558143 - Logged-in status not reflected till user refreshes the page

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Public Pages, defect, P4)

Description

[krupa raj[:krupa]]

Note:Tester is not logged in.
steps to reproduce:
1.Go to https://preview.addons.mozilla.org/en-US/firefox/search?q=collection_name&cat=collections
2.Log in


expected behavior:
User is logged in.There is a log out link

actual behavior:
Logged-in status is not reflected till user refreshes the page.



screencast: http://screencast.com/t/OGM1ODExYjYt

Comment 1

[krupa raj[:krupa]]

I can reproduce this behavior in zamboni as well

STR:
1.Tester is not logged in
2.Go to https://preview.addons.mozilla.org/z/en-US/thunderbird/addon/2313/
3.Log in
4.The add-on detail page loads after log in.

observed behavior:
Logged-in status is not reflected till user refreshes the page

Adding [z] to the whiteboard

Comment 2

[Jeff Balogh (:jbalogh)]

That's a crazy bug!

Comment 4

[Wil Clouser [:clouserw]]

Tried to reproduce with the link in comment 1.  That's broken because of /z/ in the URL, works fine without it.

Comment 5

[krupa raj[:krupa]]

Once upon a time, this was reproducible on both remora and zamboni.

However, some supernatural power has fixed this bug before Wil could get to it.

Comment 6

[krupa raj[:krupa]]

I was able to reproduce this issue but while logging-out

STR:
1. Log in to preview
2. Log out

observed behavior:
User is still logged-in. Headers indicate that the problem may be due to redirects.

screencast: http://screencast.com/t/3B8dQIKq

Comment 7

[krupa raj[:krupa]]

Attachment: headers

Comment 8

[Jeff Balogh (:jbalogh)]

(In reply to comment #7)
> Created attachment 489844 [details]
> headers

I don't see anything hitting /login there.

Comment 9

[krupa raj[:krupa]]

https://addons.allizom.org/users/logout?to=/en-US/firefox/

GET /users/logout?to=/en-US/firefox/ HTTP/1.1
Host: addons.allizom.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,kn;q=0.7,en-us;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://addons.allizom.org/en-US/firefox/
Cookie: csrftoken=25671f410e34f4f2aeabb0f30989bd76; amo_home_promo_seen=5; AMOappName=firefox; sessionid=2964fd8dad65cd055d35176543987b49

HTTP/1.1 302 Found
Server: Apache
X-Backend-Server: pm-app-amo24
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Nov 2010 19:33:51 GMT
Location: https://addons.allizom.org/en-US/users/logout?to=%2Fen-US%2Ffirefox%2F
Keep-Alive: timeout=5, max=1000
X-AMO-ServedBy: pm-app-amo24.mozilla.org
Pragma: no-cache
Via: Moz-Cache-pm-zlb-amo01
Connection: Keep-Alive
X-Powered-By: PHP/5.2.9
X-Cache-Info: not cacheable; response specified "Cache-Control: no-store"
Content-Length: 0

Comment 10

[krupa raj[:krupa]]

filed comment 7 as  bug 611785. Moving this bug back to WORKSFORME

Comment 12

[Jeff Balogh (:jbalogh)]

I can consistently reproduce this with the STR in bug 652749.

This is the problem:

[z] Click "Log in"

[r] GET /en-US/firefox/users/login?to=%2Fen-US%2Ffirefox%2Faddon%2Ffftbm1%2Fabuse%2F
[r] POST /en-US/firefox/users/login HTTP/1.1

[r] 302 Location: https://addons.allizom.org/en-US/firefox/addon/fftbm1/abuse/
[r] Set-Cookie: AMOv3=r951c...1eu6; path=/; secure; HttpOnly

[z] GET /en-US/firefox/addon/fftbm1/abuse/ HTTP/1.1
[z] Set-Cookie: sessionid=8a3fc2496716d3b1cc009abcf77f0745; Domain=.addons.allizom.org; Path=/

/login goes through remora so zamboni has not assigned a session cookie. We see AMOv3 during the GET and assign a sessionid as part of our r-to-z shim. During the rest of the request the user appears to be anonymous, but subsequent requests see the cookie.

Solutions:
1. Move /login to zamboni
2. Move the login shim up the MIDDLEWARE_CLASSES list so the shim happens before any other auth stuff.

Comment 13

[Jeff Balogh (:jbalogh)]

Attachment: Headers for /login

Comment 15

[Gregory Koberger (:gkoberger)]

I'm getting this, too.  It insists I'm not logged in on the homepage, however I can get to devhub, editor tools, etc.

Comment 16

[Wil Clouser [:clouserw]]

> ...
> 2. Move the login shim up the MIDDLEWARE_CLASSES list so the shim happens
> before any other auth stuff.
> ...

Is it really that easy?  If so, let's do it

Comment 17

[Jeff Balogh (:jbalogh)]

(In reply to comment #16)
> > ...
> > 2. Move the login shim up the MIDDLEWARE_CLASSES list so the shim happens
> > before any other auth stuff.
> > ...
> 
> Is it really that easy?  If so, let's do it

After looking closer, I don't think this will actually work, but I'm trying it anyway in https://github.com/jbalogh/zamboni/commit/bdda4b1.

Comment 18

[krupa raj[:krupa]]

I haven't been able to reproduce the problem anymore. Marking this verified for now. However, I'll reopen if it surfaces again.