Item1306: When your IP address changes after authentication you cannot reauthenticate and server may crash

Priority: Urgent
Current State: Closed
Released In: 1.0.4
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: KennethLavrsen
Waiting For:
Last Change By: KennethLavrsen
We have seen in Foswiki that when the IP address changes the client will be asked to re-authenticate. This is per design and OK.

But when you try, the re-auth fails.

With recent code, and maybe because I have asserts on, the server crashes:

Software error:

Use of uninitialized value in string eq at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42.

For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error.
Software error:

[Mon Mar 16 13:45:15 2009] view: Use of uninitialized value in string eq at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42.
 at /usr/lib/perl5/5.8.8/CGI/Carp.pm line 314
   CGI::Carp::realdie('[Mon Mar 16 13:45:15 2009] view: Use of uninitialized value i...') called at /usr/lib/perl5/5.8.8/CGI/Carp.pm line 400
   CGI::Carp::die('Use of uninitialized value in string eq at /var/www/Release01...') called at /var/www/Release01x00/core/lib/Foswiki.pm line 154
   Foswiki::__ANON__('Use of uninitialized value in string eq at /var/www/Release01...') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42
   Foswiki::LoginManager::Session::_ip_matches('Foswiki::LoginManager::Session=HASH(0x8df162c)') called at /usr/lib/perl5/vendor_perl/5.8.8/CGI/Session.pm line 730
   CGI::Session::load('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 29
   Foswiki::LoginManager::Session::load('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /usr/lib/perl5/vendor_perl/5.8.8/CGI/Session.pm line 59
   CGI::Session::new('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager.pm line 322
   Foswiki::LoginManager::loadSession('Foswiki::LoginManager::TemplateLogin=HASH(0x8da2538)', 'undef') called at /var/www/Release01x00/core/lib/Foswiki/Users.pm line 100
   Foswiki::Users::new('Foswiki::Users', 'Foswiki=HASH(0x87246cc)') called at /var/www/Release01x00/core/lib/Foswiki.pm line 1352
   Foswiki::new('Foswiki', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x8b31b6c)') called at /var/www/Release01x00/core/lib/Foswiki/UI.pm line 170
   Foswiki::UI::execute('Foswiki::Request=HASH(0x8b40098)', 'CODE(0x8b3fdf8)', 'view', 1) called at /var/www/Release01x00/core/lib/Foswiki/UI.pm line 120
   Foswiki::UI::handleRequest('Foswiki::Request=HASH(0x8b40098)') called at /var/www/Release01x00/core/lib/Foswiki/Engine/CGI.pm line 26
   Foswiki::Engine::CGI::run('Foswiki::Engine::CGI=HASH(0x892e44c)') called at /var/www/Release01x00/core/bin/view line 45

For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error. 

The correct behaviour when IP matching is turned on in configure is that the client is asked to reauthenticate and this should result in a fresh new session (session file on server and cookie in client). The old session simply needs to be discarded.

-- KennethLavrsen - 16 Mar 2009

Interesting problem.

In TWiki 4.2.4 the cfg{Sessions}{UseIPMatching} = 1 does not seem to work. I can change the IP and my authentication is still valid.

In Foswiki this now works BUT if your IP changed the only way to reauthenticate is to close the browser. Foswiki needs to drop the session.

What I have learned so far is that the CGI::Session script calls Foswiki::LoginManager::Session::__ip_matches with $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} undefined after you try to reauthenticate. This gives warnings in the apache error log and crashes with asserts enabled.

So this in itself needs to be fixed.

But I assume we still have the problem with the old hanging session. If the IP is found to mismatch and cfg{Sessions}{UseIPMatching} = 1, we need to wipe the old session. When the browser reauthenticates, it can then succeed. Now the result is that it looks like you authenticate but you never get logged in.

To reproduce this without changing IP address do this

  • View any page and login
  • Find your session file in working/tmp and hack the file, changing the IP address in the session file.
  • View the page again (refresh).
  • Note you are no longer logged in - which is correct
  • You now get a new session file stored and it does not contain any IP address. This seems plain wrong. Error in CGI::Session maybe?
  • Try to refresh again. Still you are not authenticated but you continue having a cookie file without remote IP address. It is from this moment the $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} becomes undefined
  • Login using the login link in left bar - new cookie file is made, still without IP address and still causing $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} to be undefined.
  • Note that you are still not authenticated when you return
  • Study the apache error log

-- KennethLavrsen - 17 Mar 2009
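The behaviour the two reports above ask for (IP mismatch discards the old session and a fresh one is created with the client's address stored, so a later login succeeds; a session record with no stored address is treated as a mismatch instead of being compared as an undefined value) can be modelled in a few lines. The following is an added example written for this page, not Foswiki or CGI::Session code: sessions live in an in-memory dict standing in for the files under working/tmp, the key names `_SESSION_REMOTE_ADDR` and `AUTHUSER` are borrowed from the report only as labels, and `reproduce()` walks the tampering steps from the comment above against this model.

```python
"""IP-bound session store: added example, not Foswiki/CGI::Session code."""
import secrets
import time


class SessionStore:
    """Minimal stand-in for a file-backed CGI::Session store with IP matching."""

    def __init__(self, use_ip_matching=True):
        self.use_ip_matching = use_ip_matching
        self._sessions = {}  # sid -> data dict (stand-in for working/tmp files)

    def create(self, remote_addr):
        """Create a fresh, unauthenticated session bound to remote_addr."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {
            "_SESSION_ID": sid,
            "_SESSION_REMOTE_ADDR": remote_addr,  # always stored on creation
            "_SESSION_CTIME": time.time(),
            "AUTHUSER": None,
        }
        return sid

    def _ip_matches(self, data, remote_addr):
        """Fail closed: a record without a stored address is a mismatch,
        never a comparison against an undefined value."""
        stored = data.get("_SESSION_REMOTE_ADDR")
        if stored is None:
            return False
        return stored == remote_addr

    def load(self, sid, remote_addr):
        """Resolve the cookie sid to a session. On an IP mismatch the old
        record is deleted and a fresh session is returned, so the caller
        must always re-set the cookie from the returned sid."""
        data = self._sessions.get(sid) if sid else None
        if data is not None and self.use_ip_matching and not self._ip_matches(data, remote_addr):
            del self._sessions[sid]  # wipe the stale session, do not keep it hanging
            data = None
        if data is None:
            sid = self.create(remote_addr)
            data = self._sessions[sid]
        return sid, data

    def login(self, sid, remote_addr, user):
        """Authenticate the (possibly freshly created) session; returns the sid to cookie."""
        sid, data = self.load(sid, remote_addr)
        data["AUTHUSER"] = user
        return sid

    def authenticated_user(self, sid, remote_addr):
        """Return (sid, user); user is None when not logged in."""
        sid, data = self.load(sid, remote_addr)
        return sid, data["AUTHUSER"]


def reproduce():
    """Walk the report's steps: login, tamper the stored IP, refresh, re-login."""
    store = SessionStore(use_ip_matching=True)
    client_ip = "10.0.0.1"  # constructed sample address
    sid1 = store.login(None, client_ip, "KennethLavrsen")
    # Step 2: edit the session record's IP, as done by hand in working/tmp.
    store._sessions[sid1]["_SESSION_REMOTE_ADDR"] = "10.0.0.99"
    # Step 3/4: refresh; mismatch must log the user out ...
    sid2, user_after = store.authenticated_user(sid1, client_ip)
    # Step 5: ... and the replacement session must carry the client address.
    new_addr = store._sessions[sid2]["_SESSION_REMOTE_ADDR"]
    # Step 7: logging in again via the login link must now succeed.
    sid3 = store.login(sid2, client_ip, "KennethLavrsen")
    sid4, user_final = store.authenticated_user(sid3, client_ip)
    return {
        "logged_out_after_tamper": user_after is None and sid2 != sid1,
        "old_session_discarded": sid1 not in store._sessions,
        "new_session_has_addr": new_addr == client_ip,
        "relogin_succeeds": user_final == "KennethLavrsen" and sid4 == sid2,
    }


def missing_addr_is_mismatch():
    """A record that lost its address (the crash case in the trace) is replaced, not crashed on."""
    store = SessionStore()
    sid = store.create("192.0.2.7")  # constructed sample address
    del store._sessions[sid]["_SESSION_REMOTE_ADDR"]
    new_sid, data = store.load(sid, "192.0.2.7")
    return new_sid != sid and data["_SESSION_REMOTE_ADDR"] == "192.0.2.7"
```

The design choice worth noting is in `load`: the caller never receives the stale record, and the returned sid is what gets written to the cookie, so the browser cannot keep presenting a session that has no stored address. With `use_ip_matching=False` the same store behaves like the TWiki 4.2.4 case described above, where a changed IP leaves the authentication valid.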

This is a bug in CGI::Session, as shown by its bug tracker: http://rt.cpan.org/Public/Bug/Display.html?id=29138

We have to update the version we're currently shipping with Foswiki, and also the DEPENDENCIES.

-- OlivierRaginel - 18 Mar 2009

Update of MANIFEST forgotten. Two files need to be removed.

-- KennethLavrsen - 18 Mar 2009

ItemTemplate

Summary When your IP address changes after authentication you cannot reauthenticate and server may crash
ReportedBy KennethLavrsen
Codebase
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Engine
Component
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:75d523fcecba distro:808e105120f2 distro:f8107e0e9307 distro:7a6c006243b0 distro:f67b568613a3 distro:2d440c018501
TargetRelease patch
ReleasedIn 1.0.4
Topic revision: r12 - 19 Mar 2009, KennethLavrsen