Task #11771 (closed)
Opened 10 years ago
Closed 10 years ago
BUG: Independent OMERO.web instances on separate ports use the same session cookie
| Reported by: | spli | Owned by: | atarkowska |
|---|---|---|---|
| Priority: | major | Milestone: | 5.0.0 |
| Component: | Web | Version: | 4.4.9 |
| Keywords: | n.a. | Cc: | |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. |
Description
This is very intermittent, but I've seen it a few times.
General pattern seems to be restart OMERO (server and web) with a web session still active. Occasionally when the server is back up reconnecting causes the following error:
Traceback (most recent call last):
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/core/handlers/base.py", line 178, in get_response
response = middleware_method(request, response)
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/middleware.py", line 28, in process_response
if request.session.get_expire_at_browser_close():
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 252, in get_expire_at_browser_close
if self.get('_session_expiry') is None:
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 64, in get
return self._session.get(key, default)
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 195, in _get_session
self._session_cache = self.load()
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 50, in load
session_file = open(self._key_to_file(), "rb")
File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 43, in _key_to_file
"Invalid characters in session key")
SuspiciousOperation: Invalid characters in session key
<WSGIRequest
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{'phpbb3_a9mfv_k': 'd197145da91a0c00',
'phpbb3_a9mfv_sid': '82a246ec13b64f0b1079842c73fbb64a',
'phpbb3_a9mfv_u': '2883',
'sessionid': 'x8unm2lhri4374lag4kr2pxsdinmi5kx',
'style_cookie': 'printonly'},
META:{'CONTENT_LENGTH': '',
'CONTENT_TYPE': '',
'HTTPS': '',
'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_ACCEPT_LANGUAGE': 'en-gb,en;q=0.5',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_COOKIE': 'style_cookie=printonly; phpbb3_a9mfv_k=d197145da91a0c00; phpbb3_a9mfv_u=2883; phpbb3_a9mfv_sid=82a246ec13b64f0b1079842c73fbb64a; sessionid=x8unm2lhri4374lag4kr2pxsdinmi5kx',
'HTTP_DNT': '1',
'HTTP_HOST': 'omero4-demo.openmicroscopy.org',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0',
'PATH_INFO': u'/webclient/',
'QUERY_STRING': '',
'REQUEST_METHOD': 'GET',
'SCRIPT_NAME': u'',
'SERVER_NAME': 'ome-c6100-3',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.1',
'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x40aa150>,
'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x4099f90>,
'wsgi.multiprocess': True,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>
Removing the sessionid cookie in the browser fixes things.
Change History (14)
comment:1 Changed 10 years ago by spli
comment:2 Changed 10 years ago by spli
To reproduce: Install two separate OMERO.server/OMERO.web instances on the same host, under different ports. I think it might have to be a 4.4 server and a 5.0 server.
Log in to one e.g. the 5.0 OMERO.web, then go to the 4.4 OMERO.web- you'll get the above exception.
E.g.
https://omero4-demo.openmicroscopy.org:1443/
and
https://omero4-demo.openmicroscopy.org/
comment:3 Changed 10 years ago by aknab
Most likely reason: The develop branch now includes Django 1.6, and sessions are no longer compatible with Django 1.3.
comment:4 Changed 10 years ago by aknab
Django 1.6 creates session cookie names made up of letters a-z and digits 0-9. Django 1.3 only allows letters a-f and digits 0-9.
Going from 1.3 to 1.6 (e.g. through an upgrade) therefore should not cause any issues, but going backwards will require the session cookie to be removed.
comment:5 Changed 10 years ago by spli
- Summary changed from BUG: SuspiciousOperation: Invalid characters in session key to BUG: Independent OMERO.web instances on separate ports use the same session cookie
The OMERO.web servers are running on completely different ports, so shouldn't there be two independent session cookies?
comment:6 Changed 10 years ago by aknab
comment:7 Changed 10 years ago by jamoore
Worth warning about that in our docs then?
comment:8 Changed 10 years ago by spli
Would it be possible to handle the exception and delete the session key so a user can still login?
comment:9 Changed 10 years ago by aknab
Probably, by adding a custom exception middleware (https://docs.djangoproject.com/en/dev/topics/http/middleware/#process_exception) - is this happening often enough though to warrant that?
comment:10 Changed 10 years ago by spli
It happens quite often since I'm switching between two servers on omero4-demo. Unlikely to be a problem for non-developers though.
comment:11 Changed 10 years ago by spli
See also #11281
comment:12 Changed 10 years ago by atarkowska
- Milestone changed from Unscheduled to 5.0.0
- Owner changed from web-team@… to atarkowska
comment:13 Changed 10 years ago by jburel
- Priority changed from minor to major
comment:14 Changed 10 years ago by wmoore
- Resolution set to wontfix
- Status changed from new to closed
To fix the issue we'd have to handle it in OMERO 4.4, since that's where the problem occurs, and I don't think this is bad enough to justify a 4.4.11.
I think the restart maybe a red herring, I suspect it's something to do with multiple separate OMERO.web instances running on different ports on the same server- is the sessionid cookie tied to a particular port?