Topic on Project:Support desk

There seems to be a problem with your login session; This action has been canceled as a precaution against session hijacking. Please resubmit the form.

Guilherme bangemann (talkcontribs)

I'm getting this error when I try to log in to my account on my wiki.

In my LocalSettings.php:

$wgMainCacheType = CACHE_ACCEL;

$wgMemCachedServers = [];

$wgSessionCacheType = CACHE_DB;


I want to bind with my LDAP. LDAP is set up correctly. It works on other sites on my server.

I just need to use the LDAP extension, and it doesn't work!


LocalSettings.php:

wfLoadExtensions( [
        'PluggableAuth',
        'Auth_remoteuser',
        'LDAPProvider',
        'LDAPAuthentication2',
        'LDAPAuthorization',
        'LDAPUserInfo'
] );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'solis';
$LDAPAuthentication2UsernameNormalizer = 'solis';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_EnableLocalLogin = true;

 

$wgCookieSecure = false;

$wgShowExceptionDetails = true;



/var/www/wiki/extensions/LDAPProvider/docs/ldapprovider.json

{
        "solis": {
                "connection": {
                        "server": "ldapslave.solis.com.br",
                        "user": "cn=read-only-admin,dc=solis,dc=coop,dc=br",
                        "pass": "password",
                        "options": {
                                "LDAP_OPT_DEREF": 1
                        },
                        "basedn": "dc=solis,dc=coop,dc=br",
                        "groupbasedn": "dc=solis,dc=coop,dc=br",
                        "userbasedn": "dc=solis,dc=coop,dc=br",
                        "searchattribute": "uid",
                        "searchstring": "uid=guilherme_bangemann,dc=solis,dc=coop,dc=br",
                        "usernameattribute": "uid",
                        "realnameattribute": "cn",
                        "emailattribute": "mail"
                },
                "userinfo": {
                        "attributes-map": {
                                "email": "mail",
                                "realname": "cn",
                                "nickname": "uid",
                                "language": "preferredlanguage"
                        }
                },
                "groupsync": {
                        "mapping": {
                                "mathematicians": "ou=mathematicians,dc=solis,dc=coop,dc=br",
                                "scientists": "ou=scientists,dc=solis,dc=coop,dc=br"
                        }
                }
        }
}

MarkAHershberger (talkcontribs)
Osnard (talkcontribs)

What is 'solis'? This does not look like a valid value for $LDAPAuthorizationAutoAuthRemoteUserStringParser and $LDAPAuthentication2UsernameNormalizer.

Can you please post the output of $wgDebugLogFile?

Guilherme bangemann (talkcontribs)

I forgot:

And what's the directory for LogFile??

#$wgDebugLogFile = "/var/log/wiki/debug-{$wg}.log";

What do I need to put in ".../debug-{???}.log";?

Guilherme bangemann (talkcontribs)
Guilherme bangemann (talkcontribs)

$wgDebugLogFile @Osnard

A1exP (talkcontribs)

Hello,


Getting the same with LDAP stack on MW 1.31.

Was there a solution found for this?


Thanks,

Alex

Osnard (talkcontribs)

Unfortunately the debug log file does not contain hints. Have you tried using $wgMainCacheType = CACHE_DB; ?

A1exP (talkcontribs)

Yes, I have the below set

$wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB;

$wgMemCachedServers = [];


and at the end of the LocalSettings.php file

$wgCookieSecure = false;


In the browser, in the Cookie request header I can find

my_wiki_test51a2e67c_session=i6c1i83p0usojiifinlsvenrgc8liq4p


Full value:

Cookie:

experimentation_subject_id=IjAyZGQ2NzllLTA2MDAtNDlkNS04MzRhLTA4NDZjZTdkNjJlYSI%3D--b5c89d226c39b439cbfa6e7dc145c14ae8a548a0; consent=1; RIDC=undefined; RIDFPF=undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined-undefined; RIDSCR=undefined; _ga=GA1.2.1907998560.1576060652; my_wiki_testUserName=Root; my_wiki_test51a2e67c_session=i6c1i83p0usojiifinlsvenrgc8liq4p; UseDC=master; UseCDNCache=false


While in the objectcache table I find the keyname column with value

my_wiki_test:MWSession:i6c1i83p0usojiifinlsvenrgc8liq4p


"my_wiki_test" is the DB name


Below is what I get in the log file for this session

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[SQLBagOStuff] Connection 40421 will be used for SqlBagOStuff

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" is unsaved, marking dirty in constructor

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" save: dataDirty=1 metaDirty=1 forcePersist=0

[cookie] setcookie: "my_wiki_test51a2e67c_session", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cUserID", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cToken", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "forceHTTPS", "", "1544864578", "/", "", "", "1"

Unstubbing $wgParser on call of $wgParser::setHook from wfFileList

Parser: using preprocessor: Preprocessor_DOM

[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" force-persist due to persist()

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" save: dataDirty=0 metaDirty=1 forcePersist=1

[cookie] setcookie: "my_wiki_test51a2e67c_session", "i6c1i83p0usojiifinlsvenrgc8liq4p", "0", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cRemoteToken", "", "1578992578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cUserID", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cToken", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "forceHTTPS", "", "1544864578", "/", "", "", "1"

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" Taking over PHP session

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" save: dataDirty=0 metaDirty=1 forcePersist=1

[cookie] already set setcookie: "my_wiki_test51a2e67c_session", "i6c1i83p0usojiifinlsvenrgc8liq4p", "0", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cRemoteToken", "", "1578992578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cUserID", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "my_wiki_test51a2e67cToken", "", "1544864578", "/", "", "", "1"

[cookie] already deleted setcookie: "forceHTTPS", "", "1544864578", "/", "", "", "1"

Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct

QuickTemplate::__construct was called with no Config instance passed to it

[CryptRand] 0 bytes of randomness leftover in the buffer.

[CryptRand] 0 bytes of randomness leftover in the buffer.

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" data dirty due to dirty(): LoginSignupSpecialPage->getFakeTemplate/SpecialUserLogin->getToken/MediaWiki\Session\Session->getToken/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[GlobalTitleFail] MessageCache::parse called by array_map/AuthManagerSpecialPage::{closure}/Message->parse/Message->toString/Message->parseText/MessageCache->parse with no title set.

[GlobalTitleFail] MessageCache::parse called by array_map/AuthManagerSpecialPage::{closure}/Message->parse/Message->toString/Message->parseText/MessageCache->parse with no title set.

[session] SessionBackend "i6c1i83p0usojiifinlsvenrgc8liq4p" save: dataDirty=1 metaDirty=0 forcePersist=0

User::getBlockedStatus: checking...

MediaWiki::preOutputCommit: primary transaction round committed

MediaWiki::preOutputCommit: pre-send deferred updates completed

[DBReplication] Wikimedia\Rdbms\ChronologyProtector::shutdownLB: DB 'localhost' touched

MediaWiki::preOutputCommit: LBFactory shutdown completed

[cookie] setcookie: "UseDC", "master", "1576400589", "/", "", "", "1"

[cookie] setcookie: "UseCDNCache", "false", "1576400589", "/", "", "", "1"

Parser: using preprocessor: Preprocessor_DOM

OutputPage::sendCacheControl: private caching;  **

[runJobs] smw.propertyStatisticsRebuild SMW\SQLStore\Installer rootJobIsSelf=1 rootJobSignature=db42ba0748fde875c7dd60ebc4ffd96d265c3390 rootJobTimestamp=20191214200302 waitOnCommandLine=5 requestId=51e637999976d512e0f49bae (id=43,timestamp=20191214200701) STARTING

[runJobs] smw.propertyStatisticsRebuild SMW\SQLStore\Installer rootJobIsSelf=1 rootJobSignature=db42ba0748fde875c7dd60ebc4ffd96d265c3390 rootJobTimestamp=20191214200302 waitOnCommandLine=6 requestId=51e637999976d512e0f49bae (id=43,timestamp=20191214200701) t=9 good

Request ended normally

[session] Saving all sessions on shutdown

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "10.166.11.1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: SqlBagOStuff

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[caches] LocalisationCache: using store LCStoreDB

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "10.166.11.1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "10.166.11.1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: SqlBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "10.166.11.1",

    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36",

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

Guilherme bangemann (talkcontribs)

@A1exP Try to see this situation:

https://www.mediawiki.org/w/index.php?title=Topic:V7i1eb6u4f779tpx&topic_showPostId=v7lpokzmvn7m2d2l&fromnotif=1#flow-post-v7lpokzmvn7m2d2l

https://www.mediawiki.org/w/index.php?title=Topic:V7fstm646jz6rjt5&topic_showPostId=v7lqcjha6pgxmymi&fromnotif=1#flow-post-v7lqcjha6pgxmymi


It worked for me.


Maybe try executing this code:

sudo php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain (YOUR-DOMAIN) --username (YOUR-USER-TEST)

sudo php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain (YOUR-DOMAIN) --username (YOUR-USER-TEST)

sudo php extensions/LDAPProvider/maintenance/CheckLogin.php --domain (YOUR-DOMAIN) --username (YOUR-USER-TEST)


EXAMPLE:

sudo php extensions/LDAPProvider/maintenance/CheckLogin.php --domain solis --username guilherme_bangemann

A1exP (talkcontribs)

Hello,


The authentication is working.

[root@lnx-mediawiki kb-test.ipsosinteractive.com]# scl enable rh-php70 'php /opt/rh/httpd24/root/var/www/html/kb-test.ipsosinteractive.com/extensions/LDAPProvider/maintenance/CheckLogin.php --domain "*********" --username "*********"'

Password:*********

OK

[root@lnx-mediawiki kb-test.ipsosinteractive.com]#


My issue is that that portion of code doesn't seem to get executed due to the session error "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form."


Thanks,

Alex

Osnard (talkcontribs)

@A1exP So you are using "form based authentication" from Special:Login, right? You don't have Extension:Auth remoteuser or something similar installed, do you? From your Logs I can see, you are using SQLBagOfStuff to store the sessions. Have you tried increasing $wgObjectCacheSessionExpiry?

A1exP (talkcontribs)

Hello @Osnard,

I am using indeed Auth_remoteuser as part of the LDAP stack.

Tried increasing wgObjectCacheSessionExpiry to

$wgObjectCacheSessionExpiry = 86400;

But without any success


Below is what I have in LocalSettings.php


wfLoadExtensions([
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
]);

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_EnableLocalLogin = true;

$wgAuthRemoteuserUserName = function () {
    $user = '';
    if (isset($_SERVER['REMOTE_USER'])) {
        $user = strtolower($_SERVER['REMOTE_USER']);
    }
    return $user;
};

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'ipsosgroup' => [
            'connection' => [
                "server" => "*****",
                "user" => "*****",
                "pass" => "*****",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "*****",
                "groupbasedn" => "*****",
                "userbasedn" => "*****",
                //"searchstring" => "*****\\USER-NAME",
                "searchattribute" => "sAMAccountName",
                "usernameattribute" => "sAMAccountName",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            '*****'
                        ]
                    ]
                ]
            ],
            'userinfo' => [
                'attributes-map' => [
                    'email' => 'mail',
                    'realname' => 'cn'
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);
};


and at the bottom


$wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB;

$wgCookieSecure = false;

$wgCookieHttpOnly = false;

$wgMemCachedServers = [];

$wgObjectCacheSessionExpiry = 86400;


A1exP (talkcontribs)

Can you let me know in what file this check regarding the session is made so I can debug on my end?

Osnard (talkcontribs)
A1exP (talkcontribs)

These are different indeed.

I get from the log:


[authentication] Alex P Session token 17d9174fe04b1a3c8ff1a502a6971e1e5e05a92b+\

[authentication] Alex P Request token 3ae70f1c7c9c93858bd052e2e33e41bd5e05a926+\

[authentication] Alex P authform-wrongtoken


In the post I see indeed the request token

wpName: *****

wpPassword: *****

domain: *****

pluggableauthlogin: Log in with PluggableAuth

wpEditToken: +\

title: Special:UserLogin

authAction: login

force:

wpLoginToken: 3ae70f1c7c9c93858bd052e2e33e41bd5e05a926+\


I tried to log something from the getToken function which is used to get the session token for comparison, but somehow it's not appearing

   protected function getToken() {
       LoggerFactory::getInstance( 'authentication' )->warning('Alex P getToken call');
       return $this->getRequest()->getSession()->getToken( 'AuthManagerSpecialPage:'
           . $this->getName() );
   }
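
Added example, not part of the thread and not MediaWiki's own code: a Python model of a timestamped HMAC token, showing that two token strings rendered at different times differ even within one intact session, and what a validity check has to do instead: re-render the token at the submitted token's own timestamp. The HMAC-MD5 construction, the secrets and the salt are assumptions made for illustration; the two token strings are the ones quoted in the log above.

```python
import hashlib
import hmac
import re

# Token layout seen in the thread's log: 32 hex chars, hex timestamp, literal "+\".
TOKEN_RE = re.compile(r"([0-9a-f]{32})([0-9a-f]+)\+\\")


def split_token(token):
    """Return (mac_hex, issued_at_epoch), or None for a malformed/empty token."""
    m = TOKEN_RE.fullmatch(token)
    return (m.group(1), int(m.group(2), 16)) if m else None


def render_token(secret, salt, timestamp):
    """ASSUMED scheme: HMAC-MD5 keyed with the session secret over timestamp+salt."""
    mac = hmac.new(secret.encode(), f"{timestamp}{salt}".encode(), hashlib.md5)
    return f"{mac.hexdigest()}{timestamp:x}+\\"


def token_matches(secret, salt, submitted, now, max_age=None):
    """Validate by re-rendering at the submitted token's own timestamp."""
    parts = split_token(submitted)
    if parts is None:
        return False
    issued_at = parts[1]
    if max_age is not None and issued_at < now - max_age:
        return False  # expired
    return hmac.compare_digest(render_token(secret, salt, issued_at), submitted)


def compare_logged(session_token, request_token):
    """Say what two logged token strings can and cannot prove on their own."""
    s, r = split_token(session_token), split_token(request_token)
    if s is None or r is None:
        return {"verdict": "malformed"}
    gap = s[1] - r[1]
    if gap != 0:
        verdict = "inconclusive: rendered at different times, strings always differ"
    elif s[0] == r[0]:
        verdict = "same secret and salt"
    else:
        verdict = "different secret or salt"
    return {"gap_seconds": gap, "verdict": verdict}


if __name__ == "__main__":
    # Token strings quoted from the log in the post above.
    print(compare_logged("17d9174fe04b1a3c8ff1a502a6971e1e5e05a92b+\\",
                         "3ae70f1c7c9c93858bd052e2e33e41bd5e05a926+\\"))
    # Constructed secrets and salt: same session vs. a session replaced before the POST.
    form = render_token("secret-A", "login", 1577429286)
    print(token_matches("secret-A", "login", form, now=1577429291))  # session kept
    print(token_matches("secret-B", "login", form, now=1577429291))  # session lost
```

Under this model the logged pair only shows a 5-second gap between rendering the form and the POST. A failed match on a well-formed, fresh token means the session secret seen at POST time is not the one the form was rendered with.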


Osnard (talkcontribs)

Instead of LoggerFactory::getInstance( 'authentication' )->warning('Alex P getToken call');

try error_log( 'Alex P getToken call' ); or wfDebug( 'Alex P getToken call' );

