[LON-CAPA-admin] cookie invalid

hkng hkng at fsu.edu
Fri Sep 20 10:49:59 EDT 2013 

Thanks Stuart,

Is it "safe" to remove $data{'ip'} ne $ENV{'REMOTE_ADDR'} temporarily until
a solution can be found? In the past, this problem occurs infrequently but
now I see it very often each day.

Regards,
-hk



H. K. Ng
Associate Professor of Physics
Department of Physics
Florida State University
Tallahassee, FL 32306-4350


On Thu, Sep 19, 2013 at 5:42 PM, Stuart Raeburn <raeburn at msu.edu> wrote:

> Hi,
>
>
>  Some how when the session is transferred from the lonbalancer to the
>> access
>> server, a different ip address is reported to the access server. This is
>> the only clue I can find as to why the student cannot get to the roles
>> page. Maybe it is a red herring. So question is has anyone seen this
>> behavior before? Also, why is the ip address different?
>>
>
> Looking at the lonbalancer code in LON-CAPA 2.10.1, I see that
> $ENV{'REMOTE_ADDR'}, as reported by the client browser, needs to be
> consistent across two stages in the LON-CAPA log-in process involving a
> lonbalancer.
>
> $ENV{'REMOTE_ADDR'} is retrieved from the client request as follows:
>
> (a) from the submission of log-in information to /adm/login on the
> lonbalancer
> (b) from the page reload included in the response from the
> /adm/switchserver browser's refresh within the meta tag:
> <meta http-equiv="Refresh" content="0.5"; url=http://<otherserver>/adm/**login"
> />
>
> where <otherserver> is the hostname of the LON-CAPA server which will host
> the user's session after transfer from the lonbalancer server.
>
> See lines 81-84 of /home/httpd/lib/perl/Apache/mi**grateuser.pm<http://migrateuser.pm>...
>
> if ($data{'ip'} ne $ENV{'REMOTE_ADDR'} || !defined($data{'username'}) ||
>     !defined($data{'domain'}) ) {
>     return &goto_login($r);
> }
>
> $data{'ip'} is retrieved (by migrateuser.pm on the target server) from
> the frozen hash stored in /home/httpd/perl/tmp (identified by token).  The
> frozen hash on the target server will have originally been stored by
> /home/httpd/lib/perl/Apache/sw**itchserver.pm <http://switchserver.pm>running on the lonbalancer server.
>
> In the case of connections through a cellular network, the comparison
> between $data{'ip'} and $ENV{'REMOTE_ADDR'} could fail if the service
> provider is using multiple gateways with multiple IP addresses, and the
> particular gateway used for a student's wireless connection changes between
> a client browser's calls to /adm/login and /adm/migrateuser.
>
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
> Quoting hkng <hkng at fsu.edu>:
>
>  Hi,
>>
>> I posted this question before but never got any response. When student
>> login using a portable device (like iPad) and using the cellular network
>> to
>> the lonbalancer, the student is be authenticated and is then transferred
>> to
>> one of the access server. However, the session immediately got kick back
>> to
>> the lonbalancer, and because the system uses SSO, it immediately transfers
>> the session back to the access server. It forms an endless loop and the
>> student never get to the roles page.
>>
>> Checking the logs this is what I can determine.
>>
>> In the activities log, there are lots of sequential entries like
>>
>> 1379531706:fsua0:Switch Server to fsua2 with role <ip address> almost
>> always coming from mobile-xxx-mycingular.net
>>
>> Checking the lonbalancer log (under /var/log/httpd) there are entries like
>>
>> ssl_access_log:ip address - - [18/Sep/2013:15:23:31 -0400] "GET
>> /adm/roles?ticket=ST-1954238-**wIoLGFGIQacDNCdcsrXy-casprd2 HTTP/1.1" 200
>> 11318
>>
>> ssl_error_log:[Wed Sep 18 15:10:33 2013] [error] access to
>> /home/httpd/html/adm/**switchserver failed for <ip address>, reason:
>> Cookie
>> not valid
>>
>> In the access server log, there is no entries with the ip address but
>> there
>> are entries with the username like
>>
>> access_log:<different ip address from lonbalancer> - -
>> [18/Sep/2013:15:10:32 -0400] "GET /adm/login HTTP/1.1" 200 2795 "
>> http://loncapa2.fsu.edu/adm/**login?domain=fsu&username=**
>> xxxxx&token=24824_128_186_7_**151_9<http://loncapa2.fsu.edu/adm/login?domain=fsu&username=xxxxx&token=24824_128_186_7_151_9>
>> "
>> "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X)
>> AppleWebKit/536.26
>> (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
>>
>> Some how when the session is transferred from the lonbalancer to the
>> access
>> server, a different ip address is reported to the access server. This is
>> the only clue I can find as to why the student cannot get to the roles
>> page. Maybe it is a red herring. So question is has anyone seen this
>> behavior before? Also, why is the ip address different?
>>
>> Any pointers?
>>
>> Thanks,
>> -hk
>>
>>
> ______________________________**_________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.**org <LON-CAPA-admin at mail.lon-capa.org>
> http://mail.lon-capa.org/**mailman/listinfo/lon-capa-**admin<http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.lon-capa.org/pipermail/lon-capa-admin/attachments/20130920/2138068d/attachment.html>

More information about the LON-CAPA-admin mailing list