Bug after a moment of inactivity


Fabien

Oct 28, 2009, 5:29:09 AM
to Clipperz
Hello !

I have installed the community edition on my server (Ubuntu 9.04).
The service works well, but after some inactivity (no card loaded)
about 10-15 minutes, I have the following message when I try to load a
card :

Clipperz.PM.Crypto.encryptingFunctions.versions[_a89] is undefined

I don't know where to start investigations ... (client, server ...).
I have the same problem under Windows (Firefox) and Linux.

Giulio Cesare Solaroli

Oct 28, 2009, 10:51:53 AM
to fabien....@gmail.com, Clipperz
Hello Fabien,

other users have reported this same problem, but I had no opportunity
to investigate it.
It is an excellent task for someone willing to contribute to the
community edition of the project. :)

Sorry for the trouble.

Best regards,

Giulio Cesare

Fabien Charlet

Oct 28, 2009, 12:48:27 PM
to Giulio Cesare Solaroli, Clipperz
I tried to get a look at the application code but Javascript is not my
cup of tea.

So reading the 30 000+ lines of uncommented and unformatted Javascript in
the index.html is just too hard a task for me.

But this bug doesn't appear with the official version of Clipperz, so
I hoped the problem could be easy to find.

The problem is very annoying (I need to relog every 10-15 minutes) and
I will just use the official version if it's not corrected.
--

Cordialement

Fabien CHARLET

Giulio Cesare Solaroli

Oct 28, 2009, 4:16:08 PM
to Fabien Charlet, Clipperz
Hello Fabien,

the problem is not in the Javascript code, but in the PHP end.

The server side fence of the service is much less code to deal with.
In case you would like to take a look at the Javascript code, instead
of looking at the index.html file, where all the scripts are packed
together, try loading index_debug.html.

The index_debug.html file will probably take much longer to load, but
you will be able to see each individual javascript file, with all the
code cleanly laid out, and with meaningful names for variables. There are
not many comments around the code (I try to describe everything within
the code, in order to avoid stale comments), but the code is quite
readable anyway.

In any case, the PHP side is still MUCH easier to deal with than the
Javascript part. :)

Hope this helps.

Regards,

Giulio Cesare

Johannes W

Sep 22, 2010, 8:45:02 PM
to Giulio Cesare Solaroli, Fabien Charlet, Ryan Michael, Clipperz
Hello Giulio.

I think I managed to find the cause of this error:

The failing JS code is in ./src/js/Clipperz/PM/Crypto.js:423
('deferredDecrypt'-function). The arguments "aValue" and "aVersion" are
undefined (i.e. not returned by the PHP backend), so the array index
fails.

The PHP backend fails because $_SESSION["K"] != $parameters["srpSharedSecret"]
in index.php:364. This can happen e.g. if you open two Clipperz sessions
in two browser tabs, or if the PHP session gets wiped out after
session.gc_maxlifetime (php.ini) seconds.

As a workaround, one can append the following lines to
./php/configuration.php (extends timeout to one day):

$sessdir = ini_get('session.save_path') . "/clipperz";
if (!is_dir($sessdir)) { mkdir($sessdir, 0700); }
ini_set('session.save_path', $sessdir);
ini_set('session.gc_maxlifetime', 86400);

Attention: Debian uses /etc/cron.d/php5 to wipe out old
session files, so one has to exclude the clipperz directory
or change gc_maxlifetime for all scripts globally in php.ini.

Maybe Clipperz could exit more gracefully in 'deferredDecrypt'
or a calling function in such a case (e.g. redirect to a
"Your Session has been expired" page).

Greetings,
Johannes

giulio...@gmail.com

Sep 23, 2010, 3:35:47 AM
to Johannes W, Fabien Charlet, Ryan Michael, Clipperz
Hello Johannes,

Clipperz already has a way to gracefully handle expired sessions.
Usually, when this happens, the client side code starts a new
authentication procedure and re-establishes a secure connection with the
server side application before carrying on with the required action.

What I suppose is failing in the Community edition, is the matching of
the session expired exception in the client code.

I suppose the text reported by the PHP code is somehow different from
what is reported by the Java code used for the main application, and this
will probably trigger the error in the Community Edition.

I will try to spot the exact check done on the client code in this
situation, so that we can compare with what the PHP code is returning.

I will get back to you as soon as I have more info.

Regards,

Giulio Cesare

giulio...@gmail.com

Sep 24, 2010, 4:25:02 AM
to Johannes W, Fabien Charlet, Ryan Michael, Clipperz
Hello,

I have just managed to take a closer look at the Javascript code that
handles the expired session exception.

The code is located in the src/js/Clipperz/PM/Connection.js file, at
lines 383-384.

The code looks for exceptions with the following descriptions:
- "Trying to communicate without an active connection"
- "No tollManager available for current session"

Clipperz Community edition does not support hashcash protection
(implemented by the tollManager class), so the only reasonable value
to return would be the "Trying to communicate without an active
connection" message.

Now I would need some help in sorting out how to return this error
message from the PHP code when a session is missing.

It may be just a matter of replacing line 694 of the src/php/index.php file
> $result["error"] = "Wrong shared secret!";

with:
$result["error"] = "Trying to communicate without an active connection";

Could anyone confirm that this patch will fix the problem?

Regards,

Giulio Cesare

Johannes W

Sep 24, 2010, 9:45:35 AM
to Clipperz
Hi Giulio,

I changed the error message (and the code does get executed), but the
'messageExceptionHandler' never gets called, although it is registered
in the 'sendMessage' function. How and when is the Errback-callback
executed?

Greetings,
Johannes

Josh

Nov 1, 2010, 7:54:58 PM
to Clipperz
On Sep 24, 9:45 am, Johannes W <devnull.googlegro...@molb.org> wrote:
> Hi Giulio,
>
> I changed the error message (and the code does get executed), but the
> 'messageExceptionHandler' never gets called, although it is registered
> in the 'sendMessage' function. How and when is the Errback-callback
> executed?
>
> Greetings,
> Johannes
>
<snip>

I think I've figured it out. The sendRemoteMessage function of
Proxy.PHP.js doesn't check the results like the live Clipperz version
does. By adding some code:


    deferredResult.addCallback(function (someValues) {
        if (someValues['results'] == 'EXCEPTION') {
            throw someValues['message'];
        }
        return someValues;
    })

You can get that function to throw an error. To make it find that you
need to update index.php with:

    $result["error"] = "Wrong shared secret!";
    $result["results"] = "EXCEPTION";
    $result["message"] = "Trying to communicate without an active connection";

This allowed me to resume a session by executing the SRP protocol
after removing the php session information from the server side.

Hope this helps,
-josh

PS: looking forward to signing the CLA so that some of my changes can
be incorporated :)
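
The recovery flow discussed in this thread, as an added example that is not part of the original posts or of the Clipperz code base: a transport that turns an EXCEPTION reply into a rejection, and a connection layer that re-authenticates and retries once when the message matches one of the two expired-session descriptions. It uses plain Promises instead of the Deferred object in the snippet above; `makeBackend`, `makeConnection`, the `K1`-style secrets and the `0.3` version string are constructed stand-ins.

```javascript
// Added example; every name except the two exception strings is hypothetical.
const EXPIRED = [
  'Trying to communicate without an active connection',
  'No tollManager available for current session',
];

// Constructed stand-in for the PHP backend: one session slot holding the shared secret.
function makeBackend() {
  let sessionK = null;
  let counter = 0;
  return {
    handshake() { sessionK = 'K' + (++counter); return sessionK; },
    wipeSession() { sessionK = null; },   // what session garbage collection does
    message(sharedSecret, cardId) {
      if (sessionK === null || sessionK !== sharedSecret) {
        // Reply shape from the thread: flag the failure instead of omitting the fields.
        return { error: 'Wrong shared secret!', results: 'EXCEPTION', message: EXPIRED[0] };
      }
      return { result: { value: 'ciphertext-for-' + cardId, version: '0.3' } };
    },
  };
}

// Transport with the result check: an EXCEPTION reply becomes a rejection,
// so the caller never sees a reply with undefined value/version.
async function sendRemoteMessage(backend, secret, cardId) {
  const reply = backend.message(secret, cardId);
  if (reply.results === 'EXCEPTION') throw new Error(reply.message);
  return reply.result;
}

// Connection layer: on a recognised expired-session error, log in again and retry once.
function makeConnection(backend) {
  const state = { secret: backend.handshake(), logins: 1 };
  async function sendMessage(cardId, retried = false) {
    try {
      return await sendRemoteMessage(backend, state.secret, cardId);
    } catch (err) {
      if (retried || !EXPIRED.includes(err.message)) throw err;
      state.secret = backend.handshake();   // stands in for re-running SRP
      state.logins += 1;
      return sendMessage(cardId, true);
    }
  }
  return { sendMessage, state };
}
```

The single-retry guard matters: if the backend keeps rejecting the fresh secret, the error surfaces to the caller instead of looping through authentication.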

giulio...@gmail.com

Nov 2, 2010, 4:30:03 AM
to jok...@gmail.com, Clipperz
Thanks Josh for the good catch.

I am trying to sort out a way to put the CLA on our web site, with
relative instructions on how to submit the requests.

By the way, the /gamma client code is using the same JSON transport
format the Community Edition is using, due to a vulnerability spotted
on the DWR implementation.

Cheers,

Giulio Cesare
