[sympa-users] wwsympa "ignoring unknown session cookie"

Subject: The mailing list for listmasters using Sympa

  • From: Aaron Wyatt <address@concealed>
  • To: "<address@concealed>" <address@concealed>
  • Subject: [sympa-users] wwsympa "ignoring unknown session cookie"
  • Date: Thu, 6 Jun 2013 20:35:34 +0000

Hi folks-

I'm working on a problem I'm having with a sympa 6.1.17 install.  The problem isn't really a problem, but rather expected and programmed behavior; however, I'm looking for a way to disable the feature.

I've put together a summary of the problem below, including a description, cause, and known solutions.  The basic gist of it is that unsecured http session cookies can pretty easily become out of sync between wwsympa and the client.  This causes the session to be renewed and forces the user to re-auth.  The solution is to use SSL, which doesn't require the session cookies to keep changing.

So here's my problem:  Our sympa CAS sits behind an F5 load balancer which does SSL termination for the CAS.  What that means is that the load balancer holds onto the server certificate and handles all the https encryption/decryption.  It then passes the decrypted http traffic back and forth between the CAS and itself.  This means, as far as wwsympa is concerned, all traffic coming to it is over unsecured http, even though between the client and the load balancer, all web traffic is https.  If you log in, click on a list, and then double-click the link to administer a list, you immediately get logged out.  As far as I can tell, this is because the session cookie ID is out of sync between the client request and the server response.

What I'd like to do is disable the feature that keeps changing the session cookie ID for http.  Does anyone know if this is possible?

aaron

PS-- Not sure if this list supports rich-text/html in emails so I apologize if the details below don't render correctly.

_______________________________
Aaron Wyatt
Application Systems Administrator
Boston College IT Services
address@concealed
617.552.1278
_______________________________

HTTP Sessions Being Dropped/Renewed

Issue Description

  • When clicking links in succession too quickly, user gets logged out of sympa.
  • Issue reports in the log as "ignoring unknown session cookie" (see below). 
  • As you can see in the log entries, the session cookie changes between clicks of links, and the local client session cookie has not been updated to reflect the new session cookie given out by sympa.
Jun  6 11:34:02 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] [session 95117434161507] [client 136.167.3.74] [user stark.xythos@bc.edu] [list c21-test] main::do_admin() do_admin
Jun  6 11:34:04 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] [session 78971679287553] [client 136.167.3.74] [user stark.xythos@bc.edu] [list c21-test] main::do_info() do_info
Jun  6 11:34:06 trenchant01 wwsympa[16903]: info SympaSession::new() SympaSession::new ignoring unknown session cookie '78971679287553'
Jun  6 11:34:06 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] [session 96853166699223] [client 136.167.3.74] [list c21-test] main::prevent_visibility_bypass() visibility: List must remain hidden. Returning "home" to prevent visibility bypass
Jun  6 11:34:06 trenchant01 wwsympa[16903]: err [robot lists.bc.edu] [session 96853166699223] [client 136.167.3.74] [list c21-test] main::check_action_parameters() user not logged in
Jun  6 11:34:06 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] [session 96853166699223] [client 136.167.3.74] [list c21-test] main::do_loginrequest() do_loginrequest
Jun  6 11:34:07 trenchant01 wwsympa[16903]: info SympaSession::new() SympaSession::new ignoring unknown session cookie '78971679287553'
Jun  6 11:34:07 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] [session 29947709900162] [client 136.167.3.74] [list c21-test] main::prevent_visibility_bypass() visibility: List must remain hidden. Returning "home" to prevent visibility bypass
Jun  6 11:34:07 trenchant01 wwsympa[16903]: err [robot lists.bc.edu] [session 29947709900162] [client 136.167.3.74] [list c21-test] main::check_action_parameters() user not logged in

Issue Cause

  • This is a documented behavior of sympa (see below).
  • When using unsecured http, sympa keeps changing the session cookie id in order to help prevent session hijacking.
  • This behavior is exposed when clicking on links in rapid succession.
  • Mentioned in Sympa change log:  http://svn.cru.fr/sympa/branches/sympa-dkim/ChangeLog
------------------------------------------------------------------------
r5452 | sympa-authors | 2009-01-23 14:22:06 +0100 (Fri 23 Jan 2009) | 4 lines
Changed paths:
   M /trunk/wwsympa/SympaSession.pm
   M /trunk/wwsympa/wwsympa.fcgi
 
[bug] solve a bug related to infinite redirection loop when using automatic redirection to CAS server
[change] now the session id cookie is not renewed when using SSL. Renewal of the session id cookie is a protection against session hijacking. It is not useful if the session cookie is used only in an SSL session. Because this method may cause users to lose their session when they hit several links very quickly, we limit it to http.
  • Because we are using SSL termination at the load balancer, sympa talks to the VIP from the CAS over unsecured http.
  • Note also that sympa sees all sessions as if they originated from the VIP (see below).
mysql> select * from session_table;
 data_session date_session email_session hit_session id_session remote_addr_session robot_session start_date_session
;is_family_owner="";redirect_url="http://lists.bc.edu/sympa/admin/c21-test";data=""" 1370532846 nobody 1 1336851574280 136.167.3.74 lists.bc.edu 1370532846
;is_family_owner="";redirect_url="http://lists.bc.edu/sympa/info/stark_info";data=""" 1370527934 nobody 1 18473843359124 136.167.3.74 lists.bc.edu 1370527934
;is_family_owner="";redirect_url="http://lists.bc.edu/sympa/admin/c21-test";data=""" 1370532847 nobody 1 26012894828480 136.167.3.74 lists.bc.edu 1370532847
;is_family_owner="";redirect_url="http://lists.bc.edu/sympa/help/admin";data=""" 1370527312 nobody 12 27255736609225 136.167.3.74 lists.bc.edu 1370525114
;auth="ldap";archive_sniffer="false";is_family_owner="";unauthenticated_email="";lang="en";redirect_url="http://lists.bc.edu/sympa/info/stark_info";data=""";arc_mode="thrd" 1370527933 address@concealed 12 34876391872631 136.167.3.74 lists.bc.edu 1370526656
;auth="ldap";is_family_owner="";unauthenticated_email="";lang="en";redirect_url="http://lists.bc.edu/sympa/blacklist/stark_info";data=""" 1370526655 address@concealed 8 53212761841397 136.167.3.74 lists.bc.edu 1370526485
;auth="ldap";archive_sniffer="false";is_family_owner="";unauthenticated_email="";lang="en";redirect_url="http://lists.bc.edu/sympa/info/c21-test";data=""" 1370532844 address@concealed 7 54596885309686 136.167.3.74 lists.bc.edu 1370532824
;auth="ldap";is_family_owner="";unauthenticated_email="";lang="en";redirect_url="http://lists.bc.edu/sympa/review/stark_info";data=""" 1370526484 address@concealed 7 5900135804820 136.167.3.74 lists.bc.edu 1370526407
 

Issue Resolution

  • The problem can be resolved by using SSL
  • We can force SSL by disabling F5 termination
  • ?
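The race the post describes, as an added example that is not part of the original message or of Sympa's code: a toy server that, like wwsympa over plain http, retires the presented session id and issues a new one on every request, while a browser that fires two requests with the same cookie before the first response is applied has its second request land on an anonymous session. The session store, the numeric id format and the request/response shapes are assumptions of the model; the `secure` flag stands in for whatever the server uses to decide the request arrived over SSL, which behind the F5 is exactly the decision that goes wrong, since the connection wwsympa sees is plain http.

```python
"""Toy model of per-request session-id rotation over plain HTTP.
Added example, not Sympa's own code; the store, the id format and the
request/response shapes are assumptions of the model."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    cookie: Optional[str]   # session id the browser sent, if any
    secure: bool            # what the *server* believes about the transport


@dataclass
class Response:
    status: str                       # "ok" or "loginrequest"
    set_cookie: Optional[str] = None  # new id the browser must store, if rotated
    log: List[str] = field(default_factory=list)


class SessionServer:
    """Session store; sessions[id] is the user's email, or None when anonymous."""

    def __init__(self, rotate_over_http: bool = True) -> None:
        self.sessions: Dict[str, Optional[str]] = {}
        self.rotate_over_http = rotate_over_http

    @staticmethod
    def _new_id() -> str:
        return str(secrets.randbelow(10 ** 14))   # numeric, like the ids in the log

    def login(self, email: str) -> str:
        sid = self._new_id()
        self.sessions[sid] = email
        return sid

    def handle(self, req: Request) -> Response:
        resp = Response("ok")
        sid = req.cookie
        if sid not in self.sessions:
            # The "ignoring unknown session cookie" path: start a fresh
            # anonymous session instead of trusting the presented id.
            resp.log.append(f"ignoring unknown session cookie '{sid}'")
            sid = self._new_id()
            self.sessions[sid] = None
            resp.set_cookie = sid
        if self.sessions[sid] is None:
            resp.log.append(f"[session {sid}] user not logged in")
            resp.status = "loginrequest"
            return resp
        if self.rotate_over_http and not req.secure:
            # Anti-hijacking rotation: retire the presented id, issue a new one.
            new_sid = self._new_id()
            self.sessions[new_sid] = self.sessions.pop(sid)
            resp.set_cookie = new_sid
            sid = new_sid
        resp.log.append(f"[session {sid}] {req.path}")
        return resp


def sequential_clicks(server: SessionServer, sid: str, path: str,
                      secure: bool) -> Tuple[str, str]:
    """Well-behaved client: stores the rotated cookie before the next click."""
    first = server.handle(Request(path, sid, secure))
    sid = first.set_cookie or sid
    second = server.handle(Request(path, sid, secure))
    return first.status, second.status


def double_click(server: SessionServer, sid: str, path: str,
                 secure: bool) -> Tuple[str, str]:
    """Two requests go out with the same cookie before the first response
    has been applied: the second one carries an id the server already retired."""
    first = server.handle(Request(path, sid, secure))
    second = server.handle(Request(path, sid, secure))
    return first.status, second.status


if __name__ == "__main__":
    for secure in (False, True):
        srv = SessionServer()
        sid = srv.login("owner@example.org")     # constructed user
        print(f"secure={secure} double-click ->",
              double_click(srv, sid, "/sympa/admin/c21-test", secure))
```

Running it prints `("ok", "loginrequest")` for the plain-http case and `("ok", "ok")` when the server believes the transport is SSL, which is the behaviour the changelog entry above describes. Note that the slow, sequential client never sees the problem, so the symptom only shows up on double-clicks or other overlapping requests.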







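A triage pass over the "ignoring unknown session cookie" lines from the Issue Description, as an added example that is not part of the original message or of Sympa. It separates a rejected id that was, earlier in the same log window, an authenticated session (a client re-sending an id the server already rotated away, which is the case on this page) from an id the log never issued (the pattern worth looking at as a possible forged or replayed cookie). The sample lines are copies of the post's own log entries plus one constructed line with a made-up id; the regular expressions assume the syslog layout shown in the post.

```python
"""Classify wwsympa "ignoring unknown session cookie" events as STALE
(id previously seen with a [user ...] field) or UNSEEN (never issued in
this window). Added example, not Sympa's code."""
import re
from typing import List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wwsympa\[\d+\]: "
    r"(?P<level>\w+) (?P<msg>.*)$")
SESSION_RE = re.compile(r"\[session (\d+)\]")
USER_RE = re.compile(r"\[user [^\]]+\]")
UNKNOWN_RE = re.compile(r"ignoring unknown session cookie '(\d+)'")

Event = Tuple[str, str]   # (timestamp, rejected session id)


def triage(lines: List[str]) -> Tuple[List[Event], List[Event]]:
    """Single pass in log order; returns (stale, unseen)."""
    authenticated = set()   # ids seen on a line that also names a logged-in user
    stale: List[Event] = []
    unseen: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue        # not a wwsympa line in the expected layout
        msg = m.group("msg")
        rejected = UNKNOWN_RE.search(msg)
        if rejected:
            sid = rejected.group(1)
            bucket = stale if sid in authenticated else unseen
            bucket.append((m.group("ts"), sid))
            continue
        sess = SESSION_RE.search(msg)
        if sess and USER_RE.search(msg):
            authenticated.add(sess.group(1))
    return stale, unseen


# Lines copied from the post, plus one constructed line (id 1234567890).
SAMPLE = [
    "Jun  6 11:34:02 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] "
    "[session 95117434161507] [client 136.167.3.74] [user stark.xythos@bc.edu] "
    "[list c21-test] main::do_admin() do_admin",
    "Jun  6 11:34:04 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] "
    "[session 78971679287553] [client 136.167.3.74] [user stark.xythos@bc.edu] "
    "[list c21-test] main::do_info() do_info",
    "Jun  6 11:34:06 trenchant01 wwsympa[16903]: info SympaSession::new() "
    "SympaSession::new ignoring unknown session cookie '78971679287553'",
    "Jun  6 11:34:06 trenchant01 wwsympa[16903]: info [robot lists.bc.edu] "
    "[session 96853166699223] [client 136.167.3.74] [list c21-test] "
    "main::prevent_visibility_bypass() visibility: List must remain hidden. "
    "Returning \"home\" to prevent visibility bypass",
    "Jun  6 11:34:06 trenchant01 wwsympa[16903]: err [robot lists.bc.edu] "
    "[session 96853166699223] [client 136.167.3.74] [list c21-test] "
    "main::check_action_parameters() user not logged in",
    "Jun  6 11:34:07 trenchant01 wwsympa[16903]: info SympaSession::new() "
    "SympaSession::new ignoring unknown session cookie '78971679287553'",
    # constructed: an id that never appeared as a session in this window
    "Jun  6 11:40:00 trenchant01 wwsympa[16903]: info SympaSession::new() "
    "SympaSession::new ignoring unknown session cookie '1234567890'",
]


if __name__ == "__main__":
    stale, unseen = triage(SAMPLE)
    for ts, sid in stale:
        print(f"{ts} STALE  {sid} (rotated-away id re-sent by a known user)")
    for ts, sid in unseen:
        print(f"{ts} UNSEEN {sid} (never issued here; inspect)")
```

Both rejections on this page fall in the STALE bucket, which matches the post's diagnosis of a cookie the browser had not yet updated rather than a hijacking attempt. Anonymous sessions (no `[user ...]` field) are deliberately not counted as authenticated, so an attacker guessing ids would not be able to seed the set.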