Problems with cookies for persistence and services

bwallis42
We are running a recent build of 2018.1 but this was also the case in 2017.2.
We are running Orbeon and our persistence layer and other services in the
WildFly 11 application server which utilises Undertow for the servlet
container, not Tomcat (and all running with Java JDK 8).

We are having authentication issues with our persistence layer calls and
with REST calls for HTTP Services within forms.
 
We have the following setting in our properties-local.xml

    <property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JSESSIONIDSSO" />

which is required for authentication to work for our persistence layer
implementation and also for calling services from within the forms.

The problem we are seeing is that we are getting two cookie headers in the
requests and also invalid values in the cookie headers.

According to RFC 6265

5.4.  The Cookie Header

   The user agent includes stored cookies in the Cookie HTTP request
   header.

   When the user agent generates an HTTP request, the user agent MUST
   NOT attach more than one Cookie header field.

When Orbeon calls our persistence layer we are seeing two cookie headers
like this (this is from the WildFly server logging but we have verified this
using Wireshark):

header=Cookie=JSESSIONID=Kz5Je0HO7hnerqhcvVNaXVpUkR8E_MDsLgcj18Ei.localhost; JSESSIONIDSSO=FWy49jHiViz-UYWy4nBXJhwGw7NCNVf2OygJy82g
header=Cookie=JSESSIONID=NO_pDGhF7yIRgWWEo667cUSzulU_FYQd-OYCg-cs.localhost

There are two JSESSIONID cookies and they are not the same value which
doesn't make sense to me.

and when an HTTP service from within the form is called we see either a
single header like this

header=Cookie=JSESSIONID=Kz5Je0HO7hnerqhcvVNaXVpUkR8E_MDsLgcj18Ei.localhost; JSESSIONIDSSO=FWy49jHiViz-UYWy4nBXJhwGw7NCNVf2OygJy82g, JSESSIONID=Ze5aEtB1DgDf9CK06K1SJSyw6emMKbHQ5k8k3fPR.localhost

or sometimes two cookie headers one of which has the second two cookies in
it.

Both these scenarios have two JSESSIONID cookies but the second one is
separated with a "," instead of a ";" so what happens is we get a
JSESSIONIDSSO value of

FWy49jHiViz-UYWy4nBXJhwGw7NCNVf2OygJy82g, JSESSIONID

which doesn't work at all.


I think this is a bug in Orbeon. There should only ever be a single cookie
header in any request, the separator should be ";" and there should only
ever be one instance of each cookie.

thanks
brian wallis...
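
The three conditions listed at the end of the post above (one Cookie header per request, ";" as the separator, one value per cookie name) can be checked mechanically. The following is an added example, not part of the original post and not Orbeon code; the two failing inputs are the header lines quoted in the post, `CLEAN_CALL` is a constructed sample, and the function and finding names are hypothetical.

```python
from collections import defaultdict

LOG_PREFIX = "header=Cookie="  # WildFly log form used in the post

# Header lines copied from the post: one persistence call, one HTTP service call.
PERSISTENCE_CALL = [
    "header=Cookie=JSESSIONID=Kz5Je0HO7hnerqhcvVNaXVpUkR8E_MDsLgcj18Ei.localhost; "
    "JSESSIONIDSSO=FWy49jHiViz-UYWy4nBXJhwGw7NCNVf2OygJy82g",
    "header=Cookie=JSESSIONID=NO_pDGhF7yIRgWWEo667cUSzulU_FYQd-OYCg-cs.localhost",
]
SERVICE_CALL = [
    "header=Cookie=JSESSIONID=Kz5Je0HO7hnerqhcvVNaXVpUkR8E_MDsLgcj18Ei.localhost; "
    "JSESSIONIDSSO=FWy49jHiViz-UYWy4nBXJhwGw7NCNVf2OygJy82g, "
    "JSESSIONID=Ze5aEtB1DgDf9CK06K1SJSyw6emMKbHQ5k8k3fPR.localhost",
]
# Constructed sample of a well-formed request, for comparison.
CLEAN_CALL = ["header=Cookie=JSESSIONID=aaa.localhost; JSESSIONIDSSO=bbb"]

FORBIDDEN = set(' ",\\')  # not allowed in a cookie value (RFC 6265 section 4.1.1)


def parse_pairs(header_value):
    """Split one Cookie header value on ';' into (name, value) pairs."""
    pairs = []
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def audit_request(log_lines):
    """Return sorted findings for the Cookie headers of a single request."""
    headers = [l[len(LOG_PREFIX):] for l in log_lines if l.startswith(LOG_PREFIX)]
    findings = []
    if len(headers) > 1:  # section 5.4: at most one Cookie header field
        findings.append("multiple-cookie-headers")
    values_by_name = defaultdict(set)
    for header in headers:
        for name, value in parse_pairs(header):
            values_by_name[name].add(value)
            if FORBIDDEN & set(value):  # e.g. a "," left by list-style joining
                findings.append(f"invalid-value:{name}")
    for name, values in values_by_name.items():
        if len(values) > 1:
            findings.append(f"conflicting-values:{name}")
    return sorted(findings)
```

The persistence call is flagged for two headers carrying different `JSESSIONID` values, and the service call for the comma inside the `JSESSIONIDSSO` value.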
Re: Problems with cookies for persistence and services

bwallis42
(I just edited the post to fix the missing raw bits, I seem to have problems
getting them right!)

--
Sent from: http://discuss.orbeon.com/

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Re: Problems with cookies for persistence and services

Alessandro  Vernet
Administrator
Hi Brian,

While trying to reproduce the issue you're describing, I noticed that we're
incorrectly adding the string "null" as a prefix and suffix to the forwarded
cookie in case the properties below are not set (i.e. left empty).

oxf.http.forward-cookies.session.prefix
oxf.http.forward-cookies.session.suffix

I created issue #3648 (see link below), and fixed the problem, so the fix
will be in 2018.1, as well as 2017.2.3.

https://github.com/orbeon/orbeon-forms/issues/3648

However, what you're reporting here, having 2 `JSESSIONID`, is something
different. I am also seeing this, but didn't get to spend enough time
investigating this to figure why it is happening. I'll try to come back to
this later this week and will follow-up here when I have something new.

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Problems with cookies for persistence and services

bwallis42
Hi Alex,
  Any update on this issue? It is affecting one of our customer test
installations.

I'm not 100% sure this is causing the problem we are seeing but it is likely
that the extra JSESSIONID is the problem.

thanks,
brian...



Re: Problems with cookies for persistence and services

Alessandro  Vernet
Administrator
Hi Brian,

Not yet, but it's on my list. From what I've seen, one of the 2 `JSESSIONID`
is the correct one, so you would hope that the app server picks it up and
ignores the other one, but it seems like it might not be the case with
WildFly, and there should be that "other" `JSESSIONID` anyway. I'll post an
update here when I get to spend more time investigating this one.

Alex


Re: Problems with cookies for persistence and services

Alessandro  Vernet
Administrator
Hi Brian,

I am looking at this again, and first reproduced it, but noticed I had the
browser send 2 `JSESSIONID`. Looking at the situation with the Chrome Dev
Tools, one was for `/orbeon` and the other for `/orbeon/` (notice the
additional slash at the end of the path). I'm not sure how I got to have
those 2 cookies, but after removing them and reloading the page, I have just
1 cookie in the browser:

<http://discuss.orbeon.com/file/t119778/Cookies_in_Chrome.png>

…and that cookie gets properly sent to the implementation of the persistence
API:

<http://discuss.orbeon.com/file/t119778/Headers_for_implementation_of_the_persistence_API.png>

As you can see, I am just using the built-in MySQL, but for this testing, so
it goes through a "real" HTTP request, I excluded the MySQL path from the
"internal paths" by setting the first property below. Also, instead of using
Wireshark, I used Charles (a proxy), so instructed Orbeon Forms to go
through that proxy with the following 2 properties.



So it doesn't look like I'm able to reproduce the issue. Are you getting 2
`JSESSIONID` if you follow the steps above? If not, but do in another
situation, how should I modify those steps to reproduce the issue?

Alex
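
Why a browser holding one `JSESSIONID` for `/orbeon` and another for `/orbeon/` sends both, as described in the post above, follows from the path-match rule in RFC 6265 section 5.1.4 and the ordering rule in section 5.4. The following is an added example, not part of the original post and not Orbeon or browser code; the cookie values and request paths are constructed placeholders and the function names are hypothetical.

```python
def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does the request path match the cookie's Path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts when it ends on a "/" boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_header(jar, request_path):
    """Build the Cookie header value a user agent would send.

    jar is a list of (name, value, path) tuples in creation order.
    """
    matching = [c for c in jar if path_matches(request_path, c[2])]
    # Section 5.4: longer paths first; sorted() is stable, so creation
    # order is kept between cookies whose paths have the same length.
    matching = sorted(matching, key=lambda c: -len(c[2]))
    return "; ".join(f"{name}={value}" for name, value, _ in matching)


# Constructed jar: placeholder values, with the two paths reported in the post.
JAR = [
    ("JSESSIONID", "value-for-orbeon", "/orbeon"),
    ("JSESSIONID", "value-for-orbeon-slash", "/orbeon/"),
]

if __name__ == "__main__":
    for path in ("/orbeon", "/orbeon/fr/", "/orbeonx/a"):
        print(path, "->", cookie_header(JAR, path) or "(no cookies)")
```

Any request below `/orbeon/` matches both paths, so both cookies go out in the same header and the receiving server has to pick one.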
