#1 Hieronymus

    AJAX requests get null result after a while

    Hi,

    I have a website on which you can monitor units. Their status gets updated via AJAX requests every 30 s. After a while (about 2.5 to 3 hours) they get a null result. The CMS (CakePHP) doesn't appear to time out the session or something (which would be weird, since making the AJAX requests should keep it alive anyway), because navigating to another page after the failures doesn't prompt for a new login.

    My guess is that it has something to do with the server configuration. I have no idea where to look for this.
    I have a server with CentOS and Apache 2.2.8 with PHP 5.2.1 and MySQL.

    I'm running two tests at the moment to count the successful requests before failure (and the time).

    Hope you can help, because I'd like to put up this status view 24/7 on a big screen.
    What good are one-liners if they don't
    fit.

#2 Hieronymus

    Test results

    OK, this is annoying.
    One test failed at 475 requests (almost 4 hours) (one request every 30 sec).
    The second test failed at 447 requests (3.7 hours).

    Both users were logged out (had to login again if I switched pages after the failed requests)

    I thought it might have something to do with
    Max Requests Per Child: 4000 - Keep Alive: off - Max Per Connection: 100
    Timeouts Connection: 120 - Keep-Alive: 15

    but now I'm not sure. Are there any server settings that could kill sessions?

#3 dklynn
    Heir,



    It appears that you've correctly created your script to perform the required action - but it fails after a significant time. To me, that implies (with your login comment) that you are not specifying a time for your SESSION to keep alive (set it for one year).

    As for the server issues, it may be that you are making too many requests and not terminating the script on the server which is providing the updates to the display script. I would guess that you need to close the database connection and use an end(); statement to ensure that the child opened for the series of AJAX requests is released.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

#4 Hieronymus
    Hi,

    I've found the problem... somehow CakePHP does set a few php.ini settings, even if you configure it to use your php.ini settings. That way the default value of cookieTimeout (=0, 'on browser close') got set to 240*60, which is the 4 hours I found while testing. When the cookie dies, the session dies.
    Now, for a quick fix, I've added a CakeSession::renew() to the function that responds to the AJAX request. This works. But a better way would be to fix the thing in CakePHP itself.

    Are there any consequences of keeping the session alive with regard to server performance? Sessions now last for as long as users use this auto-update function + the 4 hours of the normal session...

#5 dklynn
    Hier,

    The consequences are known as Session Hijacking, i.e., someone could see the session data go by their router (or wi-fi) and capture the session data to gain access. A relatively short (shorter than 4 hours, indeed!) lifespan for the session data (refreshed as new requests are made, of course) would be in order.

    Regards,

    DK

#6 ServerStorm
    Chris Shiflett (a security expert) has a good article here on the dangers and approach to generate a token to protect the session so that longer session times are possible. You can find this article here: http://shiflett.org/articles/session-hijacking
    ictus==""

#7 dklynn
    SS,

    Thanks for that link! To carry one step further, there had been an article online (I don't remember where) about using a lot of the information provided by a browser to help "fingerprint" even further than Shiflett suggests - a little bit of paranoia can go a long way toward security!

    As a CEH (Certified Ethical Hacker), I'm aware of the techniques to hack into systems (in order to defeat them, of course) so spreading this knowledge about how to protect a system is important. THANK YOU for helping!

    Regards,

    DK

#8 ServerStorm
    Very neat, the CEH that is... a valuable service you provide indeed! I am very interested in that article that takes the technique further, so if I find it I'll add it to this thread. Of note, I also regenerate the session_id every time a user performs an important operation like logging in, changing profile info, accessing messages and downloading secure data. Any further insights or pointers to resources are very appreciated as I try to keep my code base up to a very high security standard, but not being dedicated to this on an everyday basis, it sounds like there are modern techniques that I am maybe not doing?

    Thanks,
    Steve

#9 dklynn
    SS,

    Frankly, the things that the CEH course taught scared the **** out of me! Hackers can use the weirdest things to break into systems just about anywhere. Have a look at http://www.backtrack-linux.org as the collection of "tools" is in one package (without instructions for obvious reasons).

    WinFingerprint (http://winfingerprint.sourceforge.net) can gather information about your computer (Date & Time, Disks, Event Log, Groups, NetBIOS Shares, Network Type, Null IPC$ Session, ICMP ping, Input Type, Patch Level, RPC Bindings, SNMP, Services, Sessions, TCP SYN Port scan, Traceroute, MAC Address, UDP Port scan, Users and Win32 OS Version).

    Other tools like Panopticlick (https://panopticlick.eff.org/) can gather browser information (including add-ons), thus, it is perfectly suited to validate SESSION submissions. My browser rendered:

    Your browser fingerprint appears to be unique among the 2,188,882 tested so far.

    Currently, we estimate that your browser has a fingerprint that conveys at least 21.06 bits of identifying information.

    ...

    It includes specifics about User Agent, HTTP_ACCEPT Headers, Browser Plugin Details, Time Zone, Screen Size and Color Depth, System Fonts, Are Cookies Enabled? and Limited supercookie test. If that's not enough information to verify a SESSION, I don't know what would be! Okay, it's gross overkill but it works to isolate my computer (browser).

    See their paper at https://panopticlick.eff.org/browser-uniqueness.pdf.

    Take a look at PanOptiClick's links as there is a wealth of information there!

    Pick and choose from the array of information to create a salt for a hash and you'll be able to identify a computer pretty easily - or verify the identity of a SESSION owner.

    Regards,

    DK
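The session handling discussed in #5, #6, #8 and #9 (a short idle lifetime refreshed by each request, a Shiflett-style token binding the session to the browser, and session id regeneration on login and other privilege changes), pulled together in one added example. This is not code from the thread or from CakePHP; it is plain PHP (7.3 or later, for the array form of session_set_cookie_params) that keeps the session data in an array so the checks can be exercised outside a live session. The timeout values, the `user`/`created`/`last`/`regen`/`fp` keys and the idea of calling touchSession() from the AJAX responder are assumptions for illustration.

```php
<?php
// Added example, not from the thread or from CakePHP.
// Assumptions: login state lives in the session array under 'user', the AJAX
// poll endpoint calls touchSession() on every request, and the server holds
// a secret used only for the fingerprint HMAC.

const IDLE_TIMEOUT   = 15 * 60;       // log out after 15 min without a request
const ABSOLUTE_LIMIT = 12 * 60 * 60;  // and after 12 h no matter how active
const REGEN_INTERVAL = 30 * 60;       // rotate the session id every 30 min

// Shiflett-style binding: HMAC the User-Agent with a server secret. A stolen
// cookie replayed from a browser with a different UA fails the comparison.
function sessionFingerprint(array $server, string $secret): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $secret);
}

// Start the PHP session with hardened cookie flags. The cookie itself is a
// browser-session cookie; lifetime is enforced server-side in touchSession().
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Called after a successful password check (and after any other privilege
// change): new id against fixation, fresh timers, fingerprint bound now.
function loginSession(array &$sess, array $server, string $secret, string $user, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $sess = [
        'user'    => $user,
        'created' => $now,
        'last'    => $now,
        'regen'   => $now,
        'fp'      => sessionFingerprint($server, $secret),
    ];
}

// Called by the AJAX responder on every poll. Returns true when the session is
// still valid (and refreshes its idle timer); on expiry or a fingerprint
// mismatch it empties the session data and returns false, and the caller
// should also call session_destroy() and answer 401.
function touchSession(array &$sess, array $server, string $secret, int $now): bool
{
    if (!isset($sess['user'], $sess['created'], $sess['last'], $sess['regen'], $sess['fp'])) {
        return false;
    }
    $expired  = ($now - $sess['last']) > IDLE_TIMEOUT
             || ($now - $sess['created']) > ABSOLUTE_LIMIT;
    $mismatch = !hash_equals($sess['fp'], sessionFingerprint($server, $secret));
    if ($expired || $mismatch) {
        $sess = [];
        return false;
    }
    $sess['last'] = $now;
    if (($now - $sess['regen']) > REGEN_INTERVAL) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);   // old id stops working immediately
        }
        $sess['regen'] = $now;
    }
    return true;
}
```

In a request handler the calls are startSecureSession(); touchSession($_SESSION, $_SERVER, $secret, time()); the 30-second poll keeps the idle timer fresh, so the original 4-hour cookie cliff disappears, but the absolute limit still ends the session, which is the right trade for an interactive login and the wrong one for a 24/7 wall display (see #15 for a cookieless alternative). The fingerprint deliberately covers only the User-Agent: a browser update forces one re-login, which is tolerable, whereas hashing plugins, fonts and screen size as in #9 logs users out on every such change and still does not stop an attacker who replays the same headers alongside the stolen cookie.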

#10 ServerStorm
    @dklynn ;

    That is awesome information, and yes it is a little scary; however we need to know this stuff so that we can best protect our users. I'm going to take some time working with these tools to see how I need to better secure applications.

    Thanks that rocked!

    Regards,
    Steve

#11 dklynn
    SS,

    In case you missed the PC World article (Browser Fingerprints: A Big Privacy Threat) and the Electronic Frontier Foundation's article (How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)).

    As I'm no longer on staff, do you believe this portion of the thread should be copied into a new thread elsewhere? I believe that it is very important to share this knowledge with others as there are privacy as well as security concerns which members should be aware of.

    Regards,

    DK

#12 ServerStorm
    Thank you for another informative link. I have addressed this with the staff as I also believe that it is an important topic.

    Regards,
    Steve

#13 dklynn
    SS,

    No worries, I found the "new" Web Security board.

    Regards,

    DK

#14 ServerStorm
    Yes... one of the Advisors featured this thread (We felt it was best to give the OP a chance to reply to our posting before moving this) and I asked if there was a way to cull your information from this post and keep it in a more permanent way. The book is still out on this.

    Glad you found the Security board!

    Regards,
    Steve

#15 (SitePoint Wizard)
    I have not done this, but if it's for "monitoring" then I'd think about using 2-way SSL authentication using a CA.

    http://social.msdn.microsoft.com/For...8-ec5f929de6c6

    Then you don't have to worry about session hijacking, and you never have to "login" to renew the session either. Again, I haven't done this on the browser side; I've done this for a Web Service.
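What the mutual-TLS suggestion in #15 looks like on the server side, as an added example that is not from the thread. It assumes Apache with mod_ssl configured with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at the private CA that issued the display's client certificate, and `SSLOptions +StdEnvVars` so the `SSL_CLIENT_*` variables reach PHP; the issuer and CN allow-list is constructed for illustration. Because identity comes from the certificate on every request, there is no cookie to hijack and no session to renew.

```php
<?php
// Added example, not from the thread. Maps a verified TLS client certificate
// to an application user on each request; no session cookie is involved.
// Assumed Apache config: SSLVerifyClient require, SSLCACertificateFile with
// the private monitoring CA, SSLOptions +StdEnvVars (mod_ssl exports the
// SSL_CLIENT_* variables used below).

// Constructed allow-list: issuer DN => [ subject CN => application user ].
// Pinning the issuer matters: a CN is only unique within one CA.
const ALLOWED_CLIENTS = [
    'CN=Monitoring CA,O=Example' => [
        'lobby-screen' => 'display',
        'ops-laptop'   => 'operator',
    ],
];

// Returns the application user for this request, or null when the request
// did not present a certificate that Apache verified and we recognise.
// $server is $_SERVER (passed in so the function can be exercised offline).
function userFromClientCert(array $server, array $allowed = ALLOWED_CLIENTS): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain validated
    // against the configured CA; NONE or FAILED:... means no usable cert.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    $cn     = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    return $allowed[$issuer][$cn] ?? null;
}

// Status endpoint: identify the caller from the certificate, then answer.
// Revocation (a lost laptop, a decommissioned screen) is handled by the
// CA's CRL via SSLCARevocationFile, not by application code.
function statusResponse(array $server, array $unitStatus): array
{
    $user = userFromClientCert($server);
    if ($user === null) {
        return ['code' => 403, 'body' => ['error' => 'client certificate required']];
    }
    return ['code' => 200, 'body' => ['user' => $user, 'units' => $unitStatus]];
}

// Usage from the AJAX endpoint:
//   $r = statusResponse($_SERVER, loadUnitStatus());   // loadUnitStatus(): your code
//   http_response_code($r['code']);
//   header('Content-Type: application/json');
//   echo json_encode($r['body']);
```

The browser side needs the client certificate installed once (a PKCS#12 bundle imported into the kiosk browser's certificate store); after that every poll authenticates itself, which is exactly what a 24/7 wall display wants. The DN string format mod_ssl exports depends on the `SSLUserName`/`LegacyDNStringFormat` settings, so check the actual `SSL_CLIENT_I_DN` value on your server before writing the allow-list.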
