[LON-CAPA-admin] cookie invalid
Stuart Raeburn
raeburn at msu.edu
Thu Sep 19 17:42:22 EDT 2013
Hi,
> Somehow, when the session is transferred from the lonbalancer to the access
> server, a different IP address is reported to the access server. This is
> the only clue I can find as to why the student cannot get to the roles
> page. Maybe it is a red herring. So the question is: has anyone seen this
> behavior before? Also, why is the IP address different?
Looking at the lonbalancer code in LON-CAPA 2.10.1, I see that
$ENV{'REMOTE_ADDR'}, as reported by the client browser, needs to be
consistent across two stages in the LON-CAPA log-in process involving
a lonbalancer.
$ENV{'REMOTE_ADDR'} is retrieved from the client request as follows:

(a) from the submission of log-in information to /adm/login on the lonbalancer
(b) from the page reload included in the response from the
/adm/switchserver browser's refresh within the meta tag:

<meta http-equiv="Refresh" content="0.5; url=http://<otherserver>/adm/login" />

where <otherserver> is the hostname of the LON-CAPA server which will
host the user's session after transfer from the lonbalancer server.

See lines 81-84 of /home/httpd/lib/perl/Apache/migrateuser.pm ...

    if ($data{'ip'} ne $ENV{'REMOTE_ADDR'} || !defined($data{'username'}) ||
        !defined($data{'domain'}) ) {
        return &goto_login($r);
    }

$data{'ip'} is retrieved (by migrateuser.pm on the target server) from
the frozen hash stored in /home/httpd/perl/tmp (identified by token).
The frozen hash on the target server will have originally been stored
by /home/httpd/lib/perl/Apache/switchserver.pm running on the
lonbalancer server.
In the case of connections through a cellular network, the comparison
between $data{'ip'} and $ENV{'REMOTE_ADDR'} could fail if the service
provider is using multiple gateways with multiple IP addresses, and
the particular gateway used for a student's wireless connection
changes between a client browser's calls to /adm/login and
/adm/migrateuser.
Stuart Raeburn
LON-CAPA Academic Consortium
Quoting hkng <hkng at fsu.edu>:
> Hi,
>
> I posted this question before but never got any response. When a student
> logs in using a portable device (like an iPad) and using the cellular network to
> the lonbalancer, the student is authenticated and is then transferred to
> one of the access servers. However, the session immediately gets kicked back to
> the lonbalancer, and because the system uses SSO, it immediately transfers
> the session back to the access server. It forms an endless loop and the
> student never gets to the roles page.
>
> Checking the logs this is what I can determine.
>
> In the activities log, there are lots of sequential entries like
>
> 1379531706:fsua0:Switch Server to fsua2 with role <ip address> almost
> always coming from mobile-xxx-mycingular.net
>
> Checking the lonbalancer log (under /var/log/httpd) there are entries like
>
> ssl_access_log:ip address - - [18/Sep/2013:15:23:31 -0400] "GET
> /adm/roles?ticket=ST-1954238-wIoLGFGIQacDNCdcsrXy-casprd2 HTTP/1.1" 200
> 11318
>
> ssl_error_log:[Wed Sep 18 15:10:33 2013] [error] access to
> /home/httpd/html/adm/switchserver failed for <ip address>, reason: Cookie
> not valid
>
> In the access server log, there are no entries with the IP address but there
> are entries with the username like
>
> access_log:<different ip address from lonbalancer> - -
> [18/Sep/2013:15:10:32 -0400] "GET /adm/login HTTP/1.1" 200 2795 "
> http://loncapa2.fsu.edu/adm/login?domain=fsu&username=xxxxx&token=24824_128_186_7_151_9"
> "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26
> (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
>
> Somehow, when the session is transferred from the lonbalancer to the access
> server, a different IP address is reported to the access server. This is
> the only clue I can find as to why the student cannot get to the roles
> page. Maybe it is a red herring. So the question is: has anyone seen this
> behavior before? Also, why is the IP address different?
>
> Any pointers?
>
> Thanks,
> -hk
>
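
The manual log correlation described in the quoted report, as an added example that is not part of the original thread or of LON-CAPA: it pairs "Cookie not valid" entries for /adm/switchserver on the lonbalancer with /adm/login hits on the access server that occur within a few seconds, and reports the pairs whose client IP differs. The sample lines, IP addresses, usernames, host name and tokens are constructed, and both servers are assumed to log in the same local time zone.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in the two log formats quoted in the thread.
# IPs are documentation-range placeholders; usernames, host and tokens are made up.
BALANCER_ERROR_LOG = """\
[Wed Sep 18 15:10:33 2013] [error] access to /home/httpd/html/adm/switchserver failed for 198.51.100.7, reason: Cookie not valid
[Wed Sep 18 15:12:02 2013] [error] access to /home/httpd/html/adm/switchserver failed for 192.0.2.44, reason: Cookie not valid
"""
TARGET_ACCESS_LOG = """\
203.0.113.25 - - [18/Sep/2013:15:10:32 -0400] "GET /adm/login HTTP/1.1" 200 2795 "http://target.example/adm/login?domain=fsu&username=student1&token=TOKEN1" "Mozilla/5.0 (iPhone)"
192.0.2.44 - - [18/Sep/2013:15:12:01 -0400] "GET /adm/login HTTP/1.1" 200 2795 "http://target.example/adm/login?domain=fsu&username=student2&token=TOKEN2" "Mozilla/5.0"
"""

ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] access to \S*/adm/switchserver "
                    r"failed for (?P<ip>[^,\s]+), reason: Cookie not valid")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
                    r'"GET /adm/login[^"]*" \d+ \S+ "(?P<ref>[^"]*)"')

def parse_balancer_errors(text):
    """Return (timestamp, client_ip) for each switchserver cookie failure."""
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"])
            for m in map(ERR_RE.match, text.splitlines()) if m]

def parse_target_handoffs(text):
    """Return (timestamp, client_ip, username) for /adm/login hits whose
    Referer carries username and token query parameters."""
    hits = []
    for m in filter(None, map(ACC_RE.match, text.splitlines())):
        query = parse_qs(urlparse(m["ref"]).query)
        if "username" in query and "token" in query:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            hits.append((ts, m["ip"], query["username"][0]))
    return hits

def find_ip_drift(balancer_text, target_text, window_s=5):
    """Pair events from both servers that fall within window_s seconds and
    report those where the client IP differs. Assumes both servers log in
    the same local time zone; time-only pairing yields candidates, not proof."""
    window = timedelta(seconds=window_s)
    errors = parse_balancer_errors(balancer_text)
    return [{"username": user, "balancer_ip": b_ip, "target_ip": t_ip}
            for t_ts, t_ip, user in parse_target_handoffs(target_text)
            for b_ts, b_ip in errors
            if abs(b_ts - t_ts) <= window and b_ip != t_ip]

if __name__ == "__main__":
    for finding in find_ip_drift(BALANCER_ERROR_LOG, TARGET_ACCESS_LOG):
        print(finding)
```

On a busy server, pairing by time alone can match unrelated users, so treat each result as a candidate to confirm against the activity log.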