[OPEN-ILS-DEV] Duplicate authtokens
Bill Ott
bott at grpl.org
Wed Feb 8 13:40:49 EST 2017
Unfortunately, at the time I caught this in the logs, we were only
logging warn, so I don't see the init call. The method we were using to
call init was not using nonce.
I've located a nice example in SIP.pm and will make a code change to use
it in our init call going forward!
On 02/08/2017 01:15 PM, Mike Rylander wrote:
> Bill,
>
> Can you find the log entries for the offending sessions (should all be
> around 6am, obv) for calls to open-ils.auth.authenticate.init? The
> first parameter is the username and the second is the nonce
> (http://stackoverflow.com/questions/5050932/nonce-usage-in-authentication)
> used to disambiguate session requests coming in at the same time. The
> nonce is based on the return value of rand($$) in the client (a random
> number between 0 and the client pid minus 1), and if they're the same
> then the same auth token could be generated. They should not be the
> same, of course, but if they are ... we may need to upgrade our PRNG
> to something stronger from CPAN, like
> http://search.cpan.org/~frew/Math-Random-Secure-0.08/lib/Math/Random/Secure.pm
>
> Thanks,
>
> --
> Mike Rylander
> | President
> | Equinox Open Library Initiative
> | phone: 1-877-OPEN-ILS (673-6457)
> | email: miker at equinoxinitiative.org
> | web: http://equinoxinitiative.org
>
>
> On Wed, Feb 8, 2017 at 12:30 PM, Bill Ott <bott at grpl.org> wrote:
>> I'm not sure this if this is a bug, as I haven't totally wrapped my mind
>> around it, but we've had some bizarre behavior that I wanted to put on the
>> radar.
>>
>> Ever since we upgraded to 2.11 in Dec., we've had occasional situations
>> where our automated book drops would start reporting the wrong OU on
>> checkin. The WS name would be correct, but not the OU. A restart of the
>> book drop service would correct it. I hadn't reported it because I thought
>> it may have something to do with our custom services.
>>
>> Today I found the smoking gun in the logs. Drops restart every morning at
>> 06:00. They are using the same user, but different WS values. The logs
>> showed 4 drops all with the same authtoken. When retrieving the ws_ou by
>> authtoken, you'd get the OU based on the first WS value.
>>
>> I'm not sure if this is something with the new auth code, and we can't
>> reproduce it manually, but it seems that there's something about requesting
>> multiple logins using the same user at the same moment that causes
>> authtokens to be reused, even though the WS is different.
>>
>> We've now created new distinct users for each drop and I suspect that will
>> prevent us from seeing this, but it seemed worth mentioning.
More information about the Open-ils-dev
mailing list