[Grok-dev] Strange session / security problem with Grok 0.14

Steve Schmechel steveschmechel at yahoo.com
Fri Jan 16 22:56:30 EST 2009


--- On Fri, 1/16/09, Ivo van der Wijk <vladdrac at gmail.com> wrote:

> But I must say that I was unpleasantly surprised by the behaviour
> mod_cache showed here.
> Even though I didn't have full access to the Apache configuration,
> caching cookies from responses and actually collecting them seems like
> a really bad idea. This is an actual response I got back from
> mod_cache at a certain point:
> 
> HTTP/1.1 200 OK
> Date: Fri, 16 Jan 2009 10:49:46 GMT
> Server: Apache/2.2.3 (CentOS)
> Set-Cookie:
> zope3_cs_d41c971=hyc5aBDbE2KsX-00U5CuvycYASkB7LGrQuHUQoCihjTpddNXrTwXGM;
> Path=/;
> Set-Cookie:
> zope3_cs_d41c971=w-HPYG-9JVPL78zoHI1sGG1XSWEGC8-kUh0YSeUSiGNFqsc6TZGJW4;
> Path=/;

</snip>

Wow!  I didn't believe it until I just tried it myself.
This discussion should probably move to a Zope3 or Apache forum, as I don't think it has anything in particular to do with Grok.

I will mention that I could not find this problem with Zope2/Plone sites and Apache 2.2 mod_cache.  It did happen with a Zope3-based web application.  I am using rewrite without caching on my Grok-based sites as they are currently small and low volume, but I would imagine it would follow the behavior of Zope3.

I did not see the problem on HTTP 200 responses, but rather on 304's that were for common image files.  Also, my Apache configuration modified less of the underlying header than yours - reporting the actual server type in header.  Maybe a difference in mod_proxy configuration.  There could also be differences in browser clients as not all handle proxy headers equally as well.

Example:

GET /schedule/@@/++resource++sidebar-background.png HTTP/1.1
Host: www.sitename.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121623 Firefox/8.10 (intrepid) Firefox/3.0.5
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.sitename.com/schedule/@@/layout.css
Cookie: zope3_cs_d0b9278=VI0QfSHapvVJg7fDou0nW7d47VY89YGv3JeHjK3l2xJHOFP6M-d5XU
If-Modified-Since: Thu, 31 Jul 2008 14:30:01 GMT
Cache-Control: max-age=0

HTTP/1.1 304 Not Modified
Date: Sat, 17 Jan 2009 01:25:23 GMT
Server: zope.server.http (zope.server.http)
Connection: Keep-Alive
Keep-Alive: timeout=15, max=99
Expires: Sun, 18 Jan 2009 01:25:23 GMT
Cache-Control: public,max-age=86400
Set-Cookie: zope3_cs_d0b9278=FDFSqrqGFyXij1TB1YXaFNw.xIwjH0WsoHa9btZOvDMSajRP-FVC30; Path=/schedule;
Set-Cookie: zope3_cs_d0b9278=-qEuuaG2eW2RHaUapZ6rUNK1KM0gVs5uqDdvlntkELNnWulNI4SjY8; Path=/schedule;
Set-Cookie: zope3_cs_d0b9278=zHMBUGVG7eENJEWvBFM-hZZrR54fpPMhhUL4bhLmKicIEbJRsCX0ro; Path=/schedule;
Set-Cookie: zope3_cs_d0b9278=pJw08.6HIZr4dKyfYpkHR-r9zS4tRzSw00aZeTnQ.XNYIxPDA1ENtM; Path=/schedule;
Set-Cookie: zope3_cs_d0b9278=pDMO8pQ3UAnypcFMX6hlxpKrTUo4QNaYZlPy1nUb7UoA5zhULmSfU8; Path=/schedule;

(repeated 35 more times)

Of the 40 "Set-Cookie" entries in the reply, the cookie from the request is duplicated 4 times!
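The condition described in this thread, a shared cache storing Set-Cookie headers from a response that is marked publicly cacheable and then replaying them to other clients, can be checked for in captured responses. The script below is an added example for this thread; it is not code from the original messages nor from Grok, Zope or Apache. The two sample responses are constructed (modeled on the headers quoted above, with made-up cookie values), and the function names are my own. It parses a raw HTTP response, decides whether a shared cache would be allowed to store it, and reports any Set-Cookie headers it carries, including how many times the same cookie name is repeated.

```python
"""Flag HTTP responses that a shared cache may store and that also set cookies.

A shared cache (mod_cache, a CDN, a reverse proxy) that stores a response
marked Cache-Control: public (or max-age / Expires without private/no-store)
will, unless configured otherwise, keep its Set-Cookie headers and hand them
to every later client.  This checker finds that combination in captured
responses and counts repeated Set-Cookie names.
"""
from collections import Counter


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).

    Header names are lower-cased.  Folded continuation lines (leading
    whitespace) are appended to the previous header's value.
    """
    head = raw.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in raw else raw.split("\n\n", 1)[0]
    lines = head.splitlines()
    status = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cache_directives(headers):
    """Return the set of Cache-Control directive names, lower-cased."""
    directives = set()
    for name, value in headers:
        if name == "cache-control":
            for token in value.split(","):
                directives.add(token.strip().split("=", 1)[0].lower())
    return directives


def cookie_names(headers):
    """Cookie name from each Set-Cookie header, in the order they appear."""
    return [value.split("=", 1)[0].strip()
            for name, value in headers if name == "set-cookie"]


def audit(raw: str) -> dict:
    """Audit one raw response; returns a dict with the findings."""
    status, headers = parse_response(raw)
    directives = cache_directives(headers)
    has_expires = any(name == "expires" for name, _ in headers)
    # A shared cache may store the response when it is explicitly public, or
    # carries a freshness lifetime, and nothing forbids shared storage.
    shared_cacheable = (
        bool({"public", "s-maxage", "max-age"} & directives) or has_expires
    ) and not ({"private", "no-store"} & directives)
    cookies = cookie_names(headers)
    duplicates = {n: c for n, c in Counter(cookies).items() if c > 1}
    findings = []
    if shared_cacheable and cookies:
        findings.append(
            f"{status}: shared-cacheable response sets {len(cookies)} cookie(s); "
            "a cache may replay them to other clients")
    for name, count in duplicates.items():
        findings.append(f"{status}: Set-Cookie for '{name}' appears {count} times")
    return {
        "status": status,
        "shared_cacheable": shared_cacheable,
        "set_cookie_count": len(cookies),
        "duplicates": duplicates,
        "findings": findings,
    }


# Constructed sample, modeled on the 304 quoted in the thread (cookie values invented).
SAMPLE_304 = (
    "HTTP/1.1 304 Not Modified\r\n"
    "Date: Sat, 17 Jan 2009 01:25:23 GMT\r\n"
    "Server: zope.server.http (zope.server.http)\r\n"
    "Expires: Sun, 18 Jan 2009 01:25:23 GMT\r\n"
    "Cache-Control: public,max-age=86400\r\n"
    "Set-Cookie: zope3_cs_example=AAAA1; Path=/schedule;\r\n"
    "Set-Cookie: zope3_cs_example=AAAA2; Path=/schedule;\r\n"
    "Set-Cookie: zope3_cs_example=AAAA3; Path=/schedule;\r\n"
    "\r\n"
)

# Constructed sample of a response a shared cache must not store.
SAFE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private, no-store\r\n"
    "Set-Cookie: zope3_cs_example=BBBB1; Path=/; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_304, SAFE_200):
        result = audit(sample)
        print(result["status"], "->", result["findings"] or ["no findings"])
```

Running it over the 304 sample reports both problems at once: the response is storable by a shared cache and carries repeated Set-Cookie headers for the same session cookie name, which is exactly the shape of the replies quoted above. The same check can be pointed at saved proxy logs or at responses fetched through the cache, which is the quickest way to tell whether mod_cache is serving stored cookies on a given site.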




      

