mahara-contributors team mailing list archive
Message #26502
[Bug 1446036] Re: Session changes in Mahara 15.04 can cause excessively large response headers
Testing instructions:
The easiest way to test this is to inspect the raw HTTP response
headers, using the network tab of Firefox's "Web Developer" feature
(Tools -> Web Developer -> Network) or Chromium's "Developer Tools"
feature (Menu -> More Tools -> Developer Tools, then click the Network
tab).
1. Open up the network tab so you can see the individual HTTP requests being sent by your browser.
2. Log in to your Mahara site as an admin.
3. Go to the Mahara Administration page.
4. Look at the response headers for the HTTP request for /admin/index.php (it'll be at the top of a long list of HTTP requests as your browser requests copies of all the page's assets)
5. Locate the "Set-Cookie" response header
Expected result: One copy of the "mahara" session cookie, and possibly a
couple of other cookies like "lastinstitution". Like this:
Set-Cookie: "mahara=77e26f14610b4c998cc070f415d74136; path=/mahara/htdocs/; HttpOnly"
Bug result: Multiple copies of the "mahara" session cookie. In Chromium
this will show up as multiple identical Set-Cookie headers. In Firefox
this will show up as one very long Set-Cookie header with repeated data,
like this:
Set-Cookie: "mahara=8d5b3e057f485394554cff20ef1cfd62; path=/mahara/htdocs/; HttpOnlymahara=8d5b3e057f485394554cff20ef1cfd62; path=/mahara/htdocs/; HttpOnlymahara=8d5b3e057f485394554cff20ef1cfd62; path=/mahara/htdocs/; HttpOnlymahara=8d5b3e057f485394554cff20ef1cfd62; path=/mahara/htdocs/; HttpOnlymahara=8d5b3e057f485394554cff20ef1cfd62; path=/mahara/htdocs/; HttpOnly"
--
https://bugs.launchpad.net/bugs/1446036
Title:
Session changes in Mahara 15.04 can cause excessively large response
headers
Status in Mahara ePortfolio:
Confirmed
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 15.10 series:
Confirmed
Bug description:
For the new Ajax progress bar, Bug 1352028, we changed
htdocs/auth/session.php so that it closes the PHP session when not in
use. This was necessary in order to allow multiple requests to the
same session to process simultaneously; PHP by default locks the
session between the time you call session_start() and
session_write_close().
The downside to this approach, though, is that every time you call
session_start(), PHP adds a new (duplicate) PHP_SESS_ID cookie to the
request header. Since we open and close the session every time we call
$SESSION->set() now, this can lead to a very large cookie header. (See
https://bugs.php.net/bug.php?id=38104 )
On our hosting environment, these headers got too large and started
causing our Nginx proxy server to throw errors while trying to
initiate an MNet connection. This causes the proxy server to throw a
500 error, and to log an error like this:
2015/04/20 14:59:03 [error] 14845#0: *137093286 upstream sent too big header while reading response header from upstream, client: 2404:130:0:1000:61f4:7e47:8a26:821, server: master-mahara.catalystdemo.net.nz, request: "GET /auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl= HTTP/1.1", upstream: "http://202.78.243.12:9226/auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl=", host: "master-mahara.catalystdemo.net.nz"
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1446036/+subscriptions
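A scripted version of the manual Set-Cookie check from the testing instructions, added here as an example; it is not part of the original message or of Mahara's code. It counts how many Set-Cookie lines in a raw response header block set the same cookie name and compares the block's size with a limit. The sample responses, the cookie value and the 4096-byte default are constructed assumptions.

```python
from collections import Counter

COOKIE_LINE = ("Set-Cookie: mahara=0123456789abcdef0123456789abcdef; "
               "path=/mahara/htdocs/; HttpOnly\r\n")  # constructed value


def build_response(copies):
    """Constructed sample: a raw header block with `copies` session cookies."""
    return ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html; charset=UTF-8\r\n"
            + COOKIE_LINE * copies
            + "Set-Cookie: lastinstitution=mahara; path=/mahara/htdocs/\r\n"
            "\r\n")


def set_cookie_counts(raw_headers):
    """Count how many Set-Cookie header lines set each cookie name."""
    counts = Counter()
    head = raw_headers.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # The cookie name is everything before the first "=" of the first pair.
        name = value.split(";", 1)[0].partition("=")[0].strip()
        if name:
            counts[name] += 1
    return counts


def audit(raw_headers, max_header_bytes=4096):
    """Report repeated cookies and whether the header block exceeds the limit.

    max_header_bytes is an assumed threshold; set it to the buffer size your
    proxy uses for upstream response headers.
    """
    head = raw_headers.split("\r\n\r\n", 1)[0]
    size = len(head.encode("latin-1")) + 4  # include the terminating CRLFCRLF
    counts = set_cookie_counts(raw_headers)
    duplicates = {name: n for name, n in counts.items() if n > 1}
    return {"duplicates": duplicates, "header_bytes": size,
            "over_limit": size > max_header_bytes}


if __name__ == "__main__":
    for copies in (1, 5, 60):
        print(copies, audit(build_response(copies)))
```

To run it against a real site, pass in the header block saved from an authenticated request to /admin/index.php in place of the constructed sample.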