You are viewing a plain text version of this content. The canonical link for it is here.
Posted to embperl@perl.apache.org by Stefan Cars <st...@snowfall.se> on 2004/11/09 14:50:13 UTC
Sessions get mixed up ?
Hi!
We get reports about that people sometimes in the middle of a
registration get other peoples information. The only way I can see this
happen (after days of investigation) is that the $udat with the
member_id has changed in the middle of sessions and that it got another
session from another user currently also beeing logged in. Do you know
if this might be possible ? I saw a mail earlier regarding something
like this
(http://www.mail-archive.com/embperl@perl.apache.org/msg01385.html). I
am running FreeBSD 5.3, Apache 2.0.50 with latest mod_perl2 and
embperl2. Apache::SessionX 2.00b5 and Apache::Session 1.54, using mysql
for both sessions and locking.
Anyone with any ideas ?
Kind Regards,
Stefan Cars
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Ed Grimm <ed...@dsblade00.wat.us.ray.com>.
On Tue, 16 Nov 2004, Stefan Cars wrote:
> Ed Grimm wrote:
>> On Mon, 15 Nov 2004, Pierre Etchemaite wrote:
>>>Le lun 15 nov 2004 18:24:06 CET, Ed Grimm <ed...@dsblade00.wat.us.ray.com>
>>>a écrit :
>>>
>>>>>Apache::Session generates the id by doing a md5 hash on a random
>>>>>number (time () . {} . Rand() . $$) , maybe there are situation
>>>>>where it generates the same id (also this should normaly not
>>>>>happen).
>>>>
>>>>MD5 hash collisions very well could have that frequency, at that volume.
>>>>
>>>>How hard would it be to change the code to use a SHA or SSHA hash
>>>>instead? (Admittedly, I'm picking a more cryptographically secure hash
>>>>at psuedo-random; there may be one that's more appropriate.)
>>>
>>>Collisions with a 128 bits digest are *very* unlikely. It's more likely the
>>>original pseudo random number that provides less than 128 bits of entropy.
<snip>
> One of the things that is strange though (or maybe not? ) is that when
> we get reports of this, it looks like they always logged in almost at
> the same time (within 30 min from each other). Does that say anything to
> you ?
Given that you think 30 minutes is "close", that tells me that you're
not having a collision on the original pseudo random number - for that
to hit, you'd need them to be happening on the same second, and serviced
by the same apache child process.
It also suggests to me that either your sessions do not tend to last
much longer than 30 minutes, or that the special situation that triggers
the MD5 entropy loss is time-localized (this is not, actually,
surprising.) I'd personally suspect the latter, rather than the former.
Ed
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Stefan Cars <st...@snowfall.se>.
Ed Grimm wrote:
> On Mon, 15 Nov 2004, Pierre Etchemaite wrote:
>
>>Le lun 15 nov 2004 18:24:06 CET, Ed Grimm <ed...@dsblade00.wat.us.ray.com>
>>a écrit :
>>
>>
>>>>Apache::Session generates the id by doing a md5 hash on a random
>>>>number (time () . {} . Rand() . $$) , maybe there are situation where
>>>>it generates the same id (also this should normaly not happen).
>>>
>>>MD5 hash collisions very well could have that frequency, at that volume.
>>>
>>>How hard would it be to change the code to use a SHA or SSHA hash
>>>instead? (Admittedly, I'm picking a more cryptographically secure hash
>>>at psuedo-random; there may be one that's more appropriate.)
>>
>>Collisions with a 128 bits digest are *very* unlikely. It's more likely the
>>original pseudo random number that provides less than 128 bits of entropy.
>
>
> Well, we have 32 bits of time, but only a few bits of entropy, plus 32
> bits of entropy from Rand(), plus 16 bits of $$, but again only a few
> bits of actual entropy. This sounds like around 36-38 bits of entropy
> to me. This number, while much smaller than 128 bits, is still too
> variable for there to be a duplication of the seed number in that
> interval.
>
> MD5 hashes are known to not be cryptographically secure, which is to
> say that they do not necessarily preserve all the entropy which is fed
> into them. Providing more entropy should reduce the collision rate, but
> given that time is a factor, I suspect it won't eliminate it - with the
> number of logins per day quoted, I'd not expect there to be that many
> people logging in during the same second.
>
> Of course, if one wanted to go the other route, using Time::HiRes for
> time() would increase the effective entropy bits on time by 15-19, and
> should be a fairly drop-in change. (Just add
>
> use Time::HiRes qw(time);
>
> to the top of Apache/Session.pm.) Of course, this will only work if
> your system recognizes subsecond time.
>
> I personally have encountered checksum collisions in rsync, which uses a
> 128 bit MD4 hash; the files were the same size, but their content was
> different. I do not believe that I have yet performed rsync to update
> files of the same length more than 300,000 times.
>
> Ed
>
One of the things that is strange though (or maybe not? ) is that when
we get reports of this, it looks like they always logged in almost at
the same time (within 30 min from each other). Does that say anything to
you ?
Kind Regards,
Stefan Cars
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Ed Grimm <ed...@dsblade00.wat.us.ray.com>.
On Mon, 15 Nov 2004, Pierre Etchemaite wrote:
> Le lun 15 nov 2004 18:24:06 CET, Ed Grimm <ed...@dsblade00.wat.us.ray.com>
> a écrit :
>
>>> Apache::Session generates the id by doing a md5 hash on a random
>>> number (time () . {} . Rand() . $$) , maybe there are situation where
>>> it generates the same id (also this should normaly not happen).
>>
>> MD5 hash collisions very well could have that frequency, at that volume.
>>
>> How hard would it be to change the code to use a SHA or SSHA hash
>> instead? (Admittedly, I'm picking a more cryptographically secure hash
>> at psuedo-random; there may be one that's more appropriate.)
>
> Collisions with a 128 bits digest are *very* unlikely. It's more likely the
> original pseudo random number that provides less than 128 bits of entropy.
Well, we have 32 bits of time, but only a few bits of entropy, plus 32
bits of entropy from Rand(), plus 16 bits of $$, but again only a few
bits of actual entropy. This sounds like around 36-38 bits of entropy
to me. This number, while much smaller than 128 bits, is still too
variable for there to be a duplication of the seed number in that
interval.
MD5 hashes are known to not be cryptographically secure, which is to
say that they do not necessarily preserve all the entropy which is fed
into them. Providing more entropy should reduce the collision rate, but
given that time is a factor, I suspect it won't eliminate it - with the
number of logins per day quoted, I'd not expect there to be that many
people logging in during the same second.
Of course, if one wanted to go the other route, using Time::HiRes for
time() would increase the effective entropy bits on time by 15-19, and
should be a fairly drop-in change. (Just add
use Time::HiRes qw(time);
to the top of Apache/Session.pm.) Of course, this will only work if
your system recognizes subsecond time.
I personally have encountered checksum collisions in rsync, which uses a
128 bit MD4 hash; the files were the same size, but their content was
different. I do not believe that I have yet performed rsync to update
files of the same length more than 300,000 times.
Ed
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Pierre Etchemaite <pe...@concept-micro.com>.
Le lun 15 nov 2004 18:24:06 CET, Ed Grimm <ed...@dsblade00.wat.us.ray.com>
a écrit :
> > Apache::Session generates the id by doing a md5 hash on a random
> > number (time () . {} . Rand() . $$) , maybe there are situation where
> > it generates the same id (also this should normaly not happen).
>
> MD5 hash collisions very well could have that frequency, at that volume.
>
> How hard would it be to change the code to use a SHA or SSHA hash
> instead? (Admittedly, I'm picking a more cryptographically secure hash
> at psuedo-random; there may be one that's more appropriate.)
Collisions with a 128 bits digest are *very* unlikely. It's more likely the
original pseudo random number that provides less than 128 bits of entropy.
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Stefan Cars <st...@snowfall.se>.
Gerald Richter wrote:
>>How hard would it be to change the code to use a SHA or SSHA
>>hash instead? (Admittedly, I'm picking a more
>>cryptographically secure hash at psuedo-random; there may be
>>one that's more appropriate.) Note that I realize they take
>>longer to generate, but that time only happens at login, not
>>per page view, and it should reduce the hash collision rate
>>dramatically.
>>
>
>
> It is very simple to change the code. Apache::Session is very modular, so
> you can specify whihg Generator to use. Go to the Apache::Session source and
> take a look at
>
> Session/Generator/MD5.pm
>
> Create a new similar module with your desired alogrithem and specify it as
> Generatior in the Embperl config
>
Hi!
How would you change the Embperl config accordingly.
Kind Regards,
Stefan Cars
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
RE: Sessions get mixed up ?
Posted by Gerald Richter <ri...@ecos.de>.
>
> How hard would it be to change the code to use a SHA or SSHA
> hash instead? (Admittedly, I'm picking a more
> cryptographically secure hash at psuedo-random; there may be
> one that's more appropriate.) Note that I realize they take
> longer to generate, but that time only happens at login, not
> per page view, and it should reduce the hash collision rate
> dramatically.
>
It is very simple to change the code. Apache::Session is very modular, so
you can specify whihg Generator to use. Go to the Apache::Session source and
take a look at
Session/Generator/MD5.pm
Create a new similar module with your desired alogrithem and specify it as
Generatior in the Embperl config
Gerald
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
RE: Sessions get mixed up ?
Posted by Ed Grimm <ed...@dsblade00.wat.us.ray.com>.
On Mon, 15 Nov 2004, Gerald Richter wrote:
> Hi,
>
>> The problem is that this happens maybe once or twice a month (we have
>> about 10-15 thousands login per day). So it's really hard to
>> reproduce, and as far as I understand wouldn't the closure problem
>> create this problem more often ?)
>
> Yes, the closure problem should create the problem more often.
>
> If it happens so seldom, it really might be a problem of generating
> session ids.
>
> Apache::Session generates the id by doing a md5 hash on a random
> number (time () . {} . Rand() . $$) , maybe there are situation where
> it generates the same id (also this should normaly not happen).
MD5 hash collisions very well could have that frequency, at that volume.
How hard would it be to change the code to use a SHA or SSHA hash
instead? (Admittedly, I'm picking a more cryptographically secure hash
at psuedo-random; there may be one that's more appropriate.) Note that
I realize they take longer to generate, but that time only happens at
login, not per page view, and it should reduce the hash collision rate
dramatically.
Ed
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
RE: Sessions get mixed up ?
Posted by Gerald Richter <ri...@ecos.de>.
Hi,
>
> The problem is that this happens maybe once or twice a month
> (we have about 10-15 thousands login per day). So it's really
> hard to reproduce, and as far as I understand wouldn't the
> closure problem create this problem more often ?)
>
Yes, the closure problem should create the problem more often.
If it happens so seldom, it really might be a problem of generating session
ids.
Apache::Session generates the id by doing a md5 hash on a random number
(time () . {} . Rand() . $$) , maybe there are situation where it generates
the same id (also this should normaly not happen).
Are you able to log something like a username and the session id in a
seperate file and then it would be possible to see if two users have the
same id.
Gerald
> Kind Regards,
> Stefan Cars
>
> Gerald Richter wrote:
> >>After reading alot, I can understand why the sub's would give wrong
> >>results. Why the sessions would get mixed up I do not understand...
> >>
> >
> >
> > That might be the case when you keep data of a previous session in a
> > closure.
> >
> > The other possibility would be that Apache::Session
> generates duplicate ids
> > (I don't expect this, but who knows).
> >
> > You might also enable the dbgSession flag in EMBERL_DEBUG
> and watch the
> > embperl.log file to see what happen with your sessions and
> verify that you
> > have unique session ids
> >
> > Regards
> >
> > Gerald
> >
> >
> >
> >>/S
> >>
> >>Andre Landwehr wrote:
> >>
> >>>On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
> >>>
> >>>
> >>>>Correct, it seems that they are doing "do 'inc.pl'" alot,
> is there
> >>>>around it or do we really need to change it to be [$ sub $]
> >>
> >>instead ?
> >>
> >>>>Or can we fix our subs to not close ?? Do you have any
> >>
> >>URL's to this ?
> >>
> >>>
> >>>Here is a thread from the time I had the problem,
> including Geralds
> >>>answer.
> >>>http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
> >>>
> >>>The link Gerald posted is no longer valid, but I think I found the
> >>>page here:
> >>>
> >>
> >>http://perl.apache.org/docs/general/perl_reference/perl_refe
> rence.html
> >>
> >>>#my___Scoped_Variable_in_Nested_Subroutines
> >>>
> >>>Andre
> >>>
> >>
> >>
> >>------------------------------------------------------------
> ---------
> >>To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
> >>For additional commands, e-mail: embperl-help@perl.apache.org
> >>
> >>
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
> > For additional commands, e-mail: embperl-help@perl.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Stefan Cars <st...@snowfall.se>.
Hi!
The problem is that this happens maybe once or twice a month (we have
about 10-15 thousands login per day). So it's really hard to reproduce,
and as far as I understand wouldn't the closure problem create this
problem more often ?)
Kind Regards,
Stefan Cars
Gerald Richter wrote:
>>After reading alot, I can understand why the sub's would give
>>wrong results. Why the sessions would get mixed up I do not
>>understand...
>>
>
>
> That might be the case when you keep data of a previous session in a
> closure.
>
> The other possibility would be that Apache::Session generates duplicate ids
> (I don't expect this, but who knows).
>
> You might also enable the dbgSession flag in EMBERL_DEBUG and watch the
> embperl.log file to see what happen with your sessions and verify that you
> have unique session ids
>
> Regards
>
> Gerald
>
>
>
>>/S
>>
>>Andre Landwehr wrote:
>>
>>>On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
>>>
>>>
>>>>Correct, it seems that they are doing "do 'inc.pl'" alot, is there
>>>>around it or do we really need to change it to be [$ sub $]
>>
>>instead ?
>>
>>>>Or can we fix our subs to not close ?? Do you have any
>>
>>URL's to this ?
>>
>>>
>>>Here is a thread from the time I had the problem, including Geralds
>>>answer.
>>>http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
>>>
>>>The link Gerald posted is no longer valid, but I think I found the
>>>page here:
>>>
>>
>>http://perl.apache.org/docs/general/perl_reference/perl_reference.html
>>
>>>#my___Scoped_Variable_in_Nested_Subroutines
>>>
>>>Andre
>>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
>>For additional commands, e-mail: embperl-help@perl.apache.org
>>
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
> For additional commands, e-mail: embperl-help@perl.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
RE: Sessions get mixed up ?
Posted by Gerald Richter <ri...@ecos.de>.
>
> After reading alot, I can understand why the sub's would give
> wrong results. Why the sessions would get mixed up I do not
> understand...
>
That might be the case when you keep data of a previous session in a
closure.
The other possibility would be that Apache::Session generates duplicate ids
(I don't expect this, but who knows).
You might also enable the dbgSession flag in EMBERL_DEBUG and watch the
embperl.log file to see what happen with your sessions and verify that you
have unique session ids
Regards
Gerald
> /S
>
> Andre Landwehr wrote:
> > On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
> >
> >>Correct, it seems that they are doing "do 'inc.pl'" alot, is there
> >>around it or do we really need to change it to be [$ sub $]
> instead ?
> >>Or can we fix our subs to not close ?? Do you have any
> URL's to this ?
> >
> >
> > Here is a thread from the time I had the problem, including Geralds
> > answer.
> > http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
> >
> > The link Gerald posted is no longer valid, but I think I found the
> > page here:
> >
> http://perl.apache.org/docs/general/perl_reference/perl_reference.html
> > #my___Scoped_Variable_in_Nested_Subroutines
> >
> > Andre
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
> For additional commands, e-mail: embperl-help@perl.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Stefan Cars <st...@snowfall.se>.
Hi!
After reading alot, I can understand why the sub's would give wrong
results. Why the sessions would get mixed up I do not understand...
/S
Andre Landwehr wrote:
> On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
>
>>Correct, it seems that they are doing "do 'inc.pl'" alot, is there
>>around it or do we really need to change it to be [$ sub $] instead ? Or
>>can we fix our subs to not close ?? Do you have any URL's to this ?
>
>
> Here is a thread from the time I had the problem, including
> Geralds answer.
> http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
>
> The link Gerald posted is no longer valid, but I think I found
> the page here:
> http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines
>
> Andre
>
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Andre Landwehr <an...@gmx.net>.
On Thu, Nov 11, 2004 at 11:36:50PM +0100, Stefan Cars wrote:
> > Andre Landwehr wrote:
> >Here is a thread from the time I had the problem, including
> >Geralds answer.
> >http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
> >
> >The link Gerald posted is no longer valid, but I think I found
> >the page here:
> >http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines
> Does this means that for example $udat{foo} can't be used inside a sub
> that is created with sub { } and not [$ sub $] and included with the
> 'do' syntax ?
To my understanding that is true. Not only %udat is affected but
everything you use in the sub that may be affected by closures,
though %udat is certainly the most annoying candidate from a
security point of view.
But maybe someone else can comment on that since my latest
experiences with Embperl are not very current anymore (I changed
to C/C++/Java development 2 years ago and have not done very much
with Embperl since then)
Andre
--
Earth. Air. Fire. Water.
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Stefan Cars <st...@snowfall.se>.
Hi!
Does this means that for example $udat{foo} can't be used inside a sub
that is created with sub { } and not [$ sub $] and included with the
'do' syntax ?
Kind Regards,
Stefan Cars
Andre Landwehr wrote:
> On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
>
>>Correct, it seems that they are doing "do 'inc.pl'" alot, is there
>>around it or do we really need to change it to be [$ sub $] instead ? Or
>>can we fix our subs to not close ?? Do you have any URL's to this ?
>
>
> Here is a thread from the time I had the problem, including
> Geralds answer.
> http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
>
> The link Gerald posted is no longer valid, but I think I found
> the page here:
> http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines
>
> Andre
>
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Andre Landwehr <an...@gmx.net>.
On Wed, Nov 10, 2004 at 10:25:24PM +0100, Stefan Cars wrote:
> Correct, it seems that they are doing "do 'inc.pl'" alot, is there
> around it or do we really need to change it to be [$ sub $] instead ? Or
> can we fix our subs to not close ?? Do you have any URL's to this ?
Here is a thread from the time I had the problem, including
Geralds answer.
http://www.gossamer-threads.com/lists/modperl/embperl/11175#11175
The link Gerald posted is no longer valid, but I think I found
the page here:
http://perl.apache.org/docs/general/perl_reference/perl_reference.html#my___Scoped_Variable_in_Nested_Subroutines
Andre
--
Earth. Air. Fire. Water.
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
Re: Sessions get mixed up ?
Posted by Andre Landwehr <an...@gmx.net>.
On Tue, Nov 09, 2004 at 02:50:13PM +0100, Stefan Cars wrote:
> We get reports about that people sometimes in the middle of a
> registration get other peoples information. The only way I can see this
> happen (after days of investigation) is that the $udat with the
> member_id has changed in the middle of sessions and that it got another
> session from another user currently also beeing logged in. Do you know
> if this might be possible ?
Typically this behaviour means you have an (unwanted) closure
somewhere in your page. I experienced that effect many, many
times. Every sub you write in one of your pages can end up being
a closure, so just don't do this. Use [$ sub foo $] instead.
Btw: this is not even Embperls fault, it's a "feature" of
mod_perl.
Andre
--
Earth. Air. Fire. Water.
---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org