SuspiciousOperation: User tampered with session cookie

[Patrick .J. Anderson]

I installed Ubuntu Dapper today and got django set up.

I restred a Django application I was working on previously and when I
tried to login to the admin section, I received this error:

Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/django/core/handlers/base.py" in
get_response
74. response = callback(request, *callback_args, **callback_kwargs)
File
"/usr/lib/python2.4/site-packages/django/views/generic/date_based.py" in
archive_index
39. }, context_processors)
File "/usr/lib/python2.4/site-packages/django/template/context.py" in
__init__
97. self.update(processor(request))
File
"/usr/lib/python2.4/site-packages/django/core/context_processors.py" in auth
17. return {
File
"/usr/lib/python2.4/site-packages/django/contrib/auth/middleware.py" in
__get__
9. user_id = request.session[SESSION_KEY]
File
"/usr/lib/python2.4/site-packages/django/contrib/sessions/middleware.py"
in __getitem__
18. return self._session[key]
File
"/usr/lib/python2.4/site-packages/django/contrib/sessions/middleware.py"
in _get_session
57. self._session_cache = s.get_decoded()
File
"/usr/lib/python2.4/site-packages/django/contrib/sessions/models.py" in
get_decoded
55. raise SuspiciousOperation, "User tampered with session cookie."

SuspiciousOperation at /iblog/
User tampered with session cookie.

What exactly is the meaning of this and what would cause this error?
Apache virtual host settings, insufficient or misconfigured file
permissions?

It seems it has something to do with Apache configuration, becuase I
don't have that problem when I run Django development web server

[ska...@gmail.com]

Did your domain change?

I have seen this error when I was working on myDomainOne and then
started the same app under myDomainTwo.

[Patrick J. Anderson]

Hmm, I haven't changed domains. I simply took my previous setup on
Fedora Core 5 with apache+mod_python and put it on Ubuntu Dapper with
apache+mod_python.

I've heard that the problem might be related to md5 hashing (someone
just recently posted it here in the groups with the same error
message). I looked at the django code and that where that error message
is thrown and it seemed to confirm that, but I don't know why this
happens.

Could there be a bug with mod_python? I simply don't know, but would
appreciate someone more experienced looking into it.

[Joseph Kocherhans]

On 6/27/06, Patrick J. Anderson <pat.j.a...@gmail.com> wrote:
>
> I've heard that the problem might be related to md5 hashing (someone
> just recently posted it here in the groups with the same error
> message).

I suspect that it is. I've run into the same problem when I
inadvertently changed the SECRET_KEY setting.

Joseph

[Nikolaus Schlemm]

> I've heard that the problem might be related to md5 hashing (someone
> just recently posted it here in the groups with the same error
> message). I looked at the django code and that where that error message
> is thrown and it seemed to confirm that, but I don't know why this
> happens.

simply try generating the reference hashes provided at the end of the md5
rfc[1] within a django-view - if they are not calculated correctly, you might
want to switch from md5 to sha for a quick workaround and possibly follow the
thread on the modpy mailinglist[2].

another solution might be something along the lines of the patch I posted
earlier[3] - but of course, I don't know whether or when this will make it in
into django ;)

[1] http://www.ietf.org/rfc/rfc1321.txt
[2] http://modpython.org/pipermail/mod_python/2006-June/021482.html
[3]
http://groups.google.com/group/django-users/browse_thread/thread/eeb44c894342d6f7/4b951b6d3a8644dd
--
cheers,

Nikl

[csdu...@gmail.com]

Clear the cookies in your browser and the problem will go away.

[Nikolaus Schlemm]

Am Dienstag, 27. Juni 2006 19:25 schrieb csdu...@gmail.com:
> Clear the cookies in your browser and the problem will go away.

unfortunately that won't solve this problem - possibly another one ;)
--
cheers,

Nikl

[Patrick .J. Anderson]

csdu...@gmail.com wrote:
> Clear the cookies in your browser and the problem will go away.
>
>
> >
>

clearing the cookies doesn't help (I guess you answered that one).

hmm, i don't know exactly what to do here, as I haven't tampered with
anything. I'll try to recreate the project (extra work, but maybe it'll
work)

[Patrick .J. Anderson]

I recreated the project using django-admin.py (of course, I restored my
models and database), but still experience this behaviour and error
messsages when I try to log in to admin section. Weird, as everything I
have in my settings.py file is new and I obviously haven't tampered with
the session.

If this is a problem with mod_python in Ubuntu, I'll have to switch back
to FC5 where things 'worked'.

[Jacob Kaplan-Moss]

Hi Patrick --

What happens when you clear out your sessions table?

FYI, there's nothing about Ubuntu versus mod_python that would/could
cause this (I use both).

Jacob

[Patrick .J. Anderson]

Hmm, I don't want to modify the framework code and start creating this
sort of workarounds since I use django-trunk...

I guess I'll have to wait until this problem is resolved, though I
thought Django was for developers with deadlines :)

Well, this makes me a little cautious in using the framework for my web
development. Sad, 'cause I liked it. But I'll dig for more info and try
to find a solution

[Patrick .J. Anderson]

I cleared the session table and tried to login using my
apache/mod_python virtual host setup. This is the session_key I get:

000000000abcebfdaff71c28a368d8bd

When I log in using the development server, I can login successfully and
the session_key I see is:

6b668c51d7d4fddd89c14e14e0569417

These are obviously very different, particularly the 0s in the beginning
of the session_key from mod_python.

[Malcolm Tredinnick]

One common thing that I noticed between your current problem (which
looks a lot like Nikolaus Shlemm's md5 sum problem) and the original
problem Nikolaus demonstrated on the mod_python list is that you are
both using a reasonably recent Ubuntu installation. No idea why that
will contribute (or even if it is a differentiating factor), but it's
something to note.

Malcolm

[Patrick .J. Anderson]

Hi, Malcolm

Yes, I noticed that too. Perhaps it would be good if I tested this
behaviour on another distro, but I don't want to resetup my development
machine again. Maybe someone with a distro other than Ubuntu Dapper
could compare the session_keys in django_sessions table with mod_python
as well as builtin server, and see if this is also happening.

Patrick

[Patrick J. Anderson]

On Tue, 27 Jun 2006 23:30:56 -0500, Patrick .J. Anderson wrote:

> Malcolm Tredinnick wrote:
>> [quoted text muted]

>
> Hi, Malcolm
>
> Yes, I noticed that too. Perhaps it would be good if I tested this
> behaviour on another distro, but I don't want to resetup my development
> machine again. Maybe someone with a distro other than Ubuntu Dapper
> could compare the session_keys in django_sessions table with mod_python
> as well as builtin server, and see if this is also happening.
>
> Patrick
>
>
>

Well, I reinstalled Fedora Core 5 and setup django-trunk. There is no
problem with FC5, so I suspect that there's something wrong with Ubuntu
Dapper here.

Here's my session_key after logging into admin using mod_python:

21d78b3bd4da4a79bd7f02c038c0707d

[tone77]

On Ubuntu Dapper php5 seems to be the culprit. If you disable php5
(sudo a2dismod php5) you will discover that mod_python suddenly starts
calculating md5 properly and this bug will disappear.

A bug report has been filed with Ubuntu, so hopefully they will fix it
soon.
https://launchpad.net/distros/ubuntu/+source/libapache2-mod-python/+bug/54135

cheers,
Anton

[Tom Davis]

Although old, I'd like to point out that at least in my case this
wasn't a Dapper + PHP5 issue, it was a Deb + PHP5 issue, so the problem
seems to lie with the PHP5/Django pairing.