tickets #40025
closed
cookies sent by {www,news,lizards,bugzilla,forums}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o
Description
When trying to log in to https://freeipa.infra.opensuse.org we get an error "Your session has expired. Please re-login.". The workaround is to use a private (anonymous) browser window.
UPDATE: the problem has been identified, it is on the MF-IT side, who have been contacted already. Also, more services are known to break due to the same issue, see below.
Updated by cboltz over 5 years ago
Looks like this is caused by a cookie that gets set by news.o.o:
curl -v https://news.opensuse.org/ >/dev/null
[...]
< Set-Cookie: TbBx5iTmnWSKRFA@=v18zFvAA@@H51; Domain=.opensuse.org; Path=/
If you don't read the news.o.o often enough - www.o.o and bugzilla send out similar cookies :-(
Deleting this cookie (notice the somewhat unusual name which includes an @) helps - unless you visit news.o.o or www.o.o again and get a fresh cookie.
Note that this cookie causes more damage - it also breaks paste.o.o (which is way worse than breaking freeipa) and some detail pages on monitor.o.o.
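As an added example (not part of the ticket or of any openSUSE tooling): a small Python check for the two properties visible in the Set-Cookie header quoted above, a name containing characters outside the RFC 6265 cookie-name grammar and a Domain attribute that covers every subdomain. The function names and the second sample header are constructed for illustration.

```python
import re

# RFC 7230 "token" characters: the only ones RFC 6265 allows in a cookie-name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit(host, header_value, site_domain):
    """Return a list of findings for one Set-Cookie header received from `host`."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if not TOKEN.match(name):
        bad = sorted({c for c in name if not TOKEN.match(c)})
        findings.append("non-token characters in name: " + "".join(bad))
    # A Domain attribute equal to the registrable domain makes the browser send
    # the cookie to every subdomain, including unrelated applications.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain == site_domain and host != site_domain:
        findings.append("scoped to parent domain ." + site_domain)
    return findings

# Header copied from the curl output in the comment above.
TICKET_COOKIE = "TbBx5iTmnWSKRFA@=v18zFvAA@@H51; Domain=.opensuse.org; Path=/"
# Constructed sample: a host-only session cookie with a conforming name.
HOST_ONLY_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for host, header in [("news.opensuse.org", TICKET_COOKIE),
                         ("paste.opensuse.org", HOST_ONLY_COOKIE)]:
        print(host, audit(host, header, "opensuse.org") or "ok")
```
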
Updated by tampakrap over 5 years ago
- Subject changed from logging in to https://freeipa.i.o.o fails with session expired error to cookies sent by {www,news,bugzilla}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o
- Assignee set to cboltz
So far the following services are known to send cookies that break other services:
- bugzilla.o.o
- news.o.o
- www.o.o
The workaround for the services that break is to either find the bad cookies and delete them, or use a private browser window.
The services that have been identified to break so far are:
- https://freeipa.infra.opensuse.org login gives "Your session has expired. Please re-login."
- https://paste.opensuse.org shows "Disallowed Key Characters.". Extra workaround is to use https://susepaste.org (which is also what the susepaste package is using either way)
- specific links in icinga, e.g. https://monitor.opensuse.org/pnp4nagios/index.php/graph?host=anna.infra.opensuse.org&srv=Check_MK show "Disallowed key characters in global data."
See also https://lists.opensuse.org/opensuse-web/2018-08/msg00008.html and https://bugzilla.opensuse.org/show_bug.cgi?id=1104971
cboltz has already contacted MF-IT to fix the cookies, still waiting for their reply.
Updated by tampakrap over 5 years ago
- Description updated
- Private changed from Yes to No
Updated by cboltz over 5 years ago
- Subject changed from cookies sent by {www,news,bugzilla}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o to cookies sent by {www,news,bugzilla,forums}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o
As I just found out, forums.o.o also sends out the evil cookie.
The earliest mention of the paste.o.o breakage I could find was on 2018-07-24. This is not too far from the planned downtime on 2018-07-13, which included infrastructure updates (new hardware?) in Provo.
Updated by cboltz over 5 years ago
- Subject changed from cookies sent by {www,news,bugzilla,forums}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o to cookies sent by {www,news,lizards,bugzilla,forums}.o.o break freeipa.i.o.o login, paste.o.o and specific links on monitor.o.o
One more - lizards.o.o also sends the evil cookie.
Updated by cboltz over 5 years ago
Michal fixed this on paste.opensuse.org
freeipa and parts of monitor.o.o are still broken by the evil cookie, but at least they "only" affect the heroes instead of all users.
Updated by lrupp about 4 years ago
- Status changed from New to Feedback
cboltz wrote:
> Michal fixed this on paste.opensuse.org
> freeipa and parts of monitor.o.o are still broken by the evil cookie, but at least they "only" affect the heroes instead of all users.
At least for me, progress.opensuse.org and monitor.opensuse.org/icinga/ work in parallel tabs without problem.
Does the problem still exist?
Updated by cboltz about 4 years ago
- Status changed from Feedback to Closed
I haven't seen the problem on monitor.o.o for months, therefore I'll assume it's fixed there.
No idea about FreeIPA - it insists on having a valid referrer, therefore I always have to start a separate browser (with less restrictive config) which doesn't have any bugzilla cookies ;-)
Given that (possibly) only FreeIPA is affected (and that more services will be moved away from MF-IT), I'll close this ticket as "seems to work now".