Project

General

Profile

Support #2997

Token hash collision

Added by Евгений Илюшин about 8 years ago. Updated about 8 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
-
Start date:
04/25/2014
Due date:
% Done:

0%

Estimated time:

Description

Hi, in my server very often there is an exception "Wt: error during event handling: Token hash collision", after this query

select u."id", u."version", u."user_ref", u."password_hash", u."password_method", u."password_salt", u."status", u."failed_login_attempts", u."last_login_attempt", u."email", u."unverified_email", u."email_token", u."email_token_expires", u."email_token_role" from "auth_info" u join "auth_identity" i on u.id = i.auth_info_id where (i.provider = $1) and (i.identity = $2)
update "auth_info" set "version" = $1, "user_ref" = $2, "password_hash" = $3, "password_method" = $4, "password_salt" = $5, "status" = $6, "failed_login_attempts" = $7, "last_login_attempt" = $8, "email" = $9, "unverified_email" = $10, "email_token" = $11, "email_token_expires" = $12, "email_token_role" = $13 where "id" = $14 and "version" = $15
select count(1) from "auth_token"  where (value = $1)

This only happens when the "Remember me" is selected.

Afte clean table auth_token work excellent.

Sometimes I have to clean cookies.

How to avoid this error ?

#1

Updated by Koen Deforche about 8 years ago

  • Status changed from New to Feedback
  • Assignee set to Koen Deforche

Hey,

Either there's a programming error or the hashing function you are using is not well configured. What hashing function do you use and how long are the tokens that you allow? A hash collision should be extremely rare provided the hashing function and random generator are good and the tokens are sufficiently long? How many tokens do you have in the database when this occurs?

Regards,

koen

#2

Updated by Евгений Илюшин about 8 years ago

In auth_token more 50 records by authInfo id

I make this query to remove all old token after connect.

dbo::Transaction transaction(session_);
dbo::ptr<AuthInfo> authInfo = users_->find(login_.user());
session_.execute("delete from auth_token where auth_info_id = ? and id not in (select id from auth_token where auth_info_id = ? order by expires desc limit 1)").bind(authInfo.id()).bind(authInfo.id());

And now i do't have token collisions !

I think it's not the best resolve :)

#3

Updated by Евгений Илюшин about 8 years ago

Hi !

I got a new problem.

Users was saved session, open web page logged to another users !

How could this happen ?

#4

Updated by Koen Deforche about 8 years ago

Hey,

This all sounds suspect. I have no explanation for any of this, but what version of Wt are you using, in fact?

And what database?

Regards,

koen

#5

Updated by Евгений Илюшин about 8 years ago

Version from 28-11-2013 Wt-3.3.0-rc3

Database Postgre SQL 9.0.10

I got a reverse side this problem, after open web site, user sees a white page, in the log file had record "Wt: fatal error: Query: resultValue(): more than one result" if cleaned the cookies and press F5 web page will load normal.

#6

Updated by Koen Deforche about 8 years ago

Hey,

Wt version 3.3.0 indeed did not clean cookies, this has since been implemented (see #1763).

Nevertheless I would not expect to see these problems --- unless your cookie id's are really short?

Btw. Wt-3.3.0-rc3 is from April 2013, not November?

Regards,

koen

Also available in: Atom PDF