Support #2997
openToken hash collision
Description
Hi, on my server there is very often an exception "Wt: error during event handling: Token hash collision", after these queries:
select u."id", u."version", u."user_ref", u."password_hash", u."password_method", u."password_salt", u."status", u."failed_login_attempts", u."last_login_attempt", u."email", u."unverified_email", u."email_token", u."email_token_expires", u."email_token_role" from "auth_info" u join "auth_identity" i on u.id = i.auth_info_id where (i.provider = $1) and (i.identity = $2)
update "auth_info" set "version" = $1, "user_ref" = $2, "password_hash" = $3, "password_method" = $4, "password_salt" = $5, "status" = $6, "failed_login_attempts" = $7, "last_login_attempt" = $8, "email" = $9, "unverified_email" = $10, "email_token" = $11, "email_token_expires" = $12, "email_token_role" = $13 where "id" = $14 and "version" = $15
select count(1) from "auth_token" where (value = $1)
This only happens when the "Remember me" is selected.
After cleaning the auth_token table, it works excellently.
Sometimes I have to clean cookies.
How to avoid this error?
Updated by Koen Deforche over 10 years ago
- Status changed from New to Feedback
- Assignee set to Koen Deforche
Hey,
Either there's a programming error or the hashing function you are using is not well configured. What hashing function do you use and how long are the tokens that you allow? A hash collision should be extremely rare provided the hashing function and random generator are good and the tokens are sufficiently long. How many tokens do you have in the database when this occurs?
Regards,
koen
Updated by Евгений Илюшин over 10 years ago
In auth_token there are more than 50 records per authInfo id.
I run this query to remove all old tokens after connecting.
dbo::Transaction transaction(session_);
dbo::ptr<AuthInfo> authInfo = users_->find(login_.user());
// Keep only the token with the latest expiry for this user; delete all others.
session_.execute("delete from auth_token where auth_info_id = ? and id not in (select id from auth_token where auth_info_id = ? order by expires desc limit 1)").bind(authInfo.id()).bind(authInfo.id());
And now I don't have token collisions!
I think it's not the best solution :)
Updated by Евгений Илюшин over 10 years ago
Hi!
I got a new problem.
Users who had a saved session open the web page and are logged in as other users!
How could this happen?
Updated by Koen Deforche over 10 years ago
Hey,
This all sounds suspect. I have no explanation for any of this, but what version of Wt are you using, in fact?
And what database?
Regards,
koen
Updated by Евгений Илюшин over 10 years ago
Version from 28-11-2013 Wt-3.3.0-rc3
Database: PostgreSQL 9.0.10
I got the reverse side of this problem: after opening the web site, the user sees a white page, and the log file has the record "Wt: fatal error: Query: resultValue(): more than one result". If the cookies are cleaned and F5 is pressed, the web page loads normally.
Updated by Koen Deforche over 10 years ago
Hey,
Wt version 3.3.0 indeed did not clean cookies, this has since been implemented (see #1763).
Nevertheless I would not expect to see these problems --- unless your cookie ids are really short?
Btw. Wt-3.3.0-rc3 is from April 2013, not November?
Regards,
koen
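The point raised in the replies above (a collision should be extremely rare with sufficiently long tokens, and is only plausible if the ids are really short) can be quantified with the birthday bound. This is an added example, not code from Wt or from either poster; the 62-character alphabet, the token counts and the function names are assumptions made for illustration, and tokens are assumed to be uniformly random.

```cpp
#include <cmath>
#include <cstdio>

// Bits of entropy in a token of `length` characters drawn uniformly from an
// alphabet of `alphabet` symbols (assumption: an ideal random generator).
double tokenBits(int length, int alphabet) {
    return length * std::log2(static_cast<double>(alphabet));
}

// Birthday bound: probability that at least two of `n` stored tokens share a
// value when each is uniform over 2^bits values, 1 - exp(-n(n-1)/2^(bits+1)).
// expm1 keeps very small probabilities from rounding to zero.
double collisionProbability(double n, double bits) {
    if (n < 2) return 0.0;
    double exponent = -(n * (n - 1.0)) / std::exp2(bits + 1.0);
    return -std::expm1(exponent);
}

// Shortest token length that keeps the collision probability for `n` stored
// tokens at or below `target`; -1 if not reached within 256 characters.
int minTokenLength(double n, int alphabet, double target) {
    for (int len = 1; len <= 256; ++len)
        if (collisionProbability(n, tokenBits(len, alphabet)) <= target)
            return len;
    return -1;
}

int main() {
    const int alphabet = 62;                 // assumed alphabet: [A-Za-z0-9]
    const double counts[] = {50, 1e4, 1e6};  // constructed table sizes
    const int lengths[] = {2, 4, 8, 16, 32}; // constructed token lengths
    for (double n : counts)
        for (int len : lengths)
            std::printf("tokens=%8.0f length=%2d p(collision)=%.3e\n", n, len,
                        collisionProbability(n, tokenBits(len, alphabet)));
    std::printf("min length for 1e6 tokens at p <= 1e-12: %d\n",
                minTokenLength(1e6, alphabet, 1e-12));
    return 0;
}
```

If the stored tokens are long and the collision still shows up with a few dozen rows, the bound points away from chance and toward the random generator, the hashing configuration, or duplicated rows.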