[Grok-dev] Strange session / security problem with Grok 0.14

Ivo van der Wijk vladdrac at gmail.com
Fri Jan 16 16:49:13 EST 2009


2009/1/16 Steve Schmechel <steveschmechel at yahoo.com>:

>
> To be fair to the Apache people the current Apache 2.2 mod_cache does work.
> I am not endorsing it as a solution here.  Just saying that the 2.0 mod_cache was a mess with Zope/Plone, but it was marked "experimental" all through the 2.0 time frame.  (I mostly saw problems with stale content after edits, rather than the authentication issues mentioned here.)
>
> The 2.2 version is not marked experimental and seems to do its job.
> I don't know enough about the alternatives to compare them.  I can just say that using it with mod_rewrite as a front-end to a Zope2 or Zope3 server instance now seems to work.
>
> http://httpd.apache.org/docs/2.2/caching.html
>

True, I didn't mean to say mod_cache 2.2 is bad because it was
experimental in 2.0 - it's just to illustrate my experience with
mod_cache in general. And it hasn't been around as long as Squid. But
then, neither has Varnish (well, at least as far as I know). But to
Varnish, caching is the main focus. For Apache, it isn't.

But I must say that I was unpleasantly surprised by the behaviour
mod_cache showed here.
Even though I didn't have full access to the Apache configuration,
caching cookies from responses and actually collecting them seems like
a really bad idea. This is an actual response I got back from
mod_cache at a certain point:

HTTP/1.1 200 OK
Date: Fri, 16 Jan 2009 10:49:46 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: zope3_cs_d41c971=hyc5aBDbE2KsX-00U5CuvycYASkB7LGrQuHUQoCihjTpddNXrTwXGM; Path=/;
Set-Cookie: zope3_cs_d41c971=w-HPYG-9JVPL78zoHI1sGG1XSWEGC8-kUh0YSeUSiGNFqsc6TZGJW4; Path=/;
Set-Cookie: zope3_cs_d41c971=U4AmJz.Xhu2pTNAVKUWkY77lmJYUo6TrOh.Y6pPFO9QFdhQA.6CfbY; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=W2KFGWrGkY-q3SUt5RrAyG7IruMwzAEjhul6sQEnlnD5MFiOt9xNh0; Path=/;
Set-Cookie: zope3_cs_d41c971=EHQCC5MznrYwfiMqxk1Fe2yG3gMMjz6hlm.XU7u.oNBZ8qKltEN7Tw; Path=/;

(and then 20 more like these!)

This, combined with the fact that Apache kept serving cached content
after a "CacheDisable /" configuration until the diskcache was
cleared.

And after asking around, most people don't seem to be very positive
about mod_cache as a caching solution. At least not in a Zope/Plone
context.

Regards

Ivo


-- 
Drs. I.R. van der Wijk / m3r Consultancy B.V.
Linux/Python/Zope/Plone and Open Source solutions
PO-box 51091, 1007 EB Amsterdam, The Netherlands
Email: ivo <at> m3r.nl Web: http://m3r.eu/
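
Added example, not part of the original message and not Grok, Zope or Apache code: a check to run on a captured response head for the symptom quoted above, where one response carries many Set-Cookie headers for the same session cookie. The function names and the sample response (with placeholder cookie values) are constructed for illustration.

```python
import re

def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response head, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    head = re.sub(r"\n[ \t]+", " ", head)        # unfold continuation lines
    headers = []
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_set_cookie(raw):
    """Report signs that a shared cache stored and replayed session cookies."""
    headers = parse_headers(raw)
    seen = {}                                    # cookie name -> values, in order
    for name, value in headers:
        if name == "set-cookie":
            cname, _, cvalue = value.split(";", 1)[0].partition("=")
            seen.setdefault(cname.strip(), []).append(cvalue.strip())
    # One response should set a given cookie once; repeats with different
    # values mean cookies issued for other requests were merged in.
    repeated = {c: (len(v), len(set(v))) for c, v in seen.items() if len(v) > 1}
    # private/no-store keep a response out of a shared cache and no-cache
    # forces revalidation; a Set-Cookie response with none of them is at risk.
    cc = " ".join(v.lower() for n, v in headers if n == "cache-control")
    unrestricted = bool(seen) and not re.search(r"\b(private|no-store|no-cache)\b", cc)
    return {"repeated": repeated, "cookie_unrestricted": unrestricted}

# Constructed sample modelled on the response quoted in the message.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 16 Jan 2009 10:49:46 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Set-Cookie: zope3_cs_d41c971=constructed-value-1;\r\n Path=/;\r\n"
    "Set-Cookie: zope3_cs_d41c971=constructed-value-2; Path=/;\r\n"
    "Set-Cookie: zope3_cs_d41c971=constructed-value-3; Path=/;\r\n"
    "Set-Cookie: zope3_cs_d41c971=constructed-value-3; Path=/;\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    # (total Set-Cookie headers, distinct values) per repeated cookie name
    print(audit_set_cookie(SAMPLE))
```
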

