12:37 p.m.
Hi,
Thanks Omer for the hint!
Following merge of several patches HttpOnly cookie patch[1], and the new
theme[2] (I guess), the login stopped working.
The frontend is doing basic authentication against the restapi and attempt to
move the cookie(?)? But it sending the cookie without http only marker.
I do not fully understand the logic, but it may parse the cookie manually in
order to do so?
Our cookies must have HttpOnly markers so this probably need to be solved at
the component which sends the cookie without the HttpOnly.
For now, people that experiencing this, please revert[1] until we can sort it
out.
Thanks,
Alon
[1] http://gerrit.ovirt.org/#/c/25915/
[2] http://gerrit.ovirt.org/#/c/24594/
12:41 p.m.
New subject: Login is failing at master due to cookie hell
On 05/07/2014 12:37 PM, Alon Bar-Lev wrote:
Hi,
Thanks Omer for the hint!
Following merge of several patches HttpOnly cookie patch[1], and the new
theme[2] (I guess), the login stopped working.
The frontend is doing basic authentication against the restapi and attempt to
move the cookie(?)? But it sending the cookie without http only marker.
I do not fully understand the logic, but it may parse the cookie manually in
order to do so?
Our cookies must have HttpOnly markers so this probably need to be solved at
the component which sends the cookie without the HttpOnly.
For now, people that experiencing this, please revert[1] until we can sort it
out.
I think its better to revert [1] till this has a fix
Thanks,
Alon
[1] http://gerrit.ovirt.org/#/c/25915/
[2] http://gerrit.ovirt.org/#/c/24594/
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
12:42 p.m.
New subject: Login is failing at master due to cookie hell
On 05/07/2014 12:41 PM, Roy Golan wrote:
On 05/07/2014 12:37 PM, Alon Bar-Lev wrote:
> Hi,
>
> Thanks Omer for the hint!
>
> Following merge of several patches HttpOnly cookie patch[1], and the new
> theme[2] (I guess), the login stopped working.
>
> The frontend is doing basic authentication against the restapi and
> attempt to
> move the cookie(?)? But it sending the cookie without http only marker.
> I do not fully understand the logic, but it may parse the cookie
> manually in
> order to do so?
>
> Our cookies must have HttpOnly markers so this probably need to be
> solved at
> the component which sends the cookie without the HttpOnly.
>
> For now, people that experiencing this, please revert[1] until we can
> sort it
> out.
I think its better to revert [1] till this has a fix
I mean to revert it in gerrit. and not locally by each developer
>
> Thanks,
> Alon
>
> [1] http://gerrit.ovirt.org/#/c/25915/
> [2] http://gerrit.ovirt.org/#/c/24594/
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
12:43 p.m.
New subject: Login is failing at master due to cookie hell
----- Original Message -----
From: "Roy Golan" <rgolan(a)redhat.com>
To: devel(a)ovirt.org
Sent: Wednesday, May 7, 2014 12:42:34 PM
Subject: Re: [ovirt-devel] Login is failing at master due to cookie hell
On 05/07/2014 12:41 PM, Roy Golan wrote:
> On 05/07/2014 12:37 PM, Alon Bar-Lev wrote:
>> Hi,
>>
>> Thanks Omer for the hint!
>>
>> Following merge of several patches HttpOnly cookie patch[1], and the new
>> theme[2] (I guess), the login stopped working.
>>
>> The frontend is doing basic authentication against the restapi and
>> attempt to
>> move the cookie(?)? But it sending the cookie without http only marker.
>> I do not fully understand the logic, but it may parse the cookie
>> manually in
>> order to do so?
>>
>> Our cookies must have HttpOnly markers so this probably need to be
>> solved at
>> the component which sends the cookie without the HttpOnly.
>>
>> For now, people that experiencing this, please revert[1] until we can
>> sort it
>> out.
>
> I think its better to revert [1] till this has a fix
I mean to revert it in gerrit. and not locally by each developer
please do... you have permissions, right?
>>
>> Thanks,
>> Alon
>>
>> [1] http://gerrit.ovirt.org/#/c/25915/
>> [2] http://gerrit.ovirt.org/#/c/24594/
>> _______________________________________________
>> Devel mailing list
>> Devel(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/devel
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
1:28 p.m.
New subject: Login is failing at master due to cookie hell
On 05/07/2014 11:37 AM, Alon Bar-Lev wrote:
Hi,
Thanks Omer for the hint!
Following merge of several patches HttpOnly cookie patch[1], and the new
theme[2] (I guess), the login stopped working.
The frontend is doing basic authentication against the restapi and attempt to
move the cookie(?)? But it sending the cookie without http only marker.
I do not fully understand the logic, but it may parse the cookie manually in
order to do so?
Our cookies must have HttpOnly markers so this probably need to be solved at
the component which sends the cookie without the HttpOnly.
For now, people that experiencing this, please revert[1] until we can sort it
out.
Thanks,
Alon
From ReportModel:
public ReportModel(String baseUrl) {
String sessionID = Cookies.getCookie("JSESSIONID"); //$NON-NLS-1$
reportUrl = baseUrl + "/flow.html" +
"?viewAsDashboardFrame=false"; //$NON-NLS-1$ //$NON-NLS-2$
paramsMap.setParameter("sessionID", sessionID); //$NON-NLS-1$
paramsMap.setParameter("_flowId", "viewReportFlow");
//$NON-NLS-1$ //$NON-NLS-2$
paramsMap.setParameter("active_hosts_select", //$NON-NLS-1$
"AND+delete_date+IS+NULL"); //$NON-NLS-1$
String currentLocale =
LocaleInfo.getCurrentLocale().getLocaleName();
paramsMap.setParameter("userLocale",
(currentLocale.equals("default") ? "en_US" : currentLocale));
//$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
}
This code gets the value of the JSESSIONID cookie, which is now
forbidden, the net result is NPE that blocks the rest of the process.
Why wasn't this detected during the verification of the change that made
the cookies HTTP only?
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
1:39 p.m.
New subject: Login is failing at master due to cookie hell
----- Original Message -----
From: "Juan Hernandez" <jhernand(a)redhat.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Vojtech Szocs"
<vszocs(a)redhat.com>, "Alexander Wels" <awels(a)redhat.com>
Cc: devel(a)linode01.ovirt.org
Sent: Wednesday, May 7, 2014 1:28:51 PM
Subject: Re: [ovirt-devel] Login is failing at master due to cookie hell
On 05/07/2014 11:37 AM, Alon Bar-Lev wrote:
> Hi,
>
> Thanks Omer for the hint!
>
> Following merge of several patches HttpOnly cookie patch[1], and the new
> theme[2] (I guess), the login stopped working.
>
> The frontend is doing basic authentication against the restapi and attempt
> to
> move the cookie(?)? But it sending the cookie without http only marker.
>
> I do not fully understand the logic, but it may parse the cookie manually
> in
> order to do so?
>
> Our cookies must have HttpOnly markers so this probably need to be solved
> at
> the component which sends the cookie without the HttpOnly.
>
> For now, people that experiencing this, please revert[1] until we can sort
> it
> out.
>
> Thanks,
> Alon
>
From ReportModel:
public ReportModel(String baseUrl) {
String sessionID = Cookies.getCookie("JSESSIONID"); //$NON-NLS-1$
reportUrl = baseUrl + "/flow.html" +
"?viewAsDashboardFrame=false"; //$NON-NLS-1$ //$NON-NLS-2$
paramsMap.setParameter("sessionID", sessionID); //$NON-NLS-1$
paramsMap.setParameter("_flowId", "viewReportFlow");
//$NON-NLS-1$ //$NON-NLS-2$
paramsMap.setParameter("active_hosts_select", //$NON-NLS-1$
"AND+delete_date+IS+NULL"); //$NON-NLS-1$
String currentLocale =
LocaleInfo.getCurrentLocale().getLocaleName();
paramsMap.setParameter("userLocale",
(currentLocale.equals("default") ? "en_US" : currentLocale));
//$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
}
This code gets the value of the JSESSIONID cookie, which is now
forbidden, the net result is NPE that blocks the rest of the process.
Thank you for this info.
Why wasn't this detected during the verification of the change
that made
the cookies HTTP only?
I am unsure, but it did login when verified by me at least when it was written before the
long delay of merging. so something must created side effect, which is good.
Oved, we should get the session id from using a servlet to echo it back.
Thanks,
Alon
3852
days inactive
3852
days old
5 comments
3 participants
participants (3)
-
Alon Bar-Lev -
Juan Hernandez -
Roy Golan