Item1306: When your IP address changes after authentication you cannot reauthenticate and server may crash
Priority: Urgent
Current State: Closed
Released In: 1.0.4
Target Release: patch
Applies To: Engine
Component:
Branches:
We have seen in Foswiki that when the IP address changes the client will be asked to re-authenticate. This is per design and OK.
But when you try, the re-auth fails.
With recent code, and maybe because I have asserts on, the server crashes:
Software error:
Use of uninitialized value in string eq at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42.
For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error.
Software error:
[Mon Mar 16 13:45:15 2009] view: Use of uninitialized value in string eq at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42.
at /usr/lib/perl5/5.8.8/CGI/Carp.pm line 314
CGI::Carp::realdie('[Mon Mar 16 13:45:15 2009] view: Use of uninitialized value i...') called at /usr/lib/perl5/5.8.8/CGI/Carp.pm line 400
CGI::Carp::die('Use of uninitialized value in string eq at /var/www/Release01...') called at /var/www/Release01x00/core/lib/Foswiki.pm line 154
Foswiki::__ANON__('Use of uninitialized value in string eq at /var/www/Release01...') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 42
Foswiki::LoginManager::Session::_ip_matches('Foswiki::LoginManager::Session=HASH(0x8df162c)') called at /usr/lib/perl5/vendor_perl/5.8.8/CGI/Session.pm line 730
CGI::Session::load('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager/Session.pm line 29
Foswiki::LoginManager::Session::load('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /usr/lib/perl5/vendor_perl/5.8.8/CGI/Session.pm line 59
CGI::Session::new('Foswiki::LoginManager::Session', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x89396fc)') called at /var/www/Release01x00/core/lib/Foswiki/LoginManager.pm line 322
Foswiki::LoginManager::loadSession('Foswiki::LoginManager::TemplateLogin=HASH(0x8da2538)', 'undef') called at /var/www/Release01x00/core/lib/Foswiki/Users.pm line 100
Foswiki::Users::new('Foswiki::Users', 'Foswiki=HASH(0x87246cc)') called at /var/www/Release01x00/core/lib/Foswiki.pm line 1352
Foswiki::new('Foswiki', 'undef', 'Foswiki::Request=HASH(0x8b40098)', 'HASH(0x8b31b6c)') called at /var/www/Release01x00/core/lib/Foswiki/UI.pm line 170
Foswiki::UI::execute('Foswiki::Request=HASH(0x8b40098)', 'CODE(0x8b3fdf8)', 'view', 1) called at /var/www/Release01x00/core/lib/Foswiki/UI.pm line 120
Foswiki::UI::handleRequest('Foswiki::Request=HASH(0x8b40098)') called at /var/www/Release01x00/core/lib/Foswiki/Engine/CGI.pm line 26
Foswiki::Engine::CGI::run('Foswiki::Engine::CGI=HASH(0x892e44c)') called at /var/www/Release01x00/core/bin/view line 45
For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error.
The correct behaviour when IP matching is turned on in configure is that the client is asked to reauthenticate, and this should result in a fresh new session (session file on server and cookie in client). The old session simply needs to be discarded.
--
KennethLavrsen - 16 Mar 2009
Interesting problem.
In TWiki 4.2.4 the cfg{Sessions}{UseIPMatching} = 1 does not seem to work. I can change the IP and my authentication is still valid.
In Foswiki this now works, BUT if your IP changed the only way to reauthenticate is to close the browser. Foswiki needs to drop the session.
What I have learned so far is that the CGI::Session script calls Foswiki::LoginManager::Session::_ip_matches with $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} undefined after you try to reauthenticate. This gives warnings in the apache error log and crashes with asserts enabled.
So this in itself needs to be fixed.
But I assume we still have the problem with the old hanging session. If the IP is found to mismatch and cfg{Sessions}{UseIPMatching} = 1, we need to wipe the old session. When the browser reauthenticates it can then succeed. Now the result is that it looks like you authenticate but you never get logged in.
To reproduce this without changing IP address, do this:
- View any page and login.
- Find your session file in working/tmp and hack the file, changing the IP address in the session file.
- View the page again (refresh).
- Note you are no longer logged in - which is correct.
- You now get a new session file stored, and it does not contain any IP address. This seems plain wrong. Error in CGI::Session maybe?
- Try to refresh again. You are still not authenticated, but you continue to have a cookie file without a remote IP address. It is from this moment that $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} becomes undefined.
- Login using the login link in the left bar - a new cookie file is made, still without an IP address and still causing $_[0]->{_DATA}->{_SESSION_REMOTE_ADDR} to be undefined.
- Note that you are still not authenticated when you return.
- Study the apache error log.
--
KennethLavrsen - 17 Mar 2009
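As an added illustration (not Foswiki or CGI::Session code), here is a standalone Perl model of the IP-matching session check described in the comments above: an undefined stored remote address is treated as a mismatch instead of being compared with `eq`, and a mismatch discards the stale session and issues a fresh one stamped with the current client address, so re-authentication can succeed. The session store, session ids and addresses are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration (not Foswiki or CGI::Session code): a standalone model of
# an IP-matching session check that tolerates the undefined stored address
# seen in this report and forces a fresh session on mismatch.
use strict;
use warnings;

# Constructed stand-in for the session store: sid => session data hash.
my %store = (
    'abc123' => { _SESSION_REMOTE_ADDR => '192.0.2.10', AUTHUSER => 'alice' },
    'def456' => { _SESSION_ID => 'def456' },   # saved without any remote address
);

# Return 1 if the session's recorded address matches the client, 0 otherwise.
# An undefined recorded address can never match; comparing it with 'eq'
# is exactly what produced "Use of uninitialized value in string eq".
sub ip_matches {
    my ( $session, $remote_addr ) = @_;
    my $stored = $session->{_SESSION_REMOTE_ADDR};
    return 0 unless defined $stored && defined $remote_addr;
    return $stored eq $remote_addr ? 1 : 0;
}

# Load a session by id. On an address mismatch (or a session with no
# address at all), discard the stale record and hand back a fresh one
# stamped with the current client address, so re-authentication can succeed.
sub load_session {
    my ( $sid, $remote_addr ) = @_;
    my $session = defined $sid ? $store{$sid} : undef;
    return $session if defined $session && ip_matches( $session, $remote_addr );
    delete $store{$sid} if defined $sid;
    my $new_sid = sprintf 'fresh%06d', int rand 1_000_000;    # constructed id scheme
    $store{$new_sid} = { _SESSION_ID => $new_sid, _SESSION_REMOTE_ADDR => $remote_addr };
    return $store{$new_sid};
}

# Same client, same address: existing session is kept, user stays logged in.
my $s = load_session( 'abc123', '192.0.2.10' );
print "abc123 from 192.0.2.10 -> user=", $s->{AUTHUSER} // 'none', "\n";

# Address changed: old session is wiped, new one carries the current address.
$s = load_session( 'abc123', '198.51.100.7' );
print "abc123 from 198.51.100.7 -> user=", $s->{AUTHUSER} // 'none',
      " addr=", $s->{_SESSION_REMOTE_ADDR}, "\n";

# Session saved without an address (the symptom in this report): no warning,
# treated as a mismatch and replaced.
$s = load_session( 'def456', '192.0.2.10' );
print "def456 -> addr=", $s->{_SESSION_REMOTE_ADDR}, "\n";
```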
This is a bug in CGI::Session, as shown by its bug tracker:
http://rt.cpan.org/Public/Bug/Display.html?id=29138
We have to update the version we're currently shipping with Foswiki, and also the DEPENDENCIES.
--
OlivierRaginel - 18 Mar 2009
Update of MANIFEST forgotten. Two files need to be removed.
--
KennethLavrsen - 18 Mar 2009