WeBWorK Problems

Session/cookie issue: users are getting logged in as other users!

by Tony Box -
Number of replies: 10
So this is a super weird issue that just started happening. No updates have been made to the server (well... I did temporarily start a cron job that deleted outdated image files as described here http://webwork.maa.org/wiki/Clean_Out_Temporary_Files but this issue was present previous to that)

Occasionally, when a student or faculty member logs in to Webwork, they'll notice they are actually logged in as a different user! Then, when they try to log out, they get an error:

[/webwork2/MTH201H-F15/HH_Precalc1/7/] cookieUser = manninje19 and paramUser = banobi19 are different. at /opt/webwork/webwork2/lib/WeBWorK.pm line 307.\n * in Carp::croak called at line 350 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::get_credentials called at line 300 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::do_verify called at line 217 of /opt/webwork/webwork2/lib/WeBWorK/Authen.pm\n * in WeBWorK::Authen::verify called at line 307 of /opt/webwork/webwork2/lib/WeBWorK.pm, referer: https://ourschoolurl/webwork2/MTH201H-F15/HH_Precalc1/7/

Other times this was posted in these forums, the issue was related to SSO/integration with moodle. We don't currently have that integration piece--we only have LDAP auth set up.

What could possibly be causing this? It's obviously a serious issue!

Thanks,
Tony
In reply to Tony Box

Re: Session/cookie issue: users are getting logged in as other users!

by Tony Box -
Okay a clarification--and it makes this even weirder--is that you don't even have to log in to WebWork to get logged in as another user.

You simply have to click a link or go to our webwork URL and you will get logged in as someone automatically (the plain-ol URL with nothing attached to the end).

Is there anywhere in WebWork that caches session cookies? Could it be a load-balancer caching issue? We haven't changed anything on the infrastructure-side of things so I don't know why this would suddenly start happening this semester.
In reply to Tony Box

Re: Session/cookie issue: users are getting logged in as other users!

by Michael Gage -
If you don't explicitly log out of WeBWorK then the login cookies may remain active on your computer. This is a feature -- it allows you to log back in quickly if you close the window and go away for a few minutes. (I believe that cookies are only created if you click "remember me" on the login page -- but I haven't tested that.)

In any case that is why the login page is skipped and you go immediately to the course.

If you then try to log in to the course as a different user (without logging out from the old course) then there is a conflict between the cookie information and the information you enter for login ('the parameter information'), hence the second message. This attempt to verify that the user information is consistent has caused more headaches than it was worth so it will likely be gone in release 2.11 which is coming out shortly. (It requires a one line change in Authen.pm.)

The workaround is easy and annoying, but not obvious. Either remove cookies, or quit the browser and restart it; in most cases (and I think all cases) that will remove the cookies and allow you to log in.

Whether the behavior with respect to allowing cookies should be changed is up for discussion. The feature has been present for a long time (over 10 years) but I think for parts of that time the cookies didn't automatically log one in as they were supposed to due to a separate software bug.

-- Mike

In reply to Michael Gage

Re: Session/cookie issue: users are getting logged in as other users!

by Tony Box -
Mike,

Thanks a ton for the reply.

The reason this problem is so serious is because this is happening to people on different computers from independent locations. One person may be at home on their personal computer, then open up their webwork page and click on a course to find they are logged in as a different user.

We just cleared out the cache on our load balancer in hopes that it may have been the culprit. I'll report back if that seems to have fixed the issue.

-Tony
In reply to Tony Box

Re: Session/cookie issue: users are getting logged in as other users!

by Michael Gage -
The problem might be different than what I diagnosed.  If it's the cookie problem that I thought it was then quitting the browser and restarting (or using another browser) should resolve the issue.  If it doesn't then this is some new phenomenon.


In reply to Tony Box

Re: Session/cookie issue: users are getting logged in as other users!

by Danny Glin -
It sounds like your analysis is correct.  Since this is happening on non-shared computers, something on the server side is caching cookies, and serving old cookies to users.

Since this is the first we've heard of this, my guess is that it is not WeBWorK itself.  Have you checked to see if any settings were changed on the load balancer?  Particularly, if additional caching was enabled.

You mentioned clearing the cache on your load balancer.  If the load balancer is configured to cache pages, then clearing the cache might not be enough, since it will just start caching again with a new set of cookies.  You will likely have to disable the caching, at least for this type of file.

Danny
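The failure mode discussed above (a load balancer storing a response that carries a session cookie and replaying it to other users) can be checked from the client side by inspecting response headers. The following is an added example, not part of the original thread and not WeBWorK code; the header samples and the cookie name `session` are constructed for illustration, and the check is a heuristic based on standard HTTP caching headers.

```python
# Added example: flag responses that a shared cache (load balancer or
# reverse proxy) should never store or replay. All sample data is constructed.

def parse_cache_control(value):
    """Return the set of lower-cased Cache-Control directive names."""
    return {part.split("=", 1)[0].strip().lower()
            for part in value.split(",") if part.strip()}

def audit_response(headers):
    """headers: list of (name, value) pairs as received by the client.
    Returns a list of findings; an empty list means nothing suspicious."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    findings = []
    if "set-cookie" not in seen:
        return findings  # no cookie issued, nothing user-specific to leak
    directives = set()
    for value in seen.get("cache-control", []):
        directives |= parse_cache_control(value)
    # A response that issues a session cookie should keep shared caches out.
    if not directives & {"private", "no-store"}:
        findings.append("Set-Cookie without Cache-Control: private or no-store")
    # A positive Age means an intermediary served this from its cache, so the
    # cookie was issued to whoever made the original request.
    age = seen.get("age", ["0"])[0].strip()
    if age.isdigit() and int(age) > 0:
        findings.append("Set-Cookie replayed from cache (Age: %s)" % age)
    return findings

# Constructed samples: a correctly marked login response, a login response
# replayed by a caching load balancer, and a cached static asset.
SAFE = [("Set-Cookie", "session=constructed-a; Path=/webwork2; Secure; HttpOnly"),
        ("Cache-Control", "private, no-store")]
REPLAYED = [("Set-Cookie", "session=constructed-b; Path=/webwork2"),
            ("Cache-Control", "max-age=300"),
            ("Age", "42")]
STATIC = [("Cache-Control", "public, max-age=86400"), ("Age", "120")]

if __name__ == "__main__":
    for label, sample in (("safe", SAFE), ("replayed", REPLAYED), ("static", STATIC)):
        print(label, audit_response(sample))
```

Running the same check against headers captured from behind and in front of the load balancer shows whether the cache or the application is the component attaching the stale cookie.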
In reply to Danny Glin

Re: Session/cookie issue: users are getting logged in as other users!

by Tony Box -
Yep--to confirm all of our suspicions, it was the Load Balancer. We disabled the caching and it seems to be working normally again.

It was unfortunate that someone had to change the settings on the load balancer without telling anyone...
In reply to Michael Gage

Re: Session/cookie issue: users are getting logged in as other users!

by Björn Bergstrand -
We would really appreciate an option to at least disable the cookie behaviour. Several of our instructors use different accounts to access webwork courses due to the way the moodle bridge creates users.
In reply to Björn Bergstrand

Re: Session/cookie issue: users are getting logged in as other users!

by Michael Gage -
By the way -- have you had a chance to try out the new moodle quiz bridge to WeBWorK? I need feedback from regular moodle users. :-)

http://michaelgage.blogspot.com/2015/06/using-webwork-questions-in-moodle.html
In reply to Michael Gage

Re: Session/cookie issue: users are getting logged in as other users!

by Björn Bergstrand -
Thanks for the reply!

The new bridge looks really good, I'll make sure to install it on our test systems asap!