So I found the root cause of the issue.

It turns out there was a bug in Python in how it handles cookies with 
square brackets ([, ]) in the values.

http://bugs.python.org/issue22931
https://code.djangoproject.com/ticket/24492

The s_vi cookie that was affecting our environment had those square 
brackets. Something interesting is if we try to create a cookie from within 
Web2py with a square bracket, Web2py will encapsulate the value with quotes 
and the bug will not take effect.

This was fixed in Python 2.7.10 
(https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS).

Brian

On Friday, August 21, 2015 at 9:10:27 AM UTC-7, Brian Nguyen wrote:
>
> Hello Massimo,
>
> We have found the root cause of the issue and are able to reproduce it 
> 100%.
>
> It seems that one of the websites we use at our company generates Adobe 
> tracking cookies that cause Web2py forms to stop working.
>
> The Adobe cookies in question are:
> s_vi
> s_fid
> s_cc
> s_sq
>
> Since these cookies have a broader domain, they end up in my web2py app 
> when users go to the culprit site.
>
> I'll have to investigate how these cookies interfere with web2py forms.
>
> EDIT:
> So here's my hypothesis of what's happening. According to the Web2py 
> documentation under the workflow section for the core, it states:
>
> "Before calling the action, a few things happen: if the request header 
> contains a session cookie for the app, the session object is retrieved; if 
> not, a session id is created (but the session file is not saved until 
> later); an execution environment for the request is created; models are 
> executed in this environment."
>
> Since some of the Adobe cookies are session cookies, could Web2py be 
> detecting these Adobe session cookies and not handling the session properly?
>
> Do we have any mechanisms in Web2py to limit the scope of the cookie 
> domain for our app?
>
> Thank you,
> Brian
>
> On Thursday, August 20, 2015 at 10:19:55 PM UTC-7, Massimo Di Pierro wrote:
>>
>> Is there a proxy or a load balancer? Can you reproduce it without tornado?
>>
>> On Thursday, 20 August 2015 14:13:44 UTC-5, Brian Nguyen wrote:
>>>
>>> Hello all,
>>>
>>> I've been running into this issue lately where ALL forms would clear 
>>> when the submit button is clicked. 
>>>
>>> I understand how CSRF may cause these symptoms and need your help.
>>>
>>> It seems to happen to random users using any browser. Although it 
>>> doesn't affect all browsers simultaneously.
>>>
>>> The odd thing is, it also affects the Web2py Administrator Interface 
>>> password form and forms from other apps on the same server.
>>>
>>> We can't trigger the issue 100%, but we can mimic the problem by 
>>> blocking cookies to our app. Opening multiple tabs to the form and 
>>> submitting on an older tab also mimics the issue, but eventually fixes 
>>> itself on next submit when testing on a working environment.
>>>
>>> The workaround for the issue seems to be clearing all the cookies & 
>>> cache or running in incognito/private mode. However, the issue may 
>>> eventually return.
>>>
>>> In my tests, it seems that only a single formkey can be stored in 
>>> session when the problem is present. When we refresh the page, it still has 
>>> only one new formkey. In a working environment, we can refresh the page and 
>>> have up to 10 formkeys stored in session.
>>>
>>> Based on our workaround, I've noticed that the session_id_(name) cookie 
>>> would not be generated automatically. Although we do have a session_id and 
>>> session_filename for the user. Also, the session_file will show as None.
>>>
>>> Server Configuration:
>>> Web2py 2.11.2
>>> Tornado Webserver
>>>
>>> User Configuration:
>>> Chrome
>>> Firefox
>>> IE 8
>>>
>>> All browser versions may vary. The cookie and security settings have 
>>> been confirmed to be wide open.
>>>
>>> Affected forms:
>>> Web2py Administrator Interface
>>> Auth (default/user)
>>> Custom forms (with and without passing session to forms.accept)
>>>
>>> I've spent countless hours lurking the Web2py resources for a solution, 
>>> but I just can't figure this one out. :(
>>>
>>> Thank you,
>>> Brian
>>>
>>
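
A check for the failure described at the top of this thread, as an added example that is not part of the original messages or of web2py's code: it reports which cookie names in a raw Cookie header the running interpreter's `SimpleCookie` parser did not return, and shows the quoted form `SimpleCookie` emits for a bracketed value. The header, the `session_id_myapp` name and all cookie values are constructed for illustration.

```python
# Added example. Written for Python 3; on Python 2.7 the same class is
# importable as `from Cookie import SimpleCookie`.
from http.cookies import SimpleCookie


def raw_cookie_names(header):
    """Names found by a plain split on ';', independent of the stdlib parser."""
    names = []
    for part in header.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name:
            names.append(name)
    return names


def dropped_cookie_names(header):
    """Names present in the raw header that SimpleCookie did not return.

    A non-empty result means the parser stopped early, so cookies after the
    offending one (for example the session id) never reach the application.
    """
    jar = SimpleCookie()
    jar.load(header)
    return [n for n in raw_cookie_names(header) if n not in jar]


def emit_cookie(name, value):
    """Serialize a cookie through SimpleCookie, which wraps values containing
    characters outside its legal set (such as '[' and ']') in double quotes."""
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].OutputString()


if __name__ == "__main__":
    # Constructed header: a third-party cookie with brackets arrives first,
    # followed by a hypothetical web2py session cookie.
    raw = "s_vi=[CS]v1|0000[CE]; session_id_myapp=127.0.0.1-abc"
    print("dropped by this interpreter:", dropped_cookie_names(raw))

    # The same value emitted by SimpleCookie is quoted and parses cleanly.
    quoted = emit_cookie("s_vi", "[CS]v1|0000[CE]") + "; session_id_myapp=127.0.0.1-abc"
    print("quoted form:", quoted)
    print("dropped after quoting:", dropped_cookie_names(quoted))
```

An empty list for the raw header means the interpreter already parses bracketed values; a list containing the session cookie name means the application is running on an affected Python build.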
