[Mailman-Users] Cookie problems
David Smead
smead at amplepower.com
Tue Jul 18 05:29:34 CEST 2000
Dan,
OK, here are more specifics. I'm not sure what you refer to as base URL
and the first entered.
Starting here:
http://msgbd.com/mailman/admin/nosprayzone which asks for a password.
After entering the password, the URL stays the same.
Then we select: http://msgbd.com/mailman/admin/nosprayzone/members
Going to the bottom of the first 30 members we select:
http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1 -- which
asks for a password.
After this password is entered, we are dumped into that same URL, but what
is shown is the first 30 members again - chunk 1 I presume. So we go to
the bottom of the page and select:
http://www.msgbd.com/mailman/admin/nosprayzone/members?chunk=1 -- again.
Now, when I select that again, I get the second page of members. The
person who I just gave the password to gets into an infinite loop. I'm
trying to find out what browser he is using.
Sincerely,
David Smead
http://www.amplepower.com.
http://www.ampletech.com.
On Mon, 17 Jul 2000, Dan Mick wrote:
>
> > Would this have anything to do with an infinite loop on trying to view all
> > the member pages as admin?
>
> If by "infinite loop" you mean "having to enter the password again",
> yes.
>
> >
> > I've had to enter the password after selecting the second page of members,
> > but then after entering the password again, I'd be able to select the
> > second page and get it.
>
> That sounds like the error I've described below: the base URL and the
> "first entered URL" are different. Is that true in your case?
>
> > Now I've given the password to another person and they get into an
> > infinite password loop.
> >
> > I'm still running b2.
>
> Here's a patch for Mailman/Cookie.py, for b4 (don't know how far
> back it will be valid), that logs some information on each cookie
> decode. Anyone having problems is encouraged to add this, and then
> look for ~mailman/logs/cookie for interesting output:
>
> *** Cookie.py.orig Mon Jul 17 18:57:26 2000
> --- Cookie.py Mon Jul 17 19:42:10 2000
> ***************
> *** 1,4 ****
> --- 1,5 ----
> #!/usr/bin/env python
> + from Mailman.Logging.Syslog import syslog
>
> """
> ####
> ***************
> *** 571,576 ****
> --- 572,578 ----
> else:
> M = Morsel()
> M.set(K, apply(self.net_setfunc, (V,)), V)
> + syslog("cookie", "key %s, morselval %s" % (K,
> apply(self.net_setfunc, (V,))))
> UserDict.__setitem__(self, K, M)
> return
> # end __ParseString
>
> >
> > Sincerely,
> >
> > David Smead
> > http://www.amplepower.com.
> > http://www.ampletech.com.
> >
> > On Mon, 17 Jul 2000, Dan Mick wrote:
> >
> > > First, let me make it clear that I'm just a happy Mailman user with
> > > some Python experience (from hacking at Mailman); don't take any
> > > of my comments or attitudes as "official Mailman policy" or anything.
> > >
> > > I've seen all the complaints about admin cookies, and I've been trying
> > > for the last two hours to reproduce any problem (using Netscape 4.73
> > > on Solaris, and Mailman 2.0beta4) and I can't repro anything but the
> > > one problem I already knew about.
> > >
> > > If anyone has a repro scenario, it would be interesting to hear
> > > about it.
> > >
> > > Here's the one and only cookie-related hassle I know about:
> > >
> > > Mailman wants to, by default, put everything on the web server under
> > > "/mailman", including the admin pages. The default URL for admin
> > > pages is usually "http://host/mailman/admin/listname" (where host
> > > and listname are replaceable tokens).
> > >
> > > I've experimented with making this path "/lists/", instead, by
> > > adding the right Alias statements to the webserver config...
> > > and this *sorta* works, but the problem is the admin cookies:
> > > they are issued based on the path configured into the list,
> > > by the last field on the General Options page (aka web_page_url
> > > in the object, seen by Python code, dumpdb, or config_list).
> > >
> > > If the URL you first go to doesn't match the URL mentioned
> > > in web_page_url, you will have problems, because the new cookie
> > > will be made based on web_page_url, regardless of the URL
> > > you used to access the page.
> > >
> > > For instance, in my example, the webserver would serve up the
> > > right CGI output from "/lists/", but the cookie would have
> > > "/mailman/" in it, so the Mailman CGI would be convinced that
> > > every access was a new one...until I clicked on something
> > > that would generate a path with "/mailman/", and then I'd get
> > > a second cookie, which would remove the problem.
> > >
> > > I never had a problem with multiple lists at the same time
> > > (two cookies, both named "<list>:admin", with different values,
> > > both stayed active as I bounced between lists and changed values
> > > on both.)
> > >
> > > I never got a response of anything like the possible errors from
> > > admin.py:
> > >
> > > except Errors.MMBadPasswordError:
> > > message = 'Sorry, wrong password. Try again.'
> > > except Errors.MMExpiredCookieError:
> > > message = 'Your cookie has gone stale, ' \
> > > 'enter password to get a new one.',
> > > except Errors.MMInvalidCookieError:
> > > message = 'Error decoding authorization cookie.'
> > > except Errors.MMAuthenticationError:
> > > message = 'Authentication error.'
> > >
> > > I can certainly imagine that some browser/OS combinations are
> > > corrupting the cookie data, as it's binary and contains things like
> > > embedded carriage-returns; to diagnose that, I'd look carefully
> > > at the stored cookie value and what gets transmitted to the server
> > > (using a network sniffer program like Ethereal, etherfind, tcpdump,
> > > snoop, or whatever). It might also be useful to add a bit of logging
> > > to SecurityManager.py to see what it thinks the cookie values it's
> > > getting are (and compare them to what the browser thought they
> > > were). If someone has a persistently-reproducible problem, I'd
> > > be willing to work with them to insert some debug into SecurityManager.py
> > > privately (mail me if you fit that description).
> > >
> > >
> > > ------------------------------------------------------
> > > Mailman-Users maillist - Mailman-Users at python.org
> > > http://www.python.org/mailman/listinfo/mailman-users
> > >
> >
> >
> > ------------------------------------------------------
> > Mailman-Users maillist - Mailman-Users at python.org
> > http://www.python.org/mailman/listinfo/mailman-users
>
>
>
> ------------------------------------------------------
> Mailman-Users maillist - Mailman-Users at python.org
> http://www.python.org/mailman/listinfo/mailman-users
>
More information about the Mailman-Users
mailing list