
Task #11771 (closed)

Opened 8 years ago

Closed 8 years ago

BUG: Independent OMERO.web instances on separate ports use the same session cookie

Reported by: spli
Owned by: atarkowska
Priority: major
Milestone: 5.0.0
Component: Web
Version: 4.4.9
Keywords: n.a.
Cc:
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.


This is very intermittent, but I've seen it a few times.

The general pattern seems to be: restart OMERO (server and web) with a web session still active. Occasionally, when the server is back up, reconnecting causes the following error:

Traceback (most recent call last):

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/core/handlers/base.py", line 178, in get_response
    response = middleware_method(request, response)

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/middleware.py", line 28, in process_response
    if request.session.get_expire_at_browser_close():

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 252, in get_expire_at_browser_close
    if self.get('_session_expiry') is None:

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 64, in get
    return self._session.get(key, default)

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 195, in _get_session
    self._session_cache = self.load()

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 50, in load
    session_file = open(self._key_to_file(), "rb")

  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 43, in _key_to_file
    "Invalid characters in session key")

SuspiciousOperation: Invalid characters in session key

GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{'phpbb3_a9mfv_k': 'd197145da91a0c00',
 'phpbb3_a9mfv_sid': '82a246ec13b64f0b1079842c73fbb64a',
 'phpbb3_a9mfv_u': '2883',
 'sessionid': 'x8unm2lhri4374lag4kr2pxsdinmi5kx',
 'style_cookie': 'printonly'},
 'HTTPS': '',
 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
 'HTTP_ACCEPT_LANGUAGE': 'en-gb,en;q=0.5',
 'HTTP_CONNECTION': 'keep-alive',
 'HTTP_COOKIE': 'style_cookie=printonly; phpbb3_a9mfv_k=d197145da91a0c00; phpbb3_a9mfv_u=2883; phpbb3_a9mfv_sid=82a246ec13b64f0b1079842c73fbb64a; sessionid=x8unm2lhri4374lag4kr2pxsdinmi5kx',
 'HTTP_DNT': '1',
 'HTTP_HOST': 'omero4-demo.openmicroscopy.org',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0',
 'PATH_INFO': u'/webclient/',
 'SCRIPT_NAME': u'',
 'SERVER_NAME': 'ome-c6100-3',
 'SERVER_PORT': '80',
 'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x40aa150>,
 'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x4099f90>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'http',
 'wsgi.version': (1, 0)}>

Removing the sessionid cookie in the browser fixes things.

Change History (14)

comment:1 Changed 8 years ago by spli

I think the restart may be a red herring, I suspect it's something to do with multiple separate OMERO.web instances running on different ports on the same server - is the sessionid cookie tied to a particular port?

comment:2 Changed 8 years ago by spli

To reproduce: Install two separate OMERO.server/OMERO.web instances on the same host, under different ports. I think it might have to be a 4.4 server and a 5.0 server.

Log in to one, e.g. the 5.0 OMERO.web, then go to the 4.4 OMERO.web - you'll get the above exception.


comment:3 Changed 8 years ago by aknab

Most likely reason: The develop branch now includes Django 1.6, and sessions are no longer compatible with Django 1.3.

comment:4 Changed 8 years ago by aknab

Django 1.6 creates session cookie names made up of letters a-z and digits 0-9. Django 1.3 only allows letters a-f and digits 0-9.

Going from 1.3 to 1.6 (e.g. through an upgrade) therefore should not cause any issues, but going backwards will require the session cookie to be removed.

comment:5 Changed 8 years ago by spli

  • Summary changed from BUG: SuspiciousOperation: Invalid characters in session key to BUG: Independent OMERO.web instances on separate ports use the same session cookie

The OMERO.web servers are running on completely different ports, so shouldn't there be two independent session cookies?

comment:7 Changed 8 years ago by jamoore

Worth warning about that in our docs then?

comment:8 Changed 8 years ago by spli

Would it be possible to handle the exception and delete the session key so a user can still log in?

comment:9 Changed 8 years ago by aknab

Probably, by adding a custom exception middleware (https://docs.djangoproject.com/en/dev/topics/http/middleware/#process_exception) - is this happening often enough though to warrant that?
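
Added example, not part of the ticket and not OMERO or Django code: a standard-library WSGI wrapper sketching the "drop the bad session key so the user can still log in" idea from comments 8 and 9, using the key alphabet described in comment 4. The names `DropForeignSessionCookie` and `find_rejected_key` are hypothetical, and `Path=/` is an assumed cookie path.

```python
from http.cookies import SimpleCookie

# Assumption taken from comment:4: the Django 1.3 side accepts only 0-9 and a-f.
HEX_ALPHABET = frozenset("0123456789abcdef")
COOKIE_NAME = "sessionid"  # cookie name seen in the traceback
# Constructed header; the sessionid value is the one shown in the traceback.
SAMPLE_HEADER = "style_cookie=printonly; sessionid=x8unm2lhri4374lag4kr2pxsdinmi5kx"


def key_is_acceptable(key, alphabet=HEX_ALPHABET):
    """True when the key is non-empty and uses only the allowed alphabet."""
    return bool(key) and set(key) <= alphabet


def find_rejected_key(cookie_header):
    """Return the session key if the older instance would reject it, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or key_is_acceptable(morsel.value):
        return None
    return morsel.value


class DropForeignSessionCookie:
    """Hide a rejected session key from the app and expire it in the browser."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        header = environ.get("HTTP_COOKIE", "")
        if find_rejected_key(header) is None:
            return self.app(environ, start_response)
        # Rebuild the Cookie header without the key written by the other instance.
        jar = SimpleCookie()
        jar.load(header)
        del jar[COOKIE_NAME]
        environ["HTTP_COOKIE"] = "; ".join(
            f"{name}={m.coded_value}" for name, m in jar.items())

        def expiring_start_response(status, headers, exc_info=None):
            # Expiry goes first so a fresh session cookie set by the app wins.
            expire = ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/")
            return start_response(status, [expire] + list(headers), exc_info)

        return self.app(environ, expiring_start_response)
```

Browsers scope cookies by host and path, not by port, which is why both instances receive the same `sessionid`; giving each instance a distinct name through Django's `SESSION_COOKIE_NAME` setting avoids the collision rather than recovering from it.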

comment:10 Changed 8 years ago by spli

It happens quite often since I'm switching between two servers on omero4-demo. Unlikely to be a problem for non-developers though.

comment:11 Changed 8 years ago by spli

See also #11281

comment:12 Changed 8 years ago by atarkowska

  • Milestone changed from Unscheduled to 5.0.0
  • Owner changed from web-team@… to atarkowska

comment:13 Changed 8 years ago by jburel

  • Priority changed from minor to major

comment:14 Changed 8 years ago by wmoore

  • Resolution set to wontfix
  • Status changed from new to closed

To fix the issue we'd have to handle it in OMERO 4.4, since that's where the problem occurs, and I don't think this is bad enough to justify a 4.4.11.
