Task #11771 (closed)
Opened 10 years ago
Closed 10 years ago
BUG: Independent OMERO.web instances on separate ports use the same session cookie
Reported by: | spli | Owned by: | atarkowska |
---|---|---|---|
Priority: | major | Milestone: | 5.0.0 |
Component: | Web | Version: | 4.4.9 |
Keywords: | n.a. | Cc: | |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
This is very intermittent, but I've seen it a few times.
The general pattern seems to be: restart OMERO (server and web) with a web session still active. Occasionally, when the server is back up, reconnecting causes the following error:
```
Traceback (most recent call last):
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/core/handlers/base.py", line 178, in get_response
    response = middleware_method(request, response)
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/middleware.py", line 28, in process_response
    if request.session.get_expire_at_browser_close():
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 252, in get_expire_at_browser_close
    if self.get('_session_expiry') is None:
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 64, in get
    return self._session.get(key, default)
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/base.py", line 195, in _get_session
    self._session_cache = self.load()
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 50, in load
    session_file = open(self._key_to_file(), "rb")
  File "/home/omero-sab/OMERO-CURRENT/lib/python/django/contrib/sessions/backends/file.py", line 43, in _key_to_file
    "Invalid characters in session key")
SuspiciousOperation: Invalid characters in session key

<WSGIRequest
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{'phpbb3_a9mfv_k': 'd197145da91a0c00', 'phpbb3_a9mfv_sid': '82a246ec13b64f0b1079842c73fbb64a', 'phpbb3_a9mfv_u': '2883', 'sessionid': 'x8unm2lhri4374lag4kr2pxsdinmi5kx', 'style_cookie': 'printonly'},
META:{'CONTENT_LENGTH': '', 'CONTENT_TYPE': '', 'HTTPS': '', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'en-gb,en;q=0.5', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_COOKIE': 'style_cookie=printonly; phpbb3_a9mfv_k=d197145da91a0c00; phpbb3_a9mfv_u=2883; phpbb3_a9mfv_sid=82a246ec13b64f0b1079842c73fbb64a; sessionid=x8unm2lhri4374lag4kr2pxsdinmi5kx', 'HTTP_DNT': '1', 'HTTP_HOST': 'omero4-demo.openmicroscopy.org', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0', 'PATH_INFO': u'/webclient/', 'QUERY_STRING': '', 'REQUEST_METHOD': 'GET', 'SCRIPT_NAME': u'', 'SERVER_NAME': 'ome-c6100-3', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1', 'wsgi.errors': <flup.server.fcgi_base.TeeOutputStream object at 0x40aa150>, 'wsgi.input': <flup.server.fcgi_base.InputStream object at 0x4099f90>, 'wsgi.multiprocess': True, 'wsgi.multithread': False, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>
```
Removing the sessionid cookie in the browser fixes things.
Change History (14)
comment:1 Changed 10 years ago by spli
comment:2 Changed 10 years ago by spli
To reproduce: Install two separate OMERO.server/OMERO.web instances on the same host, under different ports. I think it might have to be a 4.4 server and a 5.0 server.
Log in to one, e.g. the 5.0 OMERO.web, then go to the 4.4 OMERO.web - you'll get the above exception.
E.g.
https://omero4-demo.openmicroscopy.org:1443/
and
https://omero4-demo.openmicroscopy.org/
comment:3 Changed 10 years ago by aknab
Most likely reason: The develop branch now includes Django 1.6, and sessions are no longer compatible with Django 1.3.
comment:4 Changed 10 years ago by aknab
Django 1.6 creates session cookie names made up of letters a-z and digits 0-9. Django 1.3 only allows letters a-f and digits 0-9.
Going from 1.3 to 1.6 (e.g. through an upgrade) therefore should not cause any issues, but going backwards will require the session cookie to be removed.
comment:5 Changed 10 years ago by spli
- Summary changed from BUG: SuspiciousOperation: Invalid characters in session key to BUG: Independent OMERO.web instances on separate ports use the same session cookie
The OMERO.web servers are running on completely different ports, so shouldn't there be two independent session cookies?
comment:6 Changed 10 years ago by aknab
comment:7 Changed 10 years ago by jamoore
Worth warning about that in our docs then?
comment:8 Changed 10 years ago by spli
Would it be possible to handle the exception and delete the session key so a user can still login?
comment:9 Changed 10 years ago by aknab
Probably, by adding a custom exception middleware (https://docs.djangoproject.com/en/dev/topics/http/middleware/#process_exception) - is this happening often enough though to warrant that?
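An added example, not part of the ticket or of OMERO.web's own code: a standard-library WSGI wrapper, swapped in here for the Django exception middleware suggested in comment:9, that hides and expires a `sessionid` value the older backend would reject. It assumes the a-f/0-9 key alphabet stated in comment:4; the class name, the `demo` helper and the cookie values are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionid"            # Django's default session cookie name
HEX_KEY = re.compile(r"[0-9a-f]+")   # assumed alphabet of the older backend (comment:4)

def key_is_acceptable(key):
    """True if a hex-only session backend would accept this key."""
    return HEX_KEY.fullmatch(key) is not None

class DropForeignSessionCookie:
    """Hypothetical WSGI wrapper: hide and expire a session key the app would reject."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        cookies = SimpleCookie()
        cookies.load(environ.get("HTTP_COOKIE", ""))
        morsel = cookies.get(COOKIE_NAME)
        if morsel is None or key_is_acceptable(morsel.value):
            return self.app(environ, start_response)
        # Strip the foreign key so the app starts a fresh session instead of raising.
        del cookies[COOKIE_NAME]
        environ = dict(environ)
        environ["HTTP_COOKIE"] = "; ".join(
            f"{m.key}={m.coded_value}" for m in cookies.values())

        def expiring_start_response(status, headers, exc_info=None):
            # Expire the browser's copy unless the app has just issued a new key.
            reissued = any(k.lower() == "set-cookie" and v.startswith(COOKIE_NAME + "=")
                           for k, v in headers)
            if not reissued:
                headers = list(headers) + [
                    ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/")]
            return start_response(status, headers, exc_info)

        return self.app(environ, expiring_start_response)

def demo(cookie_header):
    """Send a constructed request through the wrapper; return (cookie seen by app, headers)."""
    seen, sent = {}, {}
    def app(environ, start_response):
        seen["cookie"] = environ.get("HTTP_COOKIE", "")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    def start_response(status, headers, exc_info=None):
        sent["headers"] = headers
    DropForeignSessionCookie(app)({"HTTP_COOKIE": cookie_header}, start_response)
    return seen["cookie"], sent["headers"]
```

Because browsers scope cookies by host and not by port, giving each instance a distinct Django `SESSION_COOKIE_NAME` avoids the collision altogether.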
comment:10 Changed 10 years ago by spli
It happens quite often since I'm switching between two servers on omero4-demo. Unlikely to be a problem for non-developers though.
comment:11 Changed 10 years ago by spli
See also #11281
comment:12 Changed 10 years ago by atarkowska
- Milestone changed from Unscheduled to 5.0.0
- Owner changed from web-team@… to atarkowska
comment:13 Changed 10 years ago by jburel
- Priority changed from minor to major
comment:14 Changed 10 years ago by wmoore
- Resolution set to wontfix
- Status changed from new to closed
To fix the issue we'd have to handle it in OMERO 4.4, since that's where the problem occurs, and I don't think this is bad enough to justify a 4.4.11.
I think the restart may be a red herring, I suspect it's something to do with multiple separate OMERO.web instances running on different ports on the same server - is the sessionid cookie tied to a particular port?