#1094 Auth issues on newforge

v1.0.0
closed
sf-2 (994)
General
nobody
2015-08-20
2010-10-28
Mark Ramm
No

I keep getting redirected to the login page from pages like our tracker, the nf/admin pages, and the adobe page. On the login page I see this:

     Logged-in as mramm

     You are already logged-in to a SourceForge account.

     You may use the form to the right to attach an OpenID to this account.

And I can't get back to any newforge pages.

I expect this is an issue with the session database connection, or something similar, but it's quite confusing since it works fine on the "classic" side.

Discussion

  • I've also experienced it where I log in to view a ticket and then if I click a link to another ticket I get the login prompt again. Newforge is not remembering or knowing that I'm logged in.

  • Jenny Steele - 2010-10-28
    • status: in-progress --> open
  • Mark Ramm - 2010-10-28

    just figured out how to reproduce that
    go to http://sf.net/nf/admin
    get redirected, login
    now you're at https://sf.net/nf/admin
    change https to http and hit enter

  • Rick Copeland - 2010-10-28

    rcopeland
    did we just switch to https-only cookies?

    jsteele
    oh, so that page on sfx needs to look at the return_to and send you there if you're logged in already

    rcopeland
    yeah, that's it
    so on http, the PHPSESSID-S isn't sent

    Mark ramm-christensen
    makes sense I guess
    but when did that happen?

    rcopeland
    dunno, should ask the sfx guys
    probably around the time that firesheep came out
    anyway, if we don't receive that, then the user is anonymous
    and then they get a 401 because we require them to be authenticated
    which redirects them to the login page
    on https
    but they're already logged in
    so it's confusing

    Mark ramm-christensen
    good topic of conversation tomorrow morning

  • Rick Copeland - 2010-10-28

    one way we might be able to fix this is to make sure we do the http/https redirect based on something other than PHPSESSID-S

  • Rick Copeland - 2010-11-01
    • custom_field__size: --> 1
  • Dave Brondsema - 2010-11-01

    This is sf.consume's SfHttpHttpsMiddleware class:

    # Imports and the class header were not part of the pasted snippet;
    # they are what this (Python 2 / WebOb) code needs in order to run.
    from Cookie import CookieError
    from urllib import quote
    from webob import Request, exc

    class SfHttpHttpsMiddleware(object):
        def __init__(self, app, domain):
            self.app = app
            self.domain = domain

        def __call__(self, environ, start_response):
            req = Request(environ)
            resp = None
            if 'REQUEST_URI' in req.environ:
                request_uri = environ['REQUEST_URI']
            else:
                # http://www.python.org/dev/peps/pep-0333/#url-reconstruction
                request_uri = quote(environ.get('SCRIPT_NAME',''))
                request_uri += quote(environ.get('PATH_INFO',''))
                if environ.get('QUERY_STRING'):
                    request_uri += '?' + environ['QUERY_STRING']
            try:
                # some stupid clients send URLs with random unicode
                request_uri.decode('ascii')
            except UnicodeError:
                # note: either redirect branch below still replaces this 404
                resp = exc.HTTPNotFound()
            srv_path = self.domain + request_uri
            # SSL is signalled by a request header (presumably set by the front end)
            secure = req.environ.get('HTTP_X_SFINC_SSL', 'false') == 'true'
            try:
                # the redirect keys on the SFUSER cookie, not on the secure-only
                # session cookie, so it is seen on plain http requests as well
                sfuser = req.cookies.get('SFUSER')
            except CookieError:
                sfuser = None # we don't take kindly to your bogus cookie headers

            if sfuser:
                if not secure:
                    # logged-in user on http: send them to https
                    resp = exc.HTTPFound(location='https://' + srv_path)
            elif secure and req.headers.get('User-Agent'):
                # anonymous user on https: send them back to http.
                # The user-agent check is so xrds discovery agents can access the root page in https
                # they don't follow redirects (for security)
                # and Yahoo's agent doesn't send a user-agent value
                resp = exc.HTTPFound(location='http://' + srv_path)

            if resp is None:
                resp = req.get_response(self.app)
            return resp(environ, start_response)
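Added example, not code from this ticket or from sf.consume: a stdlib-only WSGI middleware showing the approach discussed above (Rick's suggestion of keying the http/https redirect on something other than PHPSESSID-S, and the SFUSER marker cookie that Dave's middleware uses). It assumes wsgi.url_scheme signals TLS (the real front end uses a proxy header), and the cookie names, domain and paths are constructed for the demo; call() drives the stack with a constructed request so the 401-on-http failure and the redirect fix can be compared.

```python
from http.cookies import CookieError, SimpleCookie
from urllib.parse import quote

MARKER_COOKIE = 'SFUSER'        # plain cookie: sent over http too, means "somebody is logged in"
SESSION_COOKIE = 'PHPSESSID-S'  # Secure-only cookie: the browser withholds it over http

def parse_cookies(environ):
    jar = SimpleCookie()
    try:
        jar.load(environ.get('HTTP_COOKIE', ''))
    except CookieError:
        return {}  # bogus Cookie header: treat as no cookies at all
    return {name: morsel.value for name, morsel in jar.items()}

def request_uri(environ):
    # PEP 3333 URL reconstruction, path and query only
    uri = quote(environ.get('SCRIPT_NAME', '')) + quote(environ.get('PATH_INFO', ''))
    if environ.get('QUERY_STRING'):
        uri += '?' + environ['QUERY_STRING']
    return uri

class HttpsForLoggedInUsers:
    """Bounce http requests to https when the marker cookie says a user is logged in."""
    def __init__(self, app, domain):
        self.app, self.domain = app, domain

    def __call__(self, environ, start_response):
        secure = environ.get('wsgi.url_scheme') == 'https'
        if parse_cookies(environ).get(MARKER_COOKIE) and not secure:
            start_response('302 Found', [('Location', 'https://' + self.domain + request_uri(environ))])
            return [b'']
        return self.app(environ, start_response)

def tracker_app(environ, start_response):
    # Downstream app: needs the session cookie; a 401 here is what sends users to the login page
    if not parse_cookies(environ).get(SESSION_COOKIE):
        start_response('401 Unauthorized', [])
        return [b'anonymous']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'tracker']

def call(wsgi, scheme, cookie_header, path='/nf/admin'):
    """Drive a WSGI callable with a constructed request; return (status, headers dict)."""
    seen = {}
    def start_response(status, headers):
        seen['status'], seen['headers'] = status, dict(headers)
    environ = {'wsgi.url_scheme': scheme, 'PATH_INFO': path, 'HTTP_COOKIE': cookie_header}
    b''.join(wsgi(environ, start_response))
    return seen['status'], seen['headers']
```

Without the middleware, a logged-in browser on http sends only SFUSER (the Secure session cookie stays home) and gets a 401; with it, the same request is redirected to https before the app sees it, while a genuinely anonymous http request is left alone.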
  • Mark Ramm - 2010-11-02

    Thanks dave!

  • Rick Copeland - 2010-11-12
    • status: open --> in-progress
  • Rick Copeland - 2010-11-12
    • status: in-progress --> blocked
    • assigned_to: Rick Copéland
  • Rick Copeland - 2010-11-12

    Actually this only seems to happen on /nf/* urls, which we explicitly set to not redirect b/c of all the static resources. I have asked SOG to narrow the filter to only include our "true" static resources.

    https://control.sog.geek.net/sog/trac/ticket/17620

  • Rick Copeland - 2010-11-15
    • custom_field__milestone: nov-15 --> nov-22
  • Rick Copeland - 2010-11-16
    • status: blocked --> closed