[Mailman-Users] Cookie problems

David Smead smead at amplepower.com
Tue Jul 18 05:29:34 CEST 2000


Dan,

OK, here are more specifics.  I'm not sure what you refer to as base URL
and the first entered.

Starting here:
http://msgbd.com/mailman/admin/nosprayzone  which asks for a password.
After entering the password, the URL stays the same.

Then we select: http://msgbd.com/mailman/admin/nosprayzone/members
Going to the bottom of the first 30 members we select:
http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1 -- which
asks for a password.

After this password is entered, we are dumped into that same URL, but what
is shown is the first 30 members again - chunk 1 I presume.  So we go to
the bottom of the page and select:
http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1 -- again.

Now, when I select that again, I get the second page of members.  The
person who I just gave the password to gets into an infinite loop.  I'm
trying to find out what browser he is using.


Sincerely,

David Smead
http://www.amplepower.com.
http://www.ampletech.com.

On Mon, 17 Jul 2000, Dan Mick wrote:

> 
> > Would this have anything to do with an infinite loop on trying to view all
> > the member pages as admin?
> 
> If by "infinite loop" you mean "having to enter the password again",
> yes.
> 
> > 
> > I've had to enter the password after selecting the second page of members,
> > but then after entering the password again, I'd be able to select the
> > second page and get it.
> 
> That sounds like the error I've described below: the base URL and the
> "first entered URL" are different.  Is that true in your case?
> 
> > Now I've given the password to another person and they get into an
> > infinite password loop.
> > 
> > I'm still running b2.
> 
> Here's a patch for Mailman/Cookie.py, for b4 (don't know how far
> back it will be valid), that logs some information on each cookie
> decode.  Anyone having problems is encouraged to add this, and then
> look for ~mailman/logs/cookie for interesting output:
> 
> *** Cookie.py.orig      Mon Jul 17 18:57:26 2000
> --- Cookie.py   Mon Jul 17 19:42:10 2000
> ***************
> *** 1,4 ****
> --- 1,5 ----
>   #!/usr/bin/env python
> + from Mailman.Logging.Syslog import syslog
>   
>   """
>   ####
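
Review bot: the new import in the first hunk lands between the shebang line and the module's opening `"""`, so the triple-quoted block stops being the first statement in the file and is no longer the module docstring. Move `from Mailman.Logging.Syslog import syslog` below the closing `"""`. The import also ties Cookie.py to the Mailman package, so mark the line as temporary debugging code.
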
> ***************
> *** 571,576 ****
> --- 572,578 ----
>                         else:
>                                 M = Morsel()
>                                 M.set(K, apply(self.net_setfunc, (V,)), V)
> +                               syslog("cookie", "key %s, morselval %s" % (K, 
> apply(self.net_setfunc, (V,))))
>                                 UserDict.__setitem__(self, K, M)
>                 return
>         # end __ParseString
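
Review bot: the added `syslog("cookie", ...)` call in `__ParseString` writes the decoded value of every cookie to ~mailman/logs/cookie in clear, and that includes the `<list>:admin` authorization cookie, so anyone who can read the log obtains a usable admin credential. Log the key plus a length or digest of the value instead, or keep the file readable by the mailman user only and remove the line once debugging is done. Because the cookie data is described as binary with embedded carriage returns, pass it through `repr()` rather than `%s` so one value cannot spill across log lines. `apply(self.net_setfunc, (V,))` is now evaluated twice; compute it once and reuse the result for `M.set` and the log call. As mailed, the `+` line is wrapped onto a second line and has to be rejoined before the hunk will apply.
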
> 
> > 
> > Sincerely,
> > 
> > David Smead
> > http://www.amplepower.com.
> > http://www.ampletech.com.
> > 
> > On Mon, 17 Jul 2000, Dan Mick wrote:
> > 
> > > First, let me make it clear that I'm just a happy Mailman user with
> > > some Python experience (from hacking at Mailman); don't take any
> > > of my comments or attitudes as "official Mailman policy" or anything.
> > > 
> > > I've seen all the complaints about admin cookies, and I've been trying
> > > for the last two hours to reproduce any problem (using Netscape 4.73
> > > on Solaris, and Mailman 2.0beta4) and I can't repro anything but the
> > > one problem I already knew about.
> > > 
> > > If anyone has a repro scenario, it would be interesting to hear
> > > about it.
> > > 
> > > Here's the one and only cookie-related hassle I know about:
> > > 
> > > Mailman wants to, by default, put everything on the web server under
> > > "/mailman", including the admin pages.  The default URL for admin
> > > pages is usually "http://host/mailman/admin/listname" (where host
> > > and listname are replaceable tokens).
> > > 
> > > I've experimented with making this path "/lists/", instead, by
> > > adding the right Alias statements to the webserver config...
> > > and this *sorta* works, but the problem is the admin cookies:
> > > they are issued based on the path configured into the list,
> > > by the last field on the General Options page (aka web_page_url
> > > in the object, seen by Python code, dumpdb, or config_list).
> > > 
> > > If the URL you first go to doesn't match the URL mentioned
> > > in web_page_url, you will have problems, because the new cookie
> > > will be made based on web_page_url, regardless of the URL
> > > you used to access the page. 
> > > 
> > > For instance, in my example, the webserver would serve up the
> > > right CGI output from "/lists/", but the cookie would have
> > > "/mailman/" in it, so the Mailman CGI would be convinced that
> > > every access was a new one...until I clicked on something
> > > that would generate a path with "/mailman/", and then I'd get
> > > a second cookie, which would remove the problem.
> > > 
> > > I never had a problem with multiple lists at the same time
> > > (two cookies, both named "<list>:admin", with different values,
> > > both stayed active as I bounced between lists and changed values
> > > on both.)
> > > 
> > > I never got a response of anything like the possible errors from
> > > admin.py:
> > > 
> > >         except Errors.MMBadPasswordError:
> > >             message = 'Sorry, wrong password.  Try again.'
> > >         except Errors.MMExpiredCookieError:
> > >             message = 'Your cookie has gone stale, ' \
> > >                       'enter password to get a new one.',
> > >         except Errors.MMInvalidCookieError:
> > >             message = 'Error decoding authorization cookie.'
> > >         except Errors.MMAuthenticationError:
> > >             message = 'Authentication error.'
> > > 
> > > I can certainly imagine that some browser/OS combinations are
> > > corrupting the cookie data, as it's binary and contains things like
> > > embedded carriage-returns; to diagnose that, I'd look carefully
> > > at the stored cookie value and what gets transmitted to the server
> > > (using a network sniffer program like Ethereal, etherfind, tcpdump,
> > > snoop, or whatever).  It might also be useful to add a bit of logging
> > > to SecurityManager.py to see what it thinks the cookie values it's
> > > getting are (and compare them to what the browser thought they
> > > were).  If someone has a persistently-reproducible problem, I'd
> > > be willing to work with them to insert some debug into SecurityManager.py
> > > privately (mail me if you fit that description).
> > > 
> > > 
> > > ------------------------------------------------------
> > > Mailman-Users maillist  -  Mailman-Users at python.org
> > > http://www.python.org/mailman/listinfo/mailman-users
> > > 
> 
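
The re-prompting discussed in this thread can be modelled with the browser's cookie scoping rules. The following is an added example, not Mailman's code and not something posted by either participant. It assumes the admin cookie carries no Domain attribute (so it is bound to the exact host that issued it) and takes its Path from web_page_url; the web_page_url values used are assumed for illustration.

```python
from urllib.parse import urlsplit

def cookie_scope(issuing_url, web_page_url):
    # Assumption: host-only cookie, so the host is whichever name answered
    # the login request; the Path comes from web_page_url, as described above.
    return urlsplit(issuing_url).hostname, urlsplit(web_page_url).path or "/"

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_sent(scope, request_url):
    """True if the browser would attach the cookie to request_url."""
    host, path = scope
    url = urlsplit(request_url)
    return url.hostname == host and path_matches(path, url.path or "/")

def trace(web_page_url, clicks):
    """Walk a click sequence; a login happens whenever no stored cookie matches."""
    jar, result = [], []
    for url in clicks:
        if any(cookie_sent(s, url) for s in jar):
            result.append((url, "ok"))
        else:
            jar.append(cookie_scope(url, web_page_url))
            # If even the fresh cookie does not cover this URL, every
            # later visit to it will prompt again.
            stuck = not cookie_sent(jar[-1], url)
            result.append((url, "password loop" if stuck else "password"))
    return result

# Constructed inputs: URLs as quoted in the thread, web_page_url assumed.
HOST_MISMATCH = trace("http://www.msgbd.com/mailman/", [
    "http://msgbd.com/mailman/admin/nosprayzone",
    "http://msgbd.com/mailman/admin/nosprayzone/members",
    "http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1",
    "http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1",
])
PATH_MISMATCH = trace("http://host/mailman/", [
    "http://host/lists/admin/listname",
    "http://host/lists/admin/listname/members",
])
```

Under these assumptions the first sequence prompts once per hostname (msgbd.com, then www.msgbd.com) and then settles, while the /lists/ alias never receives a cookie that covers it.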




