[Netpass-users] important notes about latest NP bug fixes
Brought to you by:
jeffmurphy
Menu
▾
▴
[Netpass-users] important notes about latest NP bug fixes
|
From: Jeff M. <jcm...@os...> - 2005-08-31 18:54:41
|
I'm going to make some CVS commits today but before you use them, you'll
need to make a few manual adjustments.
- Audit report changes
The audit report will now attempt to connect to your other NP
servers (if any) and fetch audit history from those servers and then
coalesce it into the final report.
This was done because the audit table is not replicated amongst
the NP servers. That, in turn, was done because MySQL cluster is
limited by the amount of RAM in the machine, and the audit table
can grow quite large over time. So there was a need to fetch the
audit results from the various servers and present them in a
single report.
To make this happen, you need to grant access so that each server
can connect to the other. IPTables should already be configured
to allow this. Assuming you have two NP servers called "npw1"
and "npw2", MySQL must be configured as follows:
npw1% mysql -u root mysql
mysql> insert into user values ('npw2.cit.buffalo.edu', 'root', '',
'y','n','n','n','n','n','n','n','n','n','n','n','n','n','n',
'n','n','n','n','n','n','','','','',0,0,0);
npw1% mysqladmin -u root reload
npw2% mysql -u root mysql
mysql> insert into user values ('npw1.cit.buffalo.edu', 'root', '',
'y','n','n','n','n','n','n','n','n','n','n','n','n','n','n',
'n','n','n','n','n','n','','','','',0,0,0);
npw2% mysqladmin -u root reload
- Removal of reliance on cookies
During semester startup, we discovered an issue with cookies and IE
toolbars causing sessions to be corrupted. This caused the clients
to return to the login page repeatedly without ever fully completing
the registration process.
The root of the problem seems to be that the toolbars, not
surprisingly, share the same cookie store as IE itself. When you go
to, e.g., www.cnn.com, NetPass captures the session, displays its
welcome page and issues a cookie.
Next, the client authenticates by entering credentials and clicking
'I Accept...'. The transaction is posted to the NP server and the
session is then updated to reflect that they are authenticated.
Immediately following that, the toolbar (e.g. google toolbar) sends
the same URL to Google. NetPass captures that transaction and sends
it to Apache. Apache assigns the transaction to a random httpd
process. That process has a copy of the session, but lacks the
bit of information indicating that it's an authenticated session.
The welcome page is sent back to the toolbar (which ignores it)
and the session is stored, over-writing the state information
indicating that the other session is authenticated.
When the user finishes the scan, they get the welcome page instead
of the final or remediation pages.
We looked at a few different solutions to this, and the one that
required the least amount of changes, and therefor the least amount
of potential for introduction of bugs, was to stop using cookies
and instead move the session ID into the CGI POSTed information that
is sent by the client back to the web server.
To activate this, you must edit
/opt/netpass/lib/NetPass/WWW/Session.pm
and in the "new HTML::Mason::ApacheHandler" section, change
"session_use_cookie" to zero like this:
session_use_cookie => 0,
and also add this line:
session_args_param => 'npsess',
note the trailing comma (just check your edits for syntax).
Save your changes and do the "sudo make install" and everything
should continue to work. The session ID is embedded in the client
forms as a hidden field. For the Admin interface, it appears
as part of the URL.
Log into the Admin site and be sure to set COOKIE_DETECT to "no".
That final piece isn't critical, but the cookie detection is
pointless now, so you might as well disable it.
The installation procedure has these changes in it, although I haven't
yet trimmed out the portions of the code that deal with cookie
configuration.
|
