problem?
Re: [Webware-discuss] Session Issue bug found
Sophana wrote:
> I reverted to 0.9.2 because of the cookie clear bug for which I couldn't
> find a workaround.

If you provide a test case for that bug, I'll try to fix it in the next
version.

>> But this would be redirected to /wk/wk/* and not work anyway?
>
> No, in my case I only redirect / (^/$) with [PT] rewriting (Pass Through).
> Other urls are not redirected.
>
> Here is the rewrite rule (apache 2):
>
> RewriteEngine on
> RewriteRule ^/$ /wk/Main [PT]

Ok. I thought you used something like

RewriteRule ^/(.*) /wk/$1 [L,PT]

In your case, since you have two servlet paths, you need to use the least
common path, i.e. set CookiePath explicitly to '/'.

Maybe we should make '/' the default CookiePath again instead of None
(automatic determination)? This is less secure, but at least it will
always work (Microsoft policy ;-) This issue has already caused too much
confusion in the past.

--
Christoph
Re: [Webware-discuss] Session Issue bug found
Christoph Zwerschke wrote:
> Sorry for the late answer, I was offline for some weeks.
>
> sophana wrote:
>> Now looking at firefox cookie list, when I go to my server root url, I
>> get a SID cookie with the path set to //
>
> This is a bug. It should only be '/'. I have already fixed it in the
> trunk. Can you try again with the HTTPRequest module from SVN?
> http://svn.w4py.org/Webware/trunk/WebKit/HTTPRequest.py

I reverted to 0.9.2 because of the cookie clear bug for which I couldn't
find a workaround. I'll try when I get some time on the devel server.

>> When I go to another /wk/* url I get another cookie
>
> But this would be redirected to /wk/wk/* and not work anyway?

No, in my case I only redirect / (^/$) with [PT] rewriting (Pass Through).
Other urls are not redirected.

>> I think the default cookie path should not depend on the path before
>> going through mod_rewrite but the destination path: /wk/
>
> The problem is that the cookie path is evaluated by the browser, so you
> need to set it to the path *before* rewriting takes place.
>
> Can you let me know whether the latest HTTPRequest module solves the
> problem? If not, can you send me your Apache config so I can reproduce
> the problem?

As I said, I reverted. Here is the rewrite rule (apache 2):

RewriteEngine on
RewriteRule ^/$ /wk/Main [PT]

Thanks for your support.
Re: [Webware-discuss] Session Issue bug found
Sorry for the late answer, I was offline for some weeks.

sophana wrote:
> Now looking at firefox cookie list, when I go to my server root url, I
> get a SID cookie with the path set to //

This is a bug. It should only be '/'. I have already fixed it in the
trunk. Can you try again with the HTTPRequest module from SVN?
http://svn.w4py.org/Webware/trunk/WebKit/HTTPRequest.py

> When I go to another /wk/* url I get another cookie

But this would be redirected to /wk/wk/* and not work anyway?

> I think the default cookie path should not depend on the path before
> going through mod_rewrite but the destination path: /wk/

The problem is that the cookie path is evaluated by the browser, so you
need to set it to the path *before* rewriting takes place.

Can you let me know whether the latest HTTPRequest module solves the
problem? If not, can you send me your Apache config so I can reproduce
the problem?

--
Christoph
Re: [Webware-discuss] Session Issue bug found
Christoph Zwerschke wrote:
> Concerning the sessions, this may have to do with the more secure
> default cookie path for Webware. It will probably be using '/wk' now,
> while you had been using '/'. If you still experience problems with the
> cookies, you can set a fixed cookie path in 0.9.4 by setting
> 'SessionCookiePath'. But the default setting should work fine normally.

I made some investigation on the session problem; there seems to be a bug
with 0.9.4 and mod_rewrite.

As I said earlier, I use mod_rewrite just to map / to /wk/ and nothing
else. This means that I have /wk/Servlets paths public.

Now looking at firefox cookie list, when I go to my server root url, I get
a SID cookie with the path set to //
When I go to another /wk/* url I get another cookie with the path set to
/wk/

This makes 2 separate webware sessions! Every time I come back to /, the
webware session is reset...

With my other 0.9.2 webware, I get only one cookie set to /

Setting 'SessionCookiePath' to '/' seems to fix the problem...

I think the default cookie path should not depend on the path before going
through mod_rewrite but the destination path: /wk/

I still can't reproduce the AppServer freeze. But I corrected a memory
leak in my code. Will try to go again in production...
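The mechanism behind the two-sessions problem in this thread, as an added illustration that is not Webware's code: the browser, not the server, decides which cookie paths match a request, so a session cookie scoped to '/wk/' is never sent with a request for '/', and a site that rewrites '/' to '/wk/Main' ends up with two SID cookies unless the cookie path is the least common prefix of both ('/'). The function names, the path derivation and the sample paths are my own assumptions, not Webware's HTTPRequest logic.

```python
from typing import List


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path matching as performed by the browser: the cookie is
    sent if the request path equals the cookie path, or starts with it and
    either the cookie path ends in '/' or the next request character is '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(request_path: str, cookie_paths: List[str]) -> List[str]:
    """Which stored session cookies (identified by their Path attribute)
    the browser attaches to a request for request_path."""
    return [p for p in cookie_paths if path_matches(request_path, p)]


def default_cookie_path(request_uri: str) -> str:
    """Derive a Path attribute from the URL the browser asked for, i.e. the
    path *before* mod_rewrite. Keeps the directory part and collapses
    duplicate slashes so '/' can never yield the '//' seen in the thread.
    Hypothetical derivation, not Webware's own code."""
    directory = request_uri.rsplit("/", 1)[0] + "/"
    while "//" in directory:
        directory = directory.replace("//", "/")
    return directory


def least_common_path(cookie_paths: List[str]) -> str:
    """Longest directory prefix shared by all given cookie paths: the single
    Path a session cookie needs so that every one of those URLs receives it."""
    split = [[s for s in p.split("/") if s] for p in cookie_paths]
    common = []
    for segments in zip(*split):
        if len(set(segments)) != 1:
            break
        common.append(segments[0])
    return "/" + "/".join(common) + "/" if common else "/"


if __name__ == "__main__":
    # Constructed sample: '/' is rewritten to /wk/Main while other servlets
    # are reached under /wk/ directly, giving two different default paths.
    paths = [default_cookie_path(u) for u in ("/", "/wk/Main")]
    print(paths, cookies_sent("/", paths), cookies_sent("/wk/Main", paths))
    print("one session needs CookiePath", least_common_path(paths))
```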