Bug #7817
closed
[Workbench] Doesn't load (at all) when an old session cookie is present
Description
I recently experienced an issue in which workbench would not load at all for me from a particular browser (in this case Chrome). After suffering with the problem for some time (assuming it was a network issue), I tried deleting the session cookie, after which it started working again immediately.
The session cookie was dated Friday, 23 October 2015 at 12:04:35 and it wasn't working as of 15-17 November 2015 (i.e. after my browser and its session cookie had existed for more than 3 weeks). I will attach a copy of a screenshot of the offending _arvados_workbench_session cookie as well as the corresponding log from workbench's production.log. It appears our server side has been up and running since 23 October ~9am, so the server is older than the session.
Is there a known issue with handling of very old session cookies?
The error I got back in my browser was a generic 503 error from nginx indicating the backend did not respond, whereas the production.log indicates that after 180s the backend responded with a 422.
Waiting 3m before responding seems like an error in the backend's handling of the cookie. If the session cookie is invalid, the behaviour I would expect would be to delete the session cookie and create a new one.
Updated by Brett Smith over 10 years ago
- Target version set to 2016-01-06 sprint
Updated by Brett Smith over 10 years ago
- Target version deleted (2016-01-06 sprint)
Updated by Brett Smith about 10 years ago
- Target version set to Arvados Future Sprints
Updated by Brett Smith about 10 years ago
- Assigned To set to Radhika Chippada
- Target version changed from Arvados Future Sprints to 2016-01-20 Sprint
Updated by Brett Smith about 10 years ago
- Subject changed from Workbench doesn't load (at all) when an old session cookie is present to [Workbench] Doesn't load (at all) when an old session cookie is present
- Story points set to 1.0
Investigation timeboxed at 1 story point.
Updated by Radhika Chippada about 10 years ago
My thoughts about this issue:
- The session cookie _arvados_workbench_session is a browser cookie and lives until the browser session terminates (and hence does not expire), but instead the contents of the cookie are stale. The cookie contains the arvados_api_token, which I think has expired.
- The application_controller -> set_thread_api_token, an around_filter, tries to set up an active user session using this expired token.
load_api_token(session[:arvados_api_token])
- The API call invocation should hence fail and result in login prompt / SSO as needed.
I did the following tests to see if relogin is happening as expected when the cookie has an expired token.
- I added a workbench controller test that simulates a session cookie with expired token. The test "passes" and a redirection to login page is happening.
- Using my localhost workbench, I tested the following. Login to my workbench. Identify the current token. Update the record in my database for this token and set expires_at to a year ago. Navigate to a different page or reload same page in my workbench page. Looking at the workbench console log as well as workbench current token page, verify that the login process (SSO) is happening and a new token is created and the browser cookie is also updated. Tested with both Firefox and Chrome and in both cases I observed the expected behavior of login process upon encountering a session cookie with expired token.
- Based on these two tests, the session handling seems to work as expected in this scenario.
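The flow discussed in this comment, as an added example that is not Workbench's own code and not part of the original comment: a filter-shaped check that drops a rejected session token and asks for a new login. It goes beyond the comment by also bounding the validation step, so a slow check fails fast instead of leaving the reverse proxy to time out. The names `with_session_token`, `validate_token`, `TokenRejected`, `TOKENS` and the `deadline` parameter are hypothetical, and the token records are constructed.

```ruby
require 'timeout'

class TokenRejected < StandardError; end

# Constructed stand-in for the API server's token records (not Arvados data).
TOKENS = {
  'tok-live'    => { expires_at: Time.now + 3600 },
  'tok-expired' => { expires_at: Time.now - 365 * 24 * 3600 } # "a year ago"
}.freeze

# Hypothetical validator: raises TokenRejected for unknown or expired tokens.
def validate_token(token, now: Time.now)
  record = TOKENS[token]
  raise TokenRejected, 'unknown token' if record.nil?
  raise TokenRejected, 'expired token' if record[:expires_at] <= now
  true
end

# Shaped like an around filter: validate the token stored in the session and
# yield to the request on success. A rejected token is removed from the
# session and a login is requested. A validation that exceeds `deadline`
# seconds returns an error at once and leaves the session untouched, because
# a timeout does not prove the token is bad.
def with_session_token(session, validator: method(:validate_token), deadline: 2)
  token = session[:arvados_api_token]
  return { action: :login, reason: 'no token in session' } if token.nil?

  begin
    Timeout.timeout(deadline) { validator.call(token) }
  rescue TokenRejected => e
    session.delete(:arvados_api_token)
    return { action: :login, reason: e.message }
  rescue Timeout::Error
    return { action: :error, reason: 'validation timed out' }
  end

  { action: :render, body: yield(token) }
end

if __FILE__ == $PROGRAM_NAME
  stale = { arvados_api_token: 'tok-expired' }
  p with_session_token(stale) { |t| "page for #{t}" }
  p stale
end
```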
Updated by Brett Smith about 10 years ago
- Target version deleted (2016-01-20 Sprint)
Updated by Radhika Chippada almost 10 years ago
- Assigned To deleted (Radhika Chippada)
Updated by Peter Amstutz about 6 years ago
- Priority changed from Normal to Low
- Status changed from New to Closed