[Building Sakai] access/.../WebServlet.setSession question in Sakai 2.4.x
Stephen Swinsburg
s.swinsburg at lancaster.ac.uk
Sat Mar 7 01:10:51 PST 2009
Hi Casey,
Can't help you with your problem sorry but regarding finding a recent
session with the matching ID then re-establishing it, this could be a
security concern as one could attempt to guess/modify a session ID and
be logged in as someone else. I guess that is possible now, someone
could attempt to guess their session, but if they have timed out, as
far as I know, they aren't revived so it's ok.
cheers,
Steve
---
Steve Swinsburg
Portal Systems Developer
Centre for e-Science
Lancaster University
Lancaster
LA1 4YT
email: s.swinsburg at lancaster.ac.uk
phone: +44 (0) 1524 594870
On 07/03/2009, at 6:51 AM, Casey Dunn wrote:
> Hi folks.
>
> Ive got quick question about the access WebServlet code. This is not
> about Sakai being less than accurate about users AuthN during access
> to the WebServlet front end to the Content Hosting system.
>
> This email is about Session Migration.
>
> background: I've a situation where occasionally the LB / FW we have
> in front of Sakai will renegotiate a SSL session. When it does so it
> _may_ send the session to a new LBed Sakai server. ( background
> music: "SSL renogiation and IP spoofing" )
>
> When the request ends up at the new server the Sakai session is
> invalid. "Who the heck are you?" is the essential response.
>
> This is because the Sakai 2.4.x sessions are not viable across a
> pool of Sakai servers.
>
> I am considering making the WebServlet setSession code, well, should
> it fail, dig into the SAKAI_SESSION table and see if there has
> recently been, somewhere, a session with the same ID. the Session
> code will only WARN if a duplicate Sakai Session Id is re-used. A
> specific factor is that my client dumps the SAKAI_SESSION (etc)
> table daily... so say we all!
>
> If there has been a viable session I would then establish a new
> session on the new server for the purpose of pushing in the upload.
> I might establish this server's session with the same darn ID, and
> then refresh the Auth group stuff blah blah blah for this ride into
> sakai.
>
> Has anyone tried this yet?
>
> TIA,
> Casey
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org
> with a subject of "unsubscribe"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20090307/1f500e67/attachment-0001.html
More information about the sakai-dev
mailing list