REST session server is too intolerant of clock drift
Concerned version
Version: 2.0
Summary
When using Apache::Session::REST, the client and server use a secret key to authenticate communication.
The current check goes something like this:
    if ( my $s = delete $infos->{__secret} ) {
        my $t;
        # $t is the timestamp the proxy encrypted with the shared secret;
        # it is only accepted if it falls in the 15 s before the backend's clock
        if (    $t = $self->conf->{cipher}->decrypt($s)
            and $t <= time
            and $t > time - 15 )
        {
            $force = 1;
        }
        else {
            $self->userLogger->error('Bad key, force denied');
        }
    }
So, session storage will only work if t(backend) - 15 < t(proxy) < t(backend).
So, if the proxy is just one little second ahead of the backend, you will end up with a lot of "Bad key, force denied"
in the logs and sessions will no longer be stored in the backend.
Backends used
REST portal server + Apache::Session::REST
Possible fixes
I suggest changing the code slightly to give more leeway:
            and $t <= time + 15
            and $t > time - 15 )
Any objections @guimard @clement_oudot ?
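To make the effect of the window concrete, here is an added example (not code from LemonLDAP::NG) that models the freshness test applied to the decrypted timestamp and sweeps the proxy-minus-backend clock offsets each variant accepts; the window tuples and the fixed backend time are constructed for the demonstration.

```python
# Model of the __secret freshness check in Apache::Session::REST, written
# for this issue as a stand-alone illustration (not the project's own code).
# A window is (seconds accepted in the past, seconds accepted in the future).
CURRENT_WINDOW = (15, 0)    # current check: `$t <= time and $t > time - 15`
PROPOSED_WINDOW = (15, 15)  # proposed fix: `$t <= time + 15 and $t > time - 15`


def key_is_fresh(t, now, window):
    """Return True if timestamp `t` (as encrypted by the proxy) is accepted
    by a backend whose clock reads `now`, mirroring the Perl condition."""
    past, future = window
    return t <= now + future and t > now - past


def accepted_drifts(window, limit=30):
    """List the whole-second offsets (proxy clock minus backend clock) that
    pass the check, scanning -limit..+limit around a constructed fixed time."""
    now = 1_700_000_000  # constructed backend time, so results are deterministic
    return [d for d in range(-limit, limit + 1) if key_is_fresh(now + d, now, window)]


if __name__ == "__main__":
    for name, window in (("current", CURRENT_WINDOW), ("proposed", PROPOSED_WINDOW)):
        drifts = accepted_drifts(window)
        # The accepted span is also how long a captured __secret stays replayable.
        print(f"{name}: proxy may run from {-drifts[0]}s behind to "
              f"{drifts[-1]}s ahead of the backend ({len(drifts)}s span)")
```

The current check rejects a proxy that is even 1 s ahead, while the proposed one accepts up to 15 s ahead; note the accepted span, not just its position, grows, which is the trade-off against replay of a captured key.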