Session changes in Mahara 15.04 can cause excessively large response headers
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mahara |
Fix Released
|
Critical
|
Aaron Wells | ||
15.04 |
Fix Released
|
Critical
|
Aaron Wells | ||
15.10 |
Fix Released
|
Critical
|
Aaron Wells |
Bug Description
For the new Ajax progress bar, Bug 1352028, we changed htdocs/
The downside to this approach, though, is that every time you call session_start(), PHP adds a new (duplicate) PHP_SESS_ID cookie to the request header. Since we open and close the session every time we call $SESSION->set() now, this can lead to a very large cookie header. (See https:/
On our hosting environment, these headers got too large and started causing our Nginx proxy server to throw errors while trying to initiate an MNet connection. This causes the proxy server to throw a 500 error, and to log an error like this:
2015/04/20 14:59:03 [error] 14845#0: *137093286 upstream sent too big header while reading response header from upstream, client: 2404:130:
tags: | added: needs-behat |
tags: | added: behat |
description: | updated |
tags: | removed: behat needs-behat |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
As a workaround, reverting the changes to htdocs/ auth/session. php corrects the problem:
git checkout 55a8deb8cb~ -- htdocs/ auth/session. php
This will cause the ajax status bar to not load properly, and it will cause the ajax block loader to load blocks in serial instead of in parallel, but otherwise it causes no problems. You can disable the ajax block loader by adding "$cfg-> ajaxifyblocks = false;" to your config.php file, which will turn off the ajax block loader and prevent that problem.
So far I have only noticed this problem popping up while doing an mnet connection, and only on our proxied hosting cluster (not on my local machine). It's possible that MNet sets a lot of session values, thus causing the problem to be worse than normal. It's also possible that our hosting cluster has tighter response header limitations than my local machine. However, the potential exists for this to cause problems in other areas and other hosting setups as well, so I've marked it "Critical".