[ovirt-devel] Login is failing at master due to cookie hell

Alon Bar-Lev alonbl at redhat.com
Wed May 7 10:39:26 UTC 2014



----- Original Message -----
> From: "Juan Hernandez" <jhernand at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>, "Vojtech Szocs" <vszocs at redhat.com>, "Alexander Wels" <awels at redhat.com>
> Cc: devel at linode01.ovirt.org
> Sent: Wednesday, May 7, 2014 1:28:51 PM
> Subject: Re: [ovirt-devel] Login is failing at master due to cookie hell
> 
> On 05/07/2014 11:37 AM, Alon Bar-Lev wrote:
> > Hi,
> > 
> > Thanks Omer for the hint!
> > 
> > Following the merge of several patches, the HttpOnly cookie patch[1] and the new
> > theme[2] (I guess), the login stopped working.
> > 
> > The frontend is doing basic authentication against the restapi and attempts to
> > move the cookie(?)? But it is sending the cookie without the HttpOnly marker.
> >  
> > I do not fully understand the logic, but it may parse the cookie manually in
> > order to do so?
> > 
> > Our cookies must have HttpOnly markers, so this probably needs to be solved at
> > the component which sends the cookie without the HttpOnly.
> > 
> > For now, people who are experiencing this, please revert[1] until we can sort it
> > out.
> > 
> > Thanks,
> > Alon
> > 
> 
> From ReportModel:
> 
>     public ReportModel(String baseUrl) {
>         String sessionID = Cookies.getCookie("JSESSIONID"); //$NON-NLS-1$
> 
>         reportUrl = baseUrl + "/flow.html" + "?viewAsDashboardFrame=false"; //$NON-NLS-1$ //$NON-NLS-2$
>         paramsMap.setParameter("sessionID", sessionID); //$NON-NLS-1$
>         paramsMap.setParameter("_flowId", "viewReportFlow"); //$NON-NLS-1$ //$NON-NLS-2$
>         paramsMap.setParameter("active_hosts_select", //$NON-NLS-1$
>                "AND+delete_date+IS+NULL"); //$NON-NLS-1$
> 
>         String currentLocale = LocaleInfo.getCurrentLocale().getLocaleName();
>         paramsMap.setParameter("userLocale", (currentLocale.equals("default") ? "en_US" : currentLocale)); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
>     }
> 
> This code gets the value of the JSESSIONID cookie, which is now
> forbidden; the net result is an NPE that blocks the rest of the process.
> 

Thank you for this info.

> Why wasn't this detected during the verification of the change that made
> the cookies HTTP only?

I am unsure, but it did log in when verified by me, at least when it was written, before the long delay in merging. So something must have created a side effect, which is good.

Oved, we should get the session id by using a servlet to echo it back.

Thanks,
Alon
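An added example, not oVirt code, modelling the browser rule that the ReportModel excerpt above runs into: a simplified Set-Cookie parser fed constructed JSESSIONID headers from before and after the HttpOnly change, and a script-side lookup that, like GWT's Cookies.getCookie, cannot see HttpOnly cookies, so the caller has to handle a missing session id instead of passing null along. The function and class names are assumptions made for this example.

```python
# Added example (not oVirt code): why Cookies.getCookie("JSESSIONID") returns
# null once the engine marks the session cookie HttpOnly.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (simplified RFC 6265 attribute handling)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Flag attributes are bare words; key=value attributes such as Path are ignored here.
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "httponly" in attrs, "secure" in attrs)


def script_visible_cookies(jar):
    """What document.cookie exposes to script: every cookie except HttpOnly ones."""
    return {c.name: c.value for c in jar if not c.http_only}


def get_cookie(jar, name):
    """Script-side lookup with the same semantics as GWT's Cookies.getCookie."""
    return script_visible_cookies(jar).get(name)


# Constructed sample headers: the session cookie before and after the HttpOnly patch.
BEFORE = ["JSESSIONID=abc123; Path=/ovirt-engine"]
AFTER = ["JSESSIONID=abc123; Path=/ovirt-engine; HttpOnly; Secure"]


def report_session_params(jar):
    """Mirror of the ReportModel constructor's parameter building, but null-safe:
    returns None when the session id is not visible to script instead of passing
    a null sessionID on into the reports URL."""
    session_id = get_cookie(jar, "JSESSIONID")
    if session_id is None:
        return None
    return {"sessionID": session_id, "_flowId": "viewReportFlow"}
```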


