Local session cache causing basic auth failures
Concerned version
Version: 2.0.7
Platform: Nginx
Summary
When using basic auth with a local session cache, basic auth will start to fail once a day for several minutes even though the backend authentication succeeds. It seems to be related to the local session cache keeping an expired session, and the local purge script cleans it up too late.
Logs
Feb 20 20:03:08 janus LLNG[15821]: [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] Get session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf from Handler::Main::Run
Feb 20 20:03:08 janus LLNG[15821]: [debug] Check session validity from Handler
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeout -> 72000
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session _utime -> 1582156801
Feb 20 20:03:08 janus LLNG[15821]: [debug] now -> 1582228988
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeoutActivityInterval -> 60
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session TTL = -187
Feb 20 20:03:08 janus LLNG[15821]: [info] Session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf expired
Backends used
LDAP is used for the authentication backend, and Redis is used as the session storage. The session cache was the file backend.
Possible fixes
If I manually delete the session from the file cache while the issue is happening, it is fixed. I have since disabled the session cache entirely, which has also fixed the issue.
(Just as a side note for anyone trying this: the manager interface did not allow an empty field, so I had to set an empty value in the config file manually.)
I'm not sure what a proper fix would be, but it seems that the basic auth handler could fall back to the main session database if it sees an expired entry and somehow refresh the expired session in the cache.
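An added example, not part of the original report and not LemonLDAP::NG code: a Python script that scans handler debug logs like those above for a session judged expired right after a successful REST authentication in the same worker process. The function and field names are hypothetical, and the TTL formula `_utime + timeout - now` is an assumption inferred from the logged numbers.

```python
import re

# Log lines copied from the report above (the wrapped "Get session" line is omitted).
SAMPLE = """\
Feb 20 20:03:08 janus LLNG[15821]: [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] Check session validity from Handler
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeout -> 72000
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session _utime -> 1582156801
Feb 20 20:03:08 janus LLNG[15821]: [debug] now -> 1582228988
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeoutActivityInterval -> 60
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session TTL = -187
Feb 20 20:03:08 janus LLNG[15821]: [info] Session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf expired
"""

LINE = re.compile(r"LLNG\[(?P<pid>\d+)\]: \[(?P<level>\w+)\] (?P<msg>.*)$")
FIELD = re.compile(r"^(?:Session )?(timeout|_utime|now|TTL) (?:->|=) (-?\d+)$")
EXPIRED = re.compile(r"^Session ([0-9a-f]+) expired$")
AUTH_OK = "Good REST authentication for "


def find_stale_cache_hits(lines):
    """Report sessions judged expired right after a good REST auth in the same worker."""
    state = {}  # worker pid -> values logged since its last successful authentication
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        ctx = state.get(pid)
        if m["level"] == "notice" and msg.startswith(AUTH_OK):
            state[pid] = {"user": msg[len(AUTH_OK):]}
        elif ctx is None:
            continue  # no successful authentication seen yet for this worker
        elif f := FIELD.match(msg):
            ctx[f[1]] = int(f[2])
        elif e := EXPIRED.match(msg):
            ttl = None
            if {"timeout", "_utime", "now"} <= ctx.keys():
                # Assumed formula; it reproduces the TTL the handler logged.
                ttl = ctx["_utime"] + ctx["timeout"] - ctx["now"]
            findings.append({"pid": pid, "user": ctx["user"], "session": e[1],
                             "ttl": ttl, "logged_ttl": ctx.get("TTL")})
            del state[pid]
    return findings


if __name__ == "__main__":
    for hit in find_stale_cache_hits(SAMPLE.splitlines()):
        print(hit)
```

Each finding pairs the authenticated user with the session ID and the recomputed TTL, so the daily failure window can be picked out of a full day of handler logs.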