Evergreen

web staff client can spam open-ils.auth.session.retrieve requests

Bug #1774448 reported by Galen Charlton on 2018-05-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Evergreen	Fix Released	Undecided	Unassigned	Evergreen 3.1.5
	3.0	Fix Released	Undecided	Unassigned	Evergreen 3.0.11

Bug Description

The web staff client polls periodically to see if the authentication session is still current. This polling is done at an interval of the original auth session time (plus 5 seconds), using a $timeout.

However, super-large auth.staff_timeout values can result in the $timeout delay overflowing a 32-bit integer in most browser implementations (see https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout#Maximum_delay_value), meaning that it can do open-ils.auth.session.retrieve requests as quickly as possible... for every open browser tab logged into the web staff client.

If nothing else, this can cause logs to fill. A maximum poll time should be enforced below the 2,147,483,647 millisecond limit before a 32-bit integer overflows, and we should probably also coerce the minimum poll time to be 60 seconds or the like.

Evergreen 3.0+

Tags:

Bill Erickson (berick) on 2018-05-31

Changed in evergreen:
status:	New → Confirmed
assignee:	nobody → Bill Erickson (berick)
status:	Confirmed → In Progress

Revision history for this message

Bill Erickson (berick) wrote on 2018-05-31:

Fix pushed implementing Galen's suggestions.

Shortest poll value is now 60,000ms and longest is now 2,147,483,647ms.

http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/berick/lp1774448-auth-poll-spam

Changed in evergreen:
milestone:	none → 3.1.3
assignee:	Bill Erickson (berick) → nobody
status:	In Progress → Confirmed
tags:	added: pullrequest webstaffclient

Evergreen Bug Maintenance (bugmaster) on 2018-06-29

Changed in evergreen:
milestone:	3.1.3 → 3.1.4

Evergreen Bug Maintenance (bugmaster) on 2018-07-26

Changed in evergreen:
milestone:	3.1.4 → 3.1.5

Revision history for this message

Bill Erickson (berick) wrote on 2018-08-22:

To confirm the overflow issue:

insert (or UPDATE) into actor.org_unit_setting (org_unit, name, value) values (1, 'auth.staff_timeout', '"30 days"');

[Note that any value above the integer overflow value results in setTimeout firing immediately. No math required, just make it a big value.]

Then log into the staff client with the browser console open. Note the flow of session retrieve calls. Once the patch is applied, it should only fire once a minute.

To confirm the 1-minute minimum after applying the patch, do the same as above using '"30 seconds"' as the value and confirm in the browser logs the session retrieve call only fires once per minute.

Revision history for this message

Jason Boyer (jboyer) wrote on 2018-08-22:

I came, I saw, I tested.

And it was fine. Signoff: http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jboyer/lp1774448-auth-poll-spam-signoff
working/user/jboyer/lp1774448-auth-poll-spam-signoff

Revision history for this message

Bill Erickson (berick) wrote on 2018-08-22:

Thanks, Jason! Merged to 3.0 and up.

Changed in evergreen:
assignee:	nobody → Bill Erickson (berick)
status:	Confirmed → Fix Committed
assignee:	Bill Erickson (berick) → nobody

Evergreen Bug Maintenance (bugmaster) on 2018-08-30

Changed in evergreen:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.