guess the usual "keep python updated to the last release" comes in handy 
also this time ...

On Monday, August 31, 2015 at 8:34:10 PM UTC+2, Brian Nguyen wrote:
>
> So I found the root cause of the issue.
>
> It turns out there was a bug in Python on how it handles cookies with 
> square brackets ([, ]) in the values.
>
> http://bugs.python.org/issue22931
> https://code.djangoproject.com/ticket/24492
>
> The s_vi cookie that was affecting our environment had those square 
> brackets. Something interesting is if we try to create a cookie from within 
> Web2py with a square bracket, Web2py will encapsulate the value with quotes 
> and the bug will not take effect.
>
> This was fixed in Python 2.7.10 (
> https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS).
>
> Brian
>
> On Friday, August 21, 2015 at 9:10:27 AM UTC-7, Brian Nguyen wrote:
>>
>> Hello Massimo,
>>
>> We have found the root cause of the issue and are able to reproduce it 
>> 100%.
>>
>> It seems that one of the websites we use at our company generates Adobe 
>> tracking cookies that cause Web2py forms to stop working.
>>
>> The Adobe cookies in question are:
>> s_vi
>> s_fid
>> s_cc
>> s_sq
>>
>> Since these cookies have a broader domain, they end up in my web2py app 
>> when users go to the culprit site.
>>
>> I'll have to investigate how these cookies interfere with web2py forms.
>>
>> EDIT:
>> So here's my hypothesis of what's happening. According to the Web2py 
>> documentation under the workflow section for the core, it states:
>>
>> "Before calling the action, a few things happen: if the request header 
>> contains a session cookie for the app, the session object is retrieved; if 
>> not, a session id is created (but the session file is not saved until 
>> later); an execution environment for the request is created; models are 
>> executed in this environment."
>>
>> Since some of the Adobe cookies are session cookies, could Web2py be 
>> detecting these Adobe session cookies and not handling the session properly?
>>
>> Do we have any mechanisms in Web2py to limit the scope of the cookie 
>> domain for our app?
>>
>> Thank you,
>> Brian
>>
>> On Thursday, August 20, 2015 at 10:19:55 PM UTC-7, Massimo Di Pierro 
>> wrote:
>>>
>>> Is there a proxy or a load balancer? Can you reproduce it without 
>>> tornado?
>>>
>>> On Thursday, 20 August 2015 14:13:44 UTC-5, Brian Nguyen wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I've been running into this issue lately where ALL forms would clear 
>>>> when the submit button is clicked. 
>>>>
>>>> I understand how CSRF may cause these symptoms and need your help.
>>>>
>>>> It seems to happen to random users using any browser. Although it 
>>>> doesn't affect all browsers simultaneously.
>>>>
>>>> The odd thing is, it also affects the Web2py Administrator Interface 
>>>> password form and forms from other apps on the same server.
>>>>
>>>> We can't trigger the issue 100%, but we can mimic the problem by 
>>>> blocking cookies to our app. Opening multiple tabs to the form and 
>>>> submitting on an older tab also mimics the issue, but eventually fixes 
>>>> itself on next submit when testing on a working environment.
>>>>
>>>> The workaround for the issue seems to be clearing all the cookies & 
>>>> cache or running in incognito/private mode. However, the issue may 
>>>> eventually return.
>>>>
>>>> In my tests, it seems that only a single formkey can be stored in 
>>>> session when the problem is present. When we refresh the page, it still 
>>>> has only one new formkey. In a working environment, we can refresh the 
>>>> page and have up to 10 formkeys stored in session.
>>>>
>>>> Based on our workaround, I've noticed that the session_id_(name) cookie 
>>>> would not be generated automatically. Although we do have a session_id and 
>>>> session_filename for the user. Also, the session_file will show as None.
>>>>
>>>> Server Configuration:
>>>> Web2py 2.11.2
>>>> Tornado Webserver
>>>>
>>>> User Configuration:
>>>> Chrome
>>>> Firefox
>>>> IE 8
>>>>
>>>> All browser versions may vary. The cookie and security settings have 
>>>> been confirmed to be wide open.
>>>>
>>>> Affected forms:
>>>> Web2py Administrator Interface
>>>> Auth (default/user)
>>>> Custom forms (with and without passing session to forms.accept)
>>>>
>>>> I've spent countless hours lurking the Web2py resources for a solution, 
>>>> but I just can't figure this one out. :(
>>>>
>>>> Thank you,
>>>> Brian
>>>>
>>>
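
The check below is an added example, not code from this thread or from web2py: it tests whether the running interpreter's cookie parser still returns the application's session cookie when a bracketed cookie from a broader domain arrives in the same header, and it includes a per-pair fallback parser for comparison. The header value and the session cookie name `session_id_myapp` are constructed for illustration.

```python
# Added example: all cookie values below are constructed, not taken from the thread.
try:
    from http.cookies import SimpleCookie, CookieError   # Python 3
except ImportError:
    from Cookie import SimpleCookie, CookieError          # Python 2.7

# Constructed request header: a tracking-style cookie with square brackets in
# its value, followed by the app's session cookie (hypothetical name).
SAMPLE_HEADER = ("s_vi=[CS]v1|2AE4F0C1[CE]; s_cc=true; "
                 "session_id_myapp=127.0.0.1-0a1b2c3d")
SESSION_COOKIE = "session_id_myapp"

def stdlib_names(header):
    """Cookie names the interpreter's own parser returns for this header."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return set()
    return set(jar.keys())

def tolerant_parse(header):
    """Split on ';' first so one unparseable pair cannot hide the others.
    Simplification: a quoted value containing ';' is not supported."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep or not name:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies[name.strip()] = value
    return cookies

def session_cookie_dropped(header, session_name=SESSION_COOKIE):
    """True when the client sent the session cookie but the stdlib parser lost it."""
    sent = session_name in tolerant_parse(header)
    return sent and session_name not in stdlib_names(header)

if __name__ == "__main__":
    import sys
    print("python", sys.version.split()[0])
    print("stdlib parser sees:", sorted(stdlib_names(SAMPLE_HEADER)))
    print("session cookie dropped:", session_cookie_dropped(SAMPLE_HEADER))
```

Run it with the same interpreter that serves the application; `session cookie dropped: True` means the session cookie was sent but never reached the framework.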
