Thread: [Cppcms-users] sessions::format violation data
From: CN <cn...@fa...> - 2016-06-01 15:09:27
Hi!

Three browsers made the same requests to the same URL but the third one causes the following errors:

2016-06-01 22:37:20; cppcms, error: Caught exception [sessions::format violation data]
0x7fac3f2edc13: cppcms::session_interface::load_data(std::map<std::string, cppcms::session_interface::entry, std::less<std::string>, std::allocator<std::pair<std::string const, cppcms::session_interface::entry> > >&, std::string const&) + 0x653 in /usr/local/lib/libcppcms.so.1
0x7fac3f2edf8e: cppcms::session_interface::load() + 0x13e in /usr/local/lib/libcppcms.so.1
0x7fac3f272908: cppcms::http::context::dispatch(booster::intrusive_ptr<cppcms::application> const&, std::string const&, bool) + 0x188 in /usr/local/lib/libcppcms.so.1
0x7fac3f27378e: cppcms::http::context::dispatch(booster::shared_ptr<cppcms::application_specific_pool> const&, booster::shared_ptr<cppcms::http::context> const&, std::string const&) + 0x7e in /usr/local/lib/libcppcms.so.1
0x7fac3f2756c3: cppcms::impl::thread_pool::worker() + 0xc3 in /usr/local/lib/libcppcms.so.1
0x7fac3f66a52a: booster_thread_func + 0x1a in /usr/local/lib/libbooster.so.0
0x7fac3d8f50a4: ??? + 0x3d8f50a4 in /lib/x86_64-linux-gnu/libpthread.so.0
0x7fac3dbf287d: clone + 0x6d in /lib/x86_64-linux-gnu/libc.so.6
(http_context.cpp:336)

The first possible cause coming to my mind is that the third browser sends a cookie to the server, and that cookie is either broken or created by the server with outdated keys.

If my guess is correct, is it possible to stop such an exception by enclosing the code in question with "try{...}"?

Best Regards,
CN
From: Artyom B. <art...@gm...> - 2016-06-19 06:00:32
What type of session have you been using?

Note session content is protected with either digital signature or it is stored on server so it may be either
(a) file/db for server side storage corrupted
(b) there is a bug

If you are getting this problem please provide the cookie that creates the issue, if you are using client side storage I also need the keys, for server side storage the data.

Artyom
From: CN <cn...@fa...> - 2016-06-21 09:58:01
On Sun, Jun 19, 2016, at 02:00 PM, Artyom Beilis wrote:
> What type of session have you been using?
>
> Note session content is protected with either digital signature or it
> is stored on server so it may be either (a) file/db for server side
> storage corrupted (b) there is a bug
>
> If you are getting this problem please provide the cookie that creates the
> issue, if you are using client side storage I also need the keys, for
> server side storage the data.

I use client side storage.
The server reset the cookie so fast that I failed to retain the cookie in question in time. Next time I will try to grab it if the same problem happens again.

Please pardon me for the dumb question - how do I retain the cookie in question?
Am I supposed to write it to a file on the server, or can I export cookies from browsers to a file?

Best Regards,
CN
From: Artyom B. <art...@gm...> - 2016-06-25 13:36:40
Does it happen in production? Or on your own tests.

Can it be that you switched from signed to encrypted and signed cookies without changing the signature key only added AES key?

If it happens on your own tests just give me the cookie in the browser and the keys.

If it happens in production it is a different story. Also it must not happen as invalid data should not come through the signature.
Then contact me in private and I'll see how can we debug it because it is serious.

Artyom
From: CN <cn...@fa...> - 2016-06-26 14:19:06
On Sat, Jun 25, 2016, at 09:36 PM, Artyom Beilis wrote:
> Does it happen in production? Or on your own tests.

It happened to my own tests - both browsers and server ran in localhost.

> Can it be that you switched from signed to encrypted and signed
> cookies without changing the signature key only added AES key?

If I remember correctly, I have been always using both "hmac" and "cbc" like so:

"session":{
  "location":"client",
  "client":{
    "hmac":"sha512",
    "hmac_key":"my-hmac-key",
    "cbc":"aes192",
    "cbc_key":"my-cbc-key"
  }
}

Besides, I remember that I always changed both values every time I did rather than only one of them. The fact that my two browsers never cause the server to log those weird errors probably proves my memory being working properly. However, I am not sure which values have been changed for "hmac" and/or "cbc" since the third browser in question was told by the server to save the (obsolete?) cookie.

> If it happens on your own tests just give me the cookie in the browser
> and the keys.

It was my fault - I restarted the server after I saw the error log without first making sure whether the server was dead or not. Then I accessed the same URL from the third browser in question and successfully logged in. Those steps caused the server to tell the third browser to reset the cookie. So I no longer have the suspected cookie in my third browser now. Next time if those same errors happen again, I will back up my browsers' cookie first.

> If it happens in production it is a different story. Also it must not
> happen as invalid data should not come through the signature.
> Then contact me in private and I'll see how can we debug it because it
> is serious.

Best Regards,
CN
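
Added example, not part of the thread and not CppCMS code: a constructed signed-cookie format (HMAC-SHA512 only, the AES step is left out) showing the order of checks the replies above rely on. A cookie sealed under an outdated key is discarded at the MAC check, and a format error can only be raised for bytes that carry a valid MAC. The function names, the payload layout and the keys are assumptions made for the illustration.

```python
import base64, hashlib, hmac, struct

class FormatViolation(Exception):
    """Payload passed the MAC check but does not parse: a server-side fault."""

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def serialize(session):
    # Constructed format: per entry, 2-byte key length, 4-byte value length, key, value.
    out = b""
    for key, value in session.items():
        k, v = key.encode(), value.encode()
        out += struct.pack(">HI", len(k), len(v)) + k + v
    return out

def parse(payload):
    session, pos = {}, 0
    while pos < len(payload):
        if pos + 6 > len(payload):
            raise FormatViolation("truncated entry header")
        klen, vlen = struct.unpack_from(">HI", payload, pos)
        pos += 6
        if pos + klen + vlen > len(payload):
            raise FormatViolation("entry runs past end of payload")
        try:
            key = payload[pos:pos + klen].decode()
            session[key] = payload[pos + klen:pos + klen + vlen].decode()
        except UnicodeDecodeError:
            raise FormatViolation("entry is not valid UTF-8")
        pos += klen + vlen
    return session

def seal_raw(payload, mac_key):
    tag = hmac.new(mac_key, payload, hashlib.sha512).digest()
    return b64e(payload) + "." + b64e(tag)

def seal(session, mac_key):
    return seal_raw(serialize(session), mac_key)

def load(cookie, mac_key):
    """Return the session dict, or None when the cookie must be discarded."""
    try:
        payload_part, tag_part = cookie.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except ValueError:  # malformed cookie text or base64
        return None
    expected = hmac.new(mac_key, payload, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, corrupted, or sealed under a key no longer in use
    return parse(payload)  # FormatViolation here: authentic bytes, bad content
```

With this ordering a None result is the routine case (issue a fresh cookie), while FormatViolation means the server itself sealed bytes it cannot read back, which is worth logging and investigating rather than silently catching.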