[LON-CAPA-admin] cookie invalid

hkng hkng at fsu.edu
Sat Sep 21 08:09:45 EDT 2013 

Hi,

Is it possible to have the lonbalancer hosts the session if different IP
address is detected? The reason is so that I don't have add another server
with SSO.

Thanks,
-hk


On Friday, September 20, 2013, Stuart Raeburn wrote:

> Hi hk,
>
>  Is it "safe" to remove $data{'ip'} ne $ENV{'REMOTE_ADDR'} temporarily
>> until
>> a solution can be found?
>>
>
> Personally, I would not do that.
>
> The IP check has been a part of /adm/migrateuser since rev 1.1.  However,
> the current process needs improvement.
>
> As regards your specific situation where users are accessing LON-CAPA via
> a cellular network, my preference would be to require re-authentication,
> but have that occur on the server selected to host the session in order to
> avoid a repeat of the use of /adm/switchserver and then /adm/migrateuser
> (in which their could be yet another client IP change).
>
> Depending on how SSO is configured, a SSO-authenticated user might not
> need to re-authenticate, if you are able to verify the user's SSO
> credentials on your regular access servers, as well as on your lonbalancer
> server.  It looks as though you currently use CAS single sign on for both
> loncapa.fsu.edu and loncapa10.fsu.edu.
>
> Anyway I have assigned myself a bug for this --
> http://bugs.loncapa.org/show_**bug.cgi?id=6675<http://bugs.loncapa.org/show_bug.cgi?id=6675>and will work on it today.
>
>
> Stuart
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting hkng <hkng at fsu.edu>:
>
>  Thanks Stuart,
>>
>> Is it "safe" to remove $data{'ip'} ne $ENV{'REMOTE_ADDR'} temporarily
>> until
>> a solution can be found? In the past, this problem occurs infrequently but
>> now I see it very often each day.
>>
>> Regards,
>> -hk
>>
>>
>>
>> H. K. Ng
>> Associate Professor of Physics
>> Department of Physics
>> Florida State University
>> Tallahassee, FL 32306-4350
>>
>>
>> On Thu, Sep 19, 2013 at 5:42 PM, Stuart Raeburn <raeburn at msu.edu> wrote:
>>
>>  Hi,
>>>
>>>
>>>  Some how when the session is transferred from the lonbalancer to the
>>>
>>>> access
>>>> server, a different ip address is reported to the access server. This is
>>>> the only clue I can find as to why the student cannot get to the roles
>>>> page. Maybe it is a red herring. So question is has anyone seen this
>>>> behavior before? Also, why is the ip address different?
>>>>
>>>>
>>> Looking at the lonbalancer code in LON-CAPA 2.10.1, I see that
>>> $ENV{'REMOTE_ADDR'}, as reported by the client browser, needs to be
>>> consistent across two stages in the LON-CAPA log-in process involving a
>>> lonbalancer.
>>>
>>> $ENV{'REMOTE_ADDR'} is retrieved from the client request as follows:
>>>
>>> (a) from the submission of log-in information to /adm/login on the
>>> lonbalancer
>>> (b) from the page reload included in the response from the
>>> /adm/switchserver browser's refresh within the meta tag:
>>> <meta http-equiv="Refresh" content="0.5";  url=http://
>>> <otherserver>/adm/****login"
>>> />
>>>
>>> where <otherserver> is the hostname of the LON-CAPA server which will
>>> host
>>> the user's session after transfer from the lonbalancer server.
>>>
>>> See lines 81-84 of  /home/httpd/lib/perl/Apache/**mi**grateuser.pm<
>>> http://**migrateuser.pm <http://migrateuser.pm>>...
>>>
>>> if ($data{'ip'} ne $ENV{'REMOTE_ADDR'} || !defined($data{'username'}) ||
>>>     !defined($data{'domain'}) ) {
>>>     return &goto_login($r);
>>> }
>>>
>>> $data{'ip'} is retrieved (by migrateuser.pm on the target server) from
>>> the frozen hash stored in /home/httpd/perl/tmp (identified by token).
>>>  The
>>> frozen hash on the target server will have originally been stored by
>>> /home/httpd/lib/perl/Apache/**sw**itchserver.pm  <http://switchserver.pm
>>> >**running on the lonbalancer server.
>>>
>>> In the case of connections through a cellular network, the comparison
>>> between $data{'ip'} and $ENV{'REMOTE_ADDR'} could fail if the service
>>> provider is using multiple gateways with multiple IP addresses, and the
>>> particular gateway used for a student's wireless connection changes
>>> between
>>> a client browser's calls to /adm/login and /adm/migrateuser.
>>>
>>>
>>>
>>> Stuart Raeburn
>>> LON-CAPA Academic Consortium
>>>
>>> Quoting hkng <hkng at fsu.edu>:
>>>
>>>  Hi,
>>>
>>>>
>>>> I posted this question before but never got any response. When student
>>>> login using a portable device (like iPad) and using the cellular network
>>>> to
>>>> the lonbalancer, the student is be authenticated and is then transferred
>>>> to
>>>> one of the access server. However, the session immediately got kick back
>>>> to
>>>> the lonbalancer, and because the system uses SSO, it immediately
>>>> transfers
>>>> the session back to the access server. It forms an endless loop and the
>>>> student never get to the roles page.
>>>>
>>>> Checking the logs this is what I can determine.
>>>>
>>>> In the activities log, there are lots of sequential entries like
>>>>
>>>> 1379531706:fsua0:Switch Server to fsua2 with role <ip address> almost
>>>> always coming from mobile-xxx-mycingular.net
>>>>
>>>> Checking the lonbalancer log (under /var/log/httpd) there are entries
>>>> like
>>>>
>>>> ssl_access_log:ip address - - [18/Sep/2013:15:23:31 -0400] "GET
>>>> /adm/roles?ticket=ST-1954238-****wIoLGFGIQacDNCdcsrXy-casprd2
>>>> HTTP/1.1" 200
>>>> 11318
>>>>
>>>> ssl_error_log:[Wed Sep 18 15:10:33 2013] [error] access to
>>>> /home/httpd/html/adm/****switchserver failed for <ip address>, reason:
>>>> Cookie
>>>> not valid
>>>>
>>>> In the access server log, there is no entries with the ip address but
>>>> there
>>>> are entries with the username like
>>>>
>>>> access_log:<different ip address from lonbalancer> - -
>>>> [18/Sep/2013:15:10:32 -0400] "GET /adm/login HTTP/1.1" 200 2795 "
>>>> http://loncapa2.fsu.edu/adm/****login?domain=fsu&username=**<http://loncapa2.fsu.edu/adm/**login?domain=fsu&username=**>
>>>> xxxxx&token=24824_128_186_7_****151_9<http://loncapa2.fsu.edu/**
>>>> adm/login?domain=fsu&username=**xxxxx&token=24824_128_186_7_**151_9<http://loncapa2.fsu.edu/adm/login?domain=fsu&username=xxxxx&token=24824_128_186_7_151_9>
>>>> >
>>>> "
>>>> "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X)
>>>> AppleWebKit/536.26
>>>> (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
>>>>
>>>> Some how when the session is transferred from the lonbalancer to the
>>>> access
>>>> server, a different ip address is reported to the access server. This is
>>>> the only clue I can find as to why the student cannot get to the roles
>>>> page. Maybe it is a red herring. So question is has anyone seen this
>>>> behavior before? Also, why is the ip address different?
>>>>
>>>> Any pointers?
>>>>
>>>> Thanks,
>>>> -hk
>>>>
>>>>
>>>>  ______________________________****_________________
>>> LON-CAPA-admin mailing list
>>> LON-CAPA-admin at mail.lon-capa.****org <LON-CAPA-admin at mail.lon-capa.org>
>>> http://mail.lon-capa.org/****mailman/listinfo/lon-capa-****admin<http://mail.lon-capa.org/**mailman/listinfo/lon-capa-**admin>
>>> <http://mail.lon-capa.**org/mailman/listinfo/lon-capa-**admin<http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin>
>>> >
>>>
>>
> ______________________________**_________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/**mailman/listinfo/lon-capa-**admin<http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin>
>
>
>

-- 
H. K. Ng
Associate Professor of Physics
Department of Physics
Florida State University
Tallahassee, FL 32306-4350
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.lon-capa.org/pipermail/lon-capa-admin/attachments/20130921/0caf4bf3/attachment.html>

More information about the LON-CAPA-admin mailing list