[pgAdmin4][RM3371] Ping endpoint still send a pg4a_session cookie 4+ messages / 2 participants [nested] [flat]
* [pgAdmin4][RM3371] Ping endpoint still send a pg4a_session cookie @ 2018-07-02 12:35 Aditya Toshniwal <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Aditya Toshniwal @ 2018-07-02 12:35 UTC (permalink / raw) To: pgadmin-hackers Hi Hackers, Attached is the patch for fixing RM3371 where /misc/ping service generate session file for each call and so cannot be used frequently. The patch is to skip session file generation and session caching for the URLs provided in SESSION_SKIP_PATH list config parameter. pg4a_session_cookie value will still be generated but nothing will be stored at the backend. Also, I have separated the garbage collection code in current ping service to a new url /misc/cleanup. /misc/ping will be purely for is alive check. Request you to kindly review. -- Thanks and Regards, Aditya Toshniwal Software Engineer | EnterpriseDB Software Solutions | Pune "Don't Complain about Heat, Plant a tree" Attachments: [application/octet-stream] RM3371.patch (7.3K, 3-RM3371.patch) download | inline diff: diff --git a/web/config.py b/web/config.py index a8a9ce01..128ad11b 100644 --- a/web/config.py +++ b/web/config.py @@ -391,3 +391,11 @@ if (SUPPORT_SSH_TUNNEL is True and ((sys.version_info[0] == 2 and sys.version_info[1] < 7) or (sys.version_info[0] == 3 and sys.version_info[1] < 4))): SUPPORT_SSH_TUNNEL = False + + +######################################################################### +# Skip session stroing in files and cache for paths +######################################################################### +SESSION_SKIP_PATHS = [ + '/misc/ping' +] diff --git a/web/pgadmin/__init__.py b/web/pgadmin/__init__.py index e4c9c484..5926559d 100644 --- a/web/pgadmin/__init__.py +++ b/web/pgadmin/__init__.py 
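Review bot: The comment above `SESSION_SKIP_PATHS` in web/config.py does not say how entries are matched, and the session managers in this patch compare them with `request.path.startswith(sp)`, so each entry is a prefix rather than an exact route. An entry such as `/misc` would therefore switch off session persistence for every URL under it, which is easy to do by accident in a config file. I would spell that out and fix the "stroing" typo, e.g. `# Skip session storing in files and cache for these paths. Entries are matched as prefixes of request.path, so keep them as specific as possible.`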
@@ -354,7 +354,9 @@ def create_app(app_name=None): # register custom unauthorised handler. app.login_manager.unauthorized_handler(pga_unauthorised) - app.session_interface = create_session_interface(app) + app.session_interface = create_session_interface( + app, config.SESSION_SKIP_PATHS + ) # Make the Session more secure against XSS & CSRF when running in web mode if config.SERVER_MODE: diff --git a/web/pgadmin/browser/static/js/browser.js b/web/pgadmin/browser/static/js/browser.js index b26738cf..d0efe468 100644 --- a/web/pgadmin/browser/static/js/browser.js +++ b/web/pgadmin/browser/static/js/browser.js @@ -490,7 +490,7 @@ define('pgadmin.browser', [ // Ping the server every 5 minutes setInterval(function() { $.ajax({ - url: url_for('misc.ping'), + url: url_for('misc.cleanup'), type:'POST', success: function() {}, error: function() {}, diff --git a/web/pgadmin/misc/__init__.py b/web/pgadmin/misc/__init__.py index 55e3fe73..ad4f9254 100644 --- a/web/pgadmin/misc/__init__.py +++ b/web/pgadmin/misc/__init__.py @@ -74,7 +74,7 @@ class MiscModule(PgAdminModule): Returns: list: a list of url endpoints exposed to the client. """ - return ['misc.ping', 'misc.index'] + return ['misc.ping', 'misc.index', 'misc.cleanup'] # Initialise the module @@ -92,14 +92,19 @@ def index(): ########################################################################## # A special URL used to "ping" the server ########################################################################## [email protected]("/ping", methods=('get', 'post')) [email protected]("/ping") def ping(): """Generate a "PING" response to indicate that the server is alive.""" - driver.ping() - return "PING" +# For Garbage Collecting closed connections [email protected]("/cleanup", methods=['POST']) +def cleanup(): + driver.ping() + return "" + + @blueprint.route("/explain/explain.js") def explain_js(): """ diff --git a/web/pgadmin/utils/session.py b/web/pgadmin/utils/session.py index 266f83b3..fa313e0a 100644 
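Review bot: The comment `// Ping the server every 5 minutes` above the timer in browser.js is stale now that the request goes to `misc.cleanup`; it should say what the call is for, e.g. `// Ask the server to release closed connections every 5 minutes`. The interval value and the rest of the `setInterval` call lie outside the hunk, so the "5 minutes" part is taken from the existing comment.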
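Review bot: `cleanup()` in web/pgadmin/misc/__init__.py is a state-changing endpoint added without a docstring, and nothing visible in the hunk shows that it requires a logged-in user, while `ping()` next to it is meant to be callable by anyone as a liveness check. Restricting it to POST is a good step; if only the browser timer calls it, gating the route on authentication would keep anonymous clients from triggering `driver.ping()` at will. Whether a login decorator or CSRF check is already applied elsewhere in the blueprint cannot be seen from here. A docstring such as `"""Release closed connections held by the driver; called periodically by the browser."""` would also record why the route exists.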
--- a/web/pgadmin/utils/session.py +++ b/web/pgadmin/utils/session.py @@ -102,10 +102,11 @@ class SessionManager(object): class CachingSessionManager(SessionManager): - def __init__(self, parent, num_to_store): + def __init__(self, parent, num_to_store, skip_paths=[]): self.parent = parent self.num_to_store = num_to_store self._cache = OrderedDict() + self.skip_paths = skip_paths def _normalize(self): if len(self._cache) > self.num_to_store: @@ -115,6 +116,12 @@ class CachingSessionManager(SessionManager): def new_session(self): session = self.parent.new_session() + + # Do not store the session if skip paths + for sp in self.skip_paths: + if request.path.startswith(sp): + return session + self._cache[session.sid] = session self._normalize() @@ -143,6 +150,11 @@ class CachingSessionManager(SessionManager): if not session: session = self.parent.get(sid, digest) + # Do not store the session if skip paths + for sp in self.skip_paths: + if request.path.startswith(sp): + return session + self._cache[sid] = session self._normalize() @@ -150,23 +162,31 @@ class CachingSessionManager(SessionManager): def put(self, session): self.parent.put(session) + + # Do not store the session if skip paths + for sp in self.skip_paths: + if request.path.startswith(sp): + return + if session.sid in self._cache: try: del self._cache[session.sid] except Exception: pass + self._cache[session.sid] = session self._normalize() class FileBackedSessionManager(SessionManager): - def __init__(self, path, secret, disk_write_delay): + def __init__(self, path, secret, disk_write_delay, skip_paths=[]): self.path = path self.secret = secret self.disk_write_delay = disk_write_delay if not os.path.exists(self.path): os.makedirs(self.path) + self.skip_paths = skip_paths def exists(self, sid): fname = os.path.join(self.path, sid) 
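Review bot: `skip_paths=[]` in `CachingSessionManager.__init__` is a mutable default that is then stored on the instance as `self.skip_paths`, so every manager built without the argument shares one list object; the same default is added to `FileBackedSessionManager.__init__` further down. Nothing in the patch mutates the list, so this is latent rather than live. `skip_paths=None` with `self.skip_paths = skip_paths or []`, or an immutable default `()`, removes the trap.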
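Review bot: The `for sp in self.skip_paths: if request.path.startswith(sp)` loop is pasted into `new_session`, `get` and `put` of `CachingSessionManager` and twice more in `FileBackedSessionManager`, and it treats each entry as a prefix, so `/misc/ping` also matches `/misc/pingX` and anything below it. A single helper would keep the five copies from drifting and give one place to tighten the match, for example `return any(request.path == sp or request.path.startswith(sp + '/') for sp in self.skip_paths)`. The remaining bodies of these methods are outside the hunks.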
@@ -185,6 +205,11 @@ class FileBackedSessionManager(SessionManager): sid = str(uuid4()) fname = os.path.join(self.path, sid) + # Do not store the session if skip paths + for sp in self.skip_paths: + if request.path.startswith(sp): + return ManagedSession(sid=sid) + # touch the file with open(fname, 'wb'): pass @@ -233,6 +258,12 @@ class FileBackedSessionManager(SessionManager): session.last_write = current_time session.force_write = False + + # Do not store the session if skip paths + for sp in self.skip_paths: + if request.path.startswith(sp): + return + fname = os.path.join(self.path, session.sid) with open(fname, 'wb') as f: dump( @@ -242,9 +273,8 @@ class FileBackedSessionManager(SessionManager): class ManagedSessionInterface(SessionInterface): - def __init__(self, manager, skip_paths, cookie_timedelta): + def __init__(self, manager, cookie_timedelta): self.manager = manager - self.skip_paths = skip_paths self.cookie_timedelta = cookie_timedelta def get_expiration_time(self, app, session): @@ -256,11 +286,6 @@ class ManagedSessionInterface(SessionInterface): cookie_val = request.cookies.get(app.session_cookie_name) if not cookie_val or '!' not in cookie_val: - # Don't bother creating a cookie for static resources - for sp in self.skip_paths: - if request.path.startswith(sp): - return None - return self.manager.new_session() sid, digest = cookie_val.split('!', 1) @@ -301,10 +326,12 @@ def create_session_interface(app, skip_paths=[]): FileBackedSessionManager( app.config['SESSION_DB_PATH'], app.config['SECRET_KEY'], - app.config.get('PGADMIN_SESSION_DISK_WRITE_DELAY', 10) + app.config.get('PGADMIN_SESSION_DISK_WRITE_DELAY', 10), + skip_paths ), - 1000 - ), skip_paths, + 1000, + skip_paths + ), datetime.timedelta(days=1)) ^ permalink raw reply [nested|flat] 4+ messages in thread
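Review bot: Returning `ManagedSession(sid=sid)` on a skipped path in `FileBackedSessionManager.new_session` hands out a session id that the store has no record of. What happens when a client later presents that id on a normal path depends on `get()` and `exists()`, which lie outside the hunk; it should be confirmed that an unknown id is replaced by a fresh session rather than adopted. `fname` is also computed before the check and unused on the early return, so the check could move above it.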
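Review bot: The skip check in the hunk at `-233,6 +258,12` returns after `session.last_write = current_time` and `session.force_write = False` have already run, so on a skipped path a session is marked as written although nothing reaches disk. For a logged-in browser whose cookie is sent to `/misc/ping`, that can postpone or drop a pending forced write of real session data. Moving the check to the top of the method, before the timestamps are touched, avoids this, e.g. `if any(request.path.startswith(sp) for sp in self.skip_paths): return`. The start of the method is outside the hunk, so the exact placement needs checking against the write-delay logic there.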
* Re: [pgAdmin4][RM3371] Ping endpoint still send a pg4a_session cookie @ 2018-07-02 14:59 Dave Page <[email protected]> parent: Aditya Toshniwal <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Dave Page @ 2018-07-02 14:59 UTC (permalink / raw) To: Aditya Toshniwal <[email protected]>; +Cc: pgadmin-hackers Hi I'm not in a position to test at the moment, but can you confirm this will work if the root of pgAdmin is at (for example) /pgadmin? So the actual root is /pgadmin/misc/ping ? On Mon, Jul 2, 2018 at 1:35 PM, Aditya Toshniwal < [email protected]> wrote: > Hi Hackers, > > Attached is the patch for fixing RM3371 where /misc/ping service generate > session file for each call and so cannot be used frequently. > The patch is to skip session file generation and session caching for the > URLs provided in SESSION_SKIP_PATH list config parameter. > pg4a_session_cookie value will still be generated but nothing will be > stored at the backend. > Also, I have separated the garbage collection code in current ping service > to a new url /misc/cleanup. /misc/ping will be purely for is alive check. > > Request you to kindly review. > > -- > Thanks and Regards, > Aditya Toshniwal > Software Engineer | EnterpriseDB Software Solutions | Pune > "Don't Complain about Heat, Plant a tree" > -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [pgAdmin4][RM3371] Ping endpoint still send a pg4a_session cookie @ 2018-07-04 05:38 Aditya Toshniwal <[email protected]> parent: Dave Page <[email protected]> 0 siblings, 1 reply; 4+ messages in thread From: Aditya Toshniwal @ 2018-07-04 05:38 UTC (permalink / raw) To: Dave Page <[email protected]>; +Cc: pgadmin-hackers Hi Dave, I tested with apache2 and it works fine. Below is the log: adityatoshniwal@ubuntu:~/.pgadmin/sessions$ ls -ltr total 0 adityatoshniwal@ubuntu:~/.pgadmin/sessions$ curl -vvv " http://pgadmin.local/pgadmin/misc/ping"; * Trying 127.0.0.1... * Connected to pgadmin.local (127.0.0.1) port 80 (#0) > GET /pgadmin/misc/ping HTTP/1.1 > Host: pgadmin.local > User-Agent: curl/7.47.0 > Accept: */* > < HTTP/1.1 200 OK < Date: Wed, 04 Jul 2018 05:36:37 GMT < Server: Apache/2.4.18 (Ubuntu) < Set-Cookie: pga4_session=d9ec42c2-7a9d-4e7a-abae-e510a7bee94e!7GpTdrxChvZaPCud1IZS4BdqwgU=; Expires=Thu, 05-Jul-2018 11:06:37 GMT; HttpOnly; Path=/ < Content-Length: 4 < Content-Type: text/html; charset=utf-8 < * Connection #0 to host pgadmin.local left intact PINGadityatoshniwal@ubuntu:~/.pgadmin/sessions$ ls -ltr total 0 adityatoshniwal@ubuntu:~/.pgadmin/sessions$ On Mon, Jul 2, 2018 at 8:29 PM, Dave Page <[email protected]> wrote: > Hi > > I'm not in a position to test at the moment, but can you confirm this will > work if the root of pgAdmin is at (for example) /pgadmin? So the actual > root is /pgadmin/misc/ping ? > > On Mon, Jul 2, 2018 at 1:35 PM, Aditya Toshniwal <aditya.toshniwal@ > enterprisedb.com> wrote: > >> Hi Hackers, >> >> Attached is the patch for fixing RM3371 where /misc/ping service generate >> session file for each call and so cannot be used frequently. >> The patch is to skip session file generation and session caching for the >> URLs provided in SESSION_SKIP_PATH list config parameter. >> pg4a_session_cookie value will still be generated but nothing will be >> stored at the backend. 
>> Also, I have separated the garbage collection code in current ping >> service to a new url /misc/cleanup. /misc/ping will be purely for is alive >> check. >> >> Request you to kindly review. >> >> -- >> Thanks and Regards, >> Aditya Toshniwal >> Software Engineer | EnterpriseDB Software Solutions | Pune >> "Don't Complain about Heat, Plant a tree" >> > > > > -- > Dave Page > Blog: http://pgsnake.blogspot.com > Twitter: @pgsnake > > EnterpriseDB UK: http://www.enterprisedb.com > The Enterprise PostgreSQL Company > -- Thanks and Regards, Aditya Toshniwal Software Engineer | EnterpriseDB Software Solutions | Pune "Don't Complain about Heat, Plant a tree" ^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: [pgAdmin4][RM3371] Ping endpoint still send a pg4a_session cookie @ 2018-07-05 10:12 Dave Page <[email protected]> parent: Aditya Toshniwal <[email protected]> 0 siblings, 0 replies; 4+ messages in thread From: Dave Page @ 2018-07-05 10:12 UTC (permalink / raw) To: Aditya Toshniwal <[email protected]>; +Cc: pgadmin-hackers Thanks, patch applied. On Wed, Jul 4, 2018 at 6:38 AM, Aditya Toshniwal < [email protected]> wrote: > Hi Dave, > > I tested with apache2 and it works fine. Below is the log: > > adityatoshniwal@ubuntu:~/.pgadmin/sessions$ ls -ltr > total 0 > adityatoshniwal@ubuntu:~/.pgadmin/sessions$ curl -vvv " > http://pgadmin.local/pgadmin/misc/ping"; > * Trying 127.0.0.1... > * Connected to pgadmin.local (127.0.0.1) port 80 (#0) > > GET /pgadmin/misc/ping HTTP/1.1 > > Host: pgadmin.local > > User-Agent: curl/7.47.0 > > Accept: */* > > > < HTTP/1.1 200 OK > < Date: Wed, 04 Jul 2018 05:36:37 GMT > < Server: Apache/2.4.18 (Ubuntu) > < Set-Cookie: pga4_session=d9ec42c2-7a9d-4e7a-abae-e510a7bee94e!7GpTdrxChvZaPCud1IZS4BdqwgU=; > Expires=Thu, 05-Jul-2018 11:06:37 GMT; HttpOnly; Path=/ > < Content-Length: 4 > < Content-Type: text/html; charset=utf-8 > < > * Connection #0 to host pgadmin.local left intact > PINGadityatoshniwal@ubuntu:~/.pgadmin/sessions$ ls -ltr > total 0 > adityatoshniwal@ubuntu:~/.pgadmin/sessions$ > > > On Mon, Jul 2, 2018 at 8:29 PM, Dave Page <[email protected]> wrote: > >> Hi >> >> I'm not in a position to test at the moment, but can you confirm this >> will work if the root of pgAdmin is at (for example) /pgadmin? So the >> actual root is /pgadmin/misc/ping ? >> >> On Mon, Jul 2, 2018 at 1:35 PM, Aditya Toshniwal < >> [email protected]> wrote: >> >>> Hi Hackers, >>> >>> Attached is the patch for fixing RM3371 where /misc/ping service >>> generate session file for each call and so cannot be used frequently. 
>>> The patch is to skip session file generation and session caching for the >>> URLs provided in SESSION_SKIP_PATH list config parameter. >>> pg4a_session_cookie value will still be generated but nothing will be >>> stored at the backend. >>> Also, I have separated the garbage collection code in current ping >>> service to a new url /misc/cleanup. /misc/ping will be purely for is alive >>> check. >>> >>> Request you to kindly review. >>> >>> -- >>> Thanks and Regards, >>> Aditya Toshniwal >>> Software Engineer | EnterpriseDB Software Solutions | Pune >>> "Don't Complain about Heat, Plant a tree" >>> >> >> >> >> -- >> Dave Page >> Blog: http://pgsnake.blogspot.com >> Twitter: @pgsnake >> >> EnterpriseDB UK: http://www.enterprisedb.com >> The Enterprise PostgreSQL Company >> > > > > -- > Thanks and Regards, > Aditya Toshniwal > Software Engineer | EnterpriseDB Software Solutions | Pune > "Don't Complain about Heat, Plant a tree" > -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company ^ permalink raw reply [nested|flat] 4+ messages in thread