Re: [Cppcms-users] sessions::format violation data
From: CN <cn...@fa...> - 2016-06-26 14:19:06
On Sat, Jun 25, 2016, at 09:36 PM, Artyom Beilis wrote:
> Does it happen in production? Or on your own tests.

It happened in my own tests - both the browsers and the server ran on localhost.

>
> Can it be that you switched from signed to encrypted and signed
> cookies without changing the signature key only added AES key?

If I remember correctly, I have always been using both "hmac" and "cbc" like so:

    "session":{
        "location":"client",
        "client":{
            "hmac":"sha512",
            "hmac_key":"my-hmac-key",
            "cbc":"aes192",
            "cbc_key":"my-cbc-key"
        }
    }

Besides, I remember that I always changed both values every time I did, rather than only one of them. The fact that my two browsers never cause the server to log those weird errors probably proves that my memory is working properly. However, I am not sure which values have been changed for "hmac" and/or "cbc" since the third browser in question was told by the server to save the (obsolete?) cookie.

>
> If it happens on your own tests just give me the cookie in the browser
> and the keys.

It was my fault - I restarted the server after I saw the error log without first making sure whether the server was dead or not. Then I accessed the same URL from the third browser in question and successfully logged in. Those steps caused the server to tell the third browser to reset the cookie. So I no longer have the suspected cookie in my third browser now. Next time, if those same errors happen again, I will back up my browsers' cookies first.

> If it happens in production it is different story. Also it must not
> happen as invalid data should not come through the signature.
> Then contact me in private and I'll see how can we debug it because it
> is serious.

Best Regards,
CN

--
http://www.fastmail.com - Email service worth paying for. Try it for free