Closed Bug 422257 Opened 16 years ago Closed 16 years ago

Getting logged out if opening a bunch of extension to review in tabs

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

Product:
addons.mozilla.org Graveyard
Component:
Public Pages
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: aryx, Assigned: clouserw)

References

Details

Attachments

(1 file)

meh
708 bytes, patch
wenzel
: review+
morgamic
: review+
Details | Diff | Splinter Review 
If I open several item from the pending update queue in tabs, Firefox sometimes logs me out. Seen for the first time yesterday.
Mel was seeing this problem the other day, but I wasn't able to reproduce it.  Any idea on how to make it happen every time?
Also, I don't think it changed anything for Mel, but have you tried clearing your cookies?  We had some oddities there last week (I talked about it here: http://micropipes.com/blog/2008/03/11/how-my-cookies-became-a-one-way-street/ )
I'll do some live header testing, it happened on or about the 6-7 tab, but try 8+, step I used to reproduce using 3.0 Nightlies (update just got it to happen on 2.x builds):

- open nomination queue
- very quick middle-click/ctrl-click on many links to open them up into background tabs
- you should see the last few are logged out, if you don't just reload the nomination page, it should be logged out, and submitting a review on one of those pages probably doesn't work, etc.

yeah, I removed all mozilla.org cookies, etc.
We can reproduce this consistently in bug 424453.
We should fix this before launch.
Target Milestone: --- → 3.2
Tracked this down to cake regenerating the session id every 10 requests.  Continuing to investigate...
Assignee: nobody → clouserw
Have you looked if the cake bugtracker has the issue listed (and maybe even fixed)?
(In reply to comment #9)
> Have you looked if the cake bugtracker has the issue listed (and maybe even
> fixed)?
> 

It's by design.  It's one of the benefits of "high security."  Makes me feel more secure!  The problem occurs when cake starts the old session (which I think is already started) to destroy it, right before it starts the new session.  For what it's worth, bug 408984 disappears if we change the security level from high to medium... ;)
Attached patch mehSplinter Review 
Not an awesome solution but it works.  All it does is change CAKE_SECURITY from high to medium.  From what I can see, HIGH means:

1) Sessions are renewed every 10th request
2) PHP's referrer check is turned on.

#1 is not critical, I'll miss #2 a bit.  An alternative to this patch is commenting out $this->renew() in cake/libs/session.php's _checkValid().

The underlying problem behind this is line 597 on cake/libs/session.php.  That session_start() function is breaking things and I'm not sure why.  I'm open to ideas, but the two things I've suggested here would get the problem fixed now.
Attachment #311446 - Flags: review?
Attachment #311446 - Flags: review? → review?(fwenzel)
Attachment #311446 - Flags: review?(morgamic)
Comment on attachment 311446 [details] [diff] [review]
meh

I'm okay with this as a temp fix.  Fixed the editor's feature manager bugs w/ AJAX requests.
Attachment #311446 - Flags: review?(morgamic) → review+
Comment on attachment 311446 [details] [diff] [review]
meh

I agree with Mike: Not so much a fix as a workaround, but good for now.
Attachment #311446 - Flags: review?(fwenzel) → review+
As per: https://bugzilla.mozilla.org/show_bug.cgi?id=424987#c1

The title of this bug is a bit misleading.  I saw this bug when searching, but I thought it was to do with something for Add-On Reviewers only.

But thanks for redirecting me, Frederic.  Could you fix this bug's title to be more accurate?
in SVN, r11514.  Please test/verify it works.
I'm still getting logged out constantly on preview. (I assume the change is there, as changes I landed an hour ago are there now.)
No sure what in SVN means, is that just on dev servers, the log out scenario has gotten worse, I can't even navigate the site properly without getting logged off about my 4-5 click in.
Have you guys cleared your cookies?  (I assume preview has been updated too)
removed all *.mozilla.org and *.mozilla.com cookies just to make sure, but the addons cookies where all root path based.
I have no cookie to clear; preview keeps removing it without my consent.
Severity: normal → blocker
Yeah, preview is pretty messed up.  I haven't managed to reproduce this on my dev copy, but it's every 1 or 2 clicks for me on preview.  *sigh*
This is the second bug only reproducible on preview, and both have to do with the Cake upgrade. I'm wondering if we should have preview served out of a fresh checkout or something after the DB is updated.
I actually get logged out when I push an add-on back to the sandbox on production from the admin CP. When I click on "update statuses" I get a success message, and when I am forwarded back to the page, I get a login screen instead because I have just been logged out. Unsure if this is the same issue that you are seeing here, though.
prior to today the only time I was logged out was when opening a bunch of tabs, navigating amo was file while logged in.  now I just long in and normal browsing logs me off at the tenth click. again not in editor pages but maybe the fact that I am an editor has something to do with it.  let me know if you want me to trace the headers or debug this and thanks.
From the look of the headers preview.amo is unsetting the cookie on purpose.  I just can't get it to do it anywhere else.  Justin said he couldn't reproduce on his copy either.  
Found a server with invalid time that was breaking the sessions.  This is WFM for me now - anyone else verify?
so far works again on normal navigation, but still getting logged out when opening multiple tabs, re-removed cookies just to make sure, but it still happened though it seems to be happening after a longer period of time/tabs.
I clicked around on https://preview.addons.mozilla.org/en-US/firefox/editors/featured for a while (which does a bunch of ajax) and didn't get logged out.

Then I hit https://preview.addons.mozilla.org/en-US/firefox/editors/queue/pending, told it to show 50 add-ons, and middle-clicked all the way from top to bottom (probably a little faster than 1/sec).  They all opened just fine for me and I'm still logged in.

I have a single cookie for preview.addons.mozilla.org named AMOv3 with a path of /.


I did as Wil did in comment 29, but I've also been heavily testing this pretty much all night, using various browsers on even the same virtual machine, many times; I'm sure I'd have noticed and been annoyed had I seen this at some point thus far.

I think it's "fixed"; Bueller?
I don't want to call it fixed until Mel's problem goes away, but I'm comfortable not blocking the push tonight on it.  For what it's worth I came back today and loaded preview.amo and was still logged in from yesterday.  Invincible session!
Turns out Mel was testing on the live site and we were testing on preview.  When he tested on preview it worked fine.  Since the new code is going live tonight, calling this FIXED.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: