Login stops working until cookies are cleared
|
|
|
masonoise
()
Login stops working until cookies are cleared
|
|
||||||||||||
|
We've been having a strange problem, which still remains after upgrading to the latest 3.3.1 version. It doesn't happen all the time, but every so often one of us will try to login to our Plone installation and the login page will just reload after entering name/password. There's no error or warning, no sign of what's going on; the login just silently fails and sends the user back to the login page again. If the user goes into their browser and clears the cookies used by Plone (__k*), then the login will work again for a while. Then after a day or two, or sometimes longer, it will stop working again until cookies are cleared.
Has anyone else encountered this or have any ideas about how to fix it? It's driving everyone crazy, understandably. Thanks for any suggestions. |
||||||||||||||
|
Dieter Maurer
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
masonoise wrote at 2009-11-5 09:07 -0800:
> >We've been having a strange problem, which still remains after upgrading to >the latest 3.3.1 version. It doesn't happen all the time, but every so often >one of us will try to login to our Plone installation and the login page >will just reload after entering name/password. There's no error or warning, >no sign of what's going on; the login just silently fails and sends the user >back to the login page again. If the user goes into their browser and clears >the cookies used by Plone (__k*), then the login will work again for a >while. Then after a day or two, or sometimes longer, it will stop working >again until cookies are cleared. > >Has anyone else encountered this or have any ideas about how to fix it? It's >driving everyone crazy, understandably. I have not encountered such a situation. Your description suggests that there is some cookie which contains a problematic value that is not reset properly. PlonePAS usually stores the information about a successful authentication via its so called "session plugin". Despite its name, this plugin does not use the normal Plone session object but instead uses its own cookie, properly secured, to indicate a successful authentication. I had to fight a bit with this plugin -- therefore, I do not fully trust it. Maybe, you check whether its cookie uses a name you must manually clear. Otherwise, you can make a larger search over the Plone sources to locate this cookie. When you find it, this will give you a valuable hint about the component causing your problem. And as usual: debugging may allow to finally understand the problem -- although it may be difficult to debug a productive instance. -- Dieter ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
PriusGeek
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
I have encountered this on a 3.2.1 installation. I have a corporate
internet site and multiple plone customer portals running on the same machine. The internet site is accessed via http (http:// www.domain.com) and the plone site via https (using VHM, https://www.domain.com/plonesite) to the same machine. The internet site is tied into google analytics via some plugins from Salesforce.com. (note that everything worked without a problem until I implemented Salesforce.com web lead generation on the internet site) There is a page on the Internet site that allows users to select their Plone portal and link to it for login. What I think was happening was a cookie conflict between the Google cookies and the Plone login cookies. It appeared that it happened if the referring domain from the Internet site was the same as the Plone site. If I put in the URL from a machine outside of the hosting domain, I think it worked OK. What I found was that if I deleted the google cookies, plone worked fine, until I tried it a second time. I have no idea exactly what was going on, but I was able to work around the problem by creating a CNAME in DNS for the plone site with a different domain name from the internet site. This sounds convoluted, but basically, http://www.domain.com and https://domain.com both pointed to the same box. I created a new domain called domain1 and pointed it to the same machine. If there were any links on the internet site that linked to the plone site, I forced it to use the https://domain1.com form and the problem went away. In my case, it appeared to have something to do with Google analytics and the referring site/url being in the same domain as the plone site. As soon as I made them different, the problem went away. You probably have nothing like this, but maybe this will help trigger something similar. If you have google analytics and/or Salesforce.com web lead integration running, try turning it off and see if the problem changes. Good Luck! Gray On Nov 9, 1:41 am, "Dieter Maurer" <[hidden email]> wrote: > masonoise wrote at 2009-11-5 09:07 -0800: > > > > >We've been having a strange problem, which still remains after upgrading to > >the latest 3.3.1 version. It doesn't happen all the time, but every so often > >one of us will try to login to our Plone installation and the login page > >will just reload after entering name/password. There's no error or warning, > >no sign of what's going on; the login just silently fails and sends the user > >back to the login page again. If the user goes into their browser and clears > >the cookies used by Plone (__k*), then the login will work again for a > >while. Then after a day or two, or sometimes longer, it will stop working > >again until cookies are cleared. > > >Has anyone else encountered this or have any ideas about how to fix it? It's > >driving everyone crazy, understandably. > > I have not encountered such a situation. > > Your description suggests that there is some cookie which contains > a problematic value that is not reset properly. > > PlonePAS usually stores the information about a successful authentication > via its so called "session plugin". Despite its name, this plugin > does not use the normal Plone session object but instead uses > its own cookie, properly secured, to indicate a successful authentication. > I had to fight a bit with this plugin -- therefore, I do not fully trust it. > Maybe, you check whether its cookie uses a name you must manually clear. > > Otherwise, you can make a larger search over the Plone sources > to locate this cookie. When you find it, this will give you > a valuable hint about the component causing your problem. > > And as usual: debugging may allow to finally understand the problem -- although > it may be difficult to debug a productive instance. > > -- > Dieter > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Plone-Users mailing list > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
Steven H
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
In reply to this post
by masonoise
Hi
We recently rebuilt part of our Plone 3.1.2 cluster under Debian Lenny 64 bit and used the Debian supplied Python. This has been showing a similar cookie-related issue with failed logins. The other systems, running Debian Etch 32 bit and a local Python, have not. I'm in the process of investigating. The issue seemed to be related to a WebTrends tracking cookie (WT_FPC) with an almost 10 year life. The cookie was being attached to a higher level domain (le.ac.uk, while Plone is at www2.le.ac.uk) by another web server. The cookie doesn't always cause the failure, but every failure I've investigated had the cookie present and deleting it cleared the problem. Steven ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Dieter Maurer
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
Steven H wrote at 2009-11-10 04:06 -0800:
> ... >We recently rebuilt part of our Plone 3.1.2 cluster under Debian Lenny >64 bit and used the Debian supplied Python. This has been showing a >similar cookie-related issue with failed logins. The other systems, >running Debian Etch 32 bit and a local Python, have not. > >I'm in the process of investigating. The issue seemed to be related to >a WebTrends tracking cookie (WT_FPC) with an almost 10 year life. The >cookie was being attached to a higher level domain (le.ac.uk, while >Plone is at www2.le.ac.uk) by another web server. The cookie doesn't >always cause the failure, but every failure I've investigated had the >cookie present and deleting it cleared the problem. As it is unlikely that Plone uses a cookie of this name, this would indicate a severe cookie bug in either Zope or the browser. I would try to check the "cookies" request header (using either a TCP logger or "firebug") when the problem occurs to find out which cookie information the browser sends and whether this is wrong or interpreted badly by Zope. -- Dieter ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Steven H
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
I have now seen cases where the WebTrends tracking cookie (WT_FPC) was
not present, but Google Analytics tracking cookies were. Removing the Google cookies made the problem go away. ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Dieter Maurer
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
Steven H wrote at 2009-11-12 02:07 -0800:
>I have now seen cases where the WebTrends tracking cookie (WT_FPC) was >not present, but Google Analytics tracking cookies were. Removing the >Google cookies made the problem go away. A long while back, an Apache cookie problem had caused similar effects (aparently, Apache lost some cookies for requests containing too many cookie definitions). I do not expect that you see now the Apache problem (because the bug in Apache was fixed long ago) but maybe, the cause is similar (cookie information lost somewhere under some conditions). You may try to determine the exact requests arriving at Plone by means of a tcp logger (e.g. "etherreal", "wireshark", "tcpdump", ...) and verify whether the problem is in the cookie definitions arriving at Plone. -- Dieter ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Steven H
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
Thanks Dieter for the helpful hints.
I'm in the middle of a debug session where I've managed to capture this bug. So far it looks as if the HTTP_COOKIES header is sometimes missing from the request. I'm trying to determine if it's going missing in early ZOPE processing or before ZOPE in Apache, Squid or Pound. It would be worth comparing versions - we're using Debian Lenny 64 bit with the packaged versions of Apache 2 (2.2.9-10+lenny4), Squid (2.7.STABLE3-4.1) and Pound (2.4.3-1) except that Squid has a patch to prevent it hanging with certain HTTP headers. Steven On Nov 14, 7:24 am, "Dieter Maurer" <[hidden email]> wrote: > Steven H wrote at 2009-11-12 02:07 -0800: > > >I have now seen cases where the WebTrends tracking cookie (WT_FPC) was > >not present, but Google Analytics tracking cookies were. Removing the > >Google cookies made the problem go away. > > A long while back, an Apache cookie problem had caused similar > effects (aparently, Apache lost some cookies for requests containing > too many cookie definitions). I do not expect that you see > now the Apache problem (because the bug in Apache was fixed long ago) > but maybe, the cause is similar (cookie information lost somewhere > under some conditions). You may try to determine the exact requests > arriving at Plone by means of a tcp logger (e.g. "etherreal", "wireshark", > "tcpdump", ...) and verify whether the problem is in the cookie definitions > arriving at Plone. > > -- > Dieter > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Plone-Users mailing list > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Steven H
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
I this case, it looks as if it's pound that's not sending the cookie header through. Steven On Nov 18, 3:51 pm, Steven H <[hidden email]> wrote: > Thanks Dieter for the helpful hints. > > I'm in the middle of a debug session where I've managed to capture > this bug. So far it looks as if the HTTP_COOKIES header is sometimes > missing from the request. I'm trying to determine if it's going > missing in early ZOPE processing or before ZOPE in Apache, Squid or > Pound. > > It would be worth comparing versions - we're using Debian Lenny 64 bit > with the packaged versions of Apache 2 (2.2.9-10+lenny4), Squid > (2.7.STABLE3-4.1) and Pound (2.4.3-1) except that Squid has a patch to > prevent it hanging with certain HTTP headers. > > Steven > > On Nov 14, 7:24 am, "Dieter Maurer" <[hidden email]> wrote: > > > > > Steven H wrote at 2009-11-12 02:07 -0800: > > > >I have now seen cases where the WebTrends tracking cookie (WT_FPC) was > > >not present, but Google Analytics tracking cookies were. Removing the > > >Google cookies made the problem go away. > > > A long while back, an Apache cookie problem had caused similar > > effects (aparently, Apache lost some cookies for requests containing > > too many cookie definitions). I do not expect that you see > > now the Apache problem (because the bug in Apache was fixed long ago) > > but maybe, the cause is similar (cookie information lost somewhere > > under some conditions). You may try to determine the exact requests > > arriving at Plone by means of a tcp logger (e.g. "etherreal", "wireshark", > > "tcpdump", ...) and verify whether the problem is in the cookie definitions > > arriving at Plone. > > > -- > > Dieter > > > ------------------------------------------------------------------------------ > > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > > trial. Simplify your report design, integration and deployment - and focus on > > what you do best, core application coding. Discover what's new with > > Crystal Reports now. http://p.sf.net/sfu/bobj-july > > _______________________________________________ > > Plone-Users mailing list > > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Plone-Users mailing list > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Steven H
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
The version of pound we were using has a reduced buffer size from earlier versions (1024 rather than 2048) - see discussion at http://www.apsis.ch/pound/pound_list/archive/2008/2008-02/1203715523000/index_html?fullMode=1#1203952046000 When the cookies header became too big, it was no longer forwarded to Plone. A configure option allows the buffer size to be adjusted (we have set it to 4096). When the package is rebuilt, all works as it should. Clearly, the more tracking cookies that are in use the more likely you are to exceed the limit. We had Google and Yahoo tracking cookies in active use, plus WebTrends from some old configuration, and a cookie to handle Google Search Appliance integration. Plone authentication and cut and paste add further cookies. Steven On Nov 19, 9:47 am, Steven H <[hidden email]> wrote: > I this case, it looks as if it's pound that's not sending the cookie > header through. > > Steven > > On Nov 18, 3:51 pm, Steven H <[hidden email]> wrote: > > > > > Thanks Dieter for the helpful hints. > > > I'm in the middle of a debug session where I've managed to capture > > this bug. So far it looks as if the HTTP_COOKIES header is sometimes > > missing from the request. I'm trying to determine if it's going > > missing in early ZOPE processing or before ZOPE in Apache, Squid or > > Pound. > > > It would be worth comparing versions - we're using Debian Lenny 64 bit > > with the packaged versions of Apache 2 (2.2.9-10+lenny4), Squid > > (2.7.STABLE3-4.1) and Pound (2.4.3-1) except that Squid has a patch to > > prevent it hanging with certain HTTP headers. > > > Steven > > > On Nov 14, 7:24 am, "Dieter Maurer" <[hidden email]> wrote: > > > > Steven H wrote at 2009-11-12 02:07 -0800: > > > > >I have now seen cases where the WebTrends tracking cookie (WT_FPC) was > > > >not present, but Google Analytics tracking cookies were. Removing the > > > >Google cookies made the problem go away. > > > > A long while back, an Apache cookie problem had caused similar > > > effects (aparently, Apache lost some cookies for requests containing > > > too many cookie definitions). I do not expect that you see > > > now the Apache problem (because the bug in Apache was fixed long ago) > > > but maybe, the cause is similar (cookie information lost somewhere > > > under some conditions). You may try to determine the exact requests > > > arriving at Plone by means of a tcp logger (e.g. "etherreal", "wireshark", > > > "tcpdump", ...) and verify whether the problem is in the cookie definitions > > > arriving at Plone. > > > > -- > > > Dieter > > > > ------------------------------------------------------------------------------ > > > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > > > trial. Simplify your report design, integration and deployment - and focus on > > > what you do best, core application coding. Discover what's new with > > > Crystal Reports now. http://p.sf.net/sfu/bobj-july > > > _______________________________________________ > > > Plone-Users mailing list > > > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users > > > ------------------------------------------------------------------------------ > > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > > trial. Simplify your report design, integration and deployment - and focus on > > what you do best, core application coding. Discover what's new with > > Crystal Reports now. http://p.sf.net/sfu/bobj-july > > _______________________________________________ > > Plone-Users mailing list > > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Plone-Users mailing list > [hidden email]://lists.sourceforge.net/lists/listinfo/plone-users ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
|
|
Dieter Maurer
()
Re: Login stops working until cookies are cleared
|
|
||||||||||||
|
In reply to this post
by Steven H
Steven H wrote at 2009-11-18 07:51 -0800:
>Thanks Dieter for the helpful hints. > >I'm in the middle of a debug session where I've managed to capture >this bug. So far it looks as if the HTTP_COOKIES header is sometimes >missing from the request. I'm trying to determine if it's going >missing in early ZOPE processing or before ZOPE in Apache, Squid or >Pound. The correct name in "REQUEST.environ" is "HTTP_COOKIE" (without "S"). It is unlikely, that Zope loses this special entry unless it loses all other "HTTP_*" entries as well, because "HTTP_COOKIE" is not treated specially from other HTTP request headers -- only at a later stage, "HTTP_COOKIE" is translated into "request.cookies". -- Dieter ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Plone-Users mailing list [hidden email] https://lists.sourceforge.net/lists/listinfo/plone-users |
||||||||||||||
| Free Embeddable Forum Powered by Nabble | Help |
