Host Hopping Cookies

It started with a tweet on Saturday morning.

@MsIngalls: When I go to the Checklist in @Desire2Learn -when I am logged in – I get an error message that says my log in has expired – ideas? #d2l

This sounded like an issue we had in the WebCT Vista product that I called Failed Sessions. FSes occur when the user is actively working in the product and suddenly gets dumped to the login page. Not to be confused with Login Loop, which is providing the correct username and password but never getting a valid session. I hated working either issue because they were never repeatable. The problem could involve any piece of software that could somehow touch a cookie on the user’s computer. Occasionally they were the fault of Weblogic too.

I recommended Amy open a Desire2Learn ticket through our portal on behalf of the professor. I also started my own investigation.

First, I poked around in the logging database for errors involving checklist. I found different courses, not the one involved.

Second, I pulled out of our load balancer logs the id number for the course. That yielded plenty of data showing the problem.

These, I added to the ticket and suggested capturing the HTTP headers should the issue not be repeatable by others. Of course, the support agent was not able to repeat it. The headers clearly showed the cookies were not sent.

The professor of course poked holes all through my suggestions of tracking down which of the many pieces of software is involved. Different software, hardware, networks, and browsers meant the cause was probably not something residing on the computers. But the issue definitely was still that all of these browsers, in a wide variety of places, chose not to send the cookies. This is also when he dropped the next bomb: the problem only occurs on links in a specific widget.

Checking the code behind the widget, I only saw simple absolute URLs. Which made me shudder because earlier this week absolute URLs in the login page for a development site put me in production without me being aware for several minutes.

PSA: Only use absolute URLs when sending a visitor to another web server. Say you are here, at www.ezrasf.com and you want someone to see another of my blog entries. Drop http://www.ezrasf.com from the URL and start the path with / (a relative URL). Should I change the host name to blog.ezrasf.com or www.ezrafreelove.com, then the link has a better chance of working.

It turns out the problem is the professor used the pre-production host name for the web application. The widget’s absolute URL links used a different host name for production. Both resolve to the same servers. But cookies are tied to a specific host name. So being logged into one host and getting a link to the variant means the session is not valid at the variant.

At least the workaround and fix are easy.

The workaround for the professor is to stop using the pre-production URL.

The fix is for the widget designer to turn the absolute URLs to relative URLs since they point to same location.
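The failure and the fix can be reproduced with a small model of how a browser scopes cookies and resolves links. This is an added example, not code from Desire2Learn or the widget; the host names, paths and cookie name are constructed placeholders.

```javascript
// Added example. Host names, paths and the cookie name are constructed placeholders.
const PREPROD = "https://preprod.lms.example.edu";
const PROD = "https://lms.example.edu";

const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

class CookieJar {
  constructor() { this.cookies = []; }
  // A cookie set without a Domain attribute is host-only (RFC 6265, section 5.3):
  // it goes back only to the exact host that set it.
  set(fromUrl, name, value, domain = null) {
    const host = new URL(fromUrl).hostname;
    // A host may not set a cookie for a domain it does not belong to.
    if (domain !== null && !domainMatch(host, domain)) return false;
    this.cookies.push({ name, value, hostOnly: domain === null, domain: domain ?? host });
    return true;
  }
  // Build the Cookie header the browser would send to this URL.
  headerFor(url) {
    const host = new URL(url).hostname;
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Follow a widget link from the page the user is on.
// A relative href inherits the current host; an absolute href replaces it.
function followLink(jar, currentPage, href) {
  const target = new URL(href, currentPage).href;
  return { target, cookieHeader: jar.headerFor(target) };
}

function demo() {
  const jar = new CookieJar();
  const page = PREPROD + "/d2l/home";      // user logged in via the pre-production name
  jar.set(page, "session", "abc123");      // host-only session cookie
  return {
    absolute: followLink(jar, page, PROD + "/d2l/checklist"), // widget as written
    relative: followLink(jar, page, "/d2l/checklist"),        // widget after the fix
  };
}

console.log(demo());
```

The absolute link lands on the production host with an empty Cookie header, which the application reports as an expired login; the relative link stays on the host that holds the session.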

Also, it would be nice for a better error message than:

No Login

Either you have failed to login, or your login has expired.

First, the comma is bad grammar. Second, if I am a normal user who encounters this problem, then what can I do to fix it myself? This is not an error someone sees if their password or username are wrong. This is also not what a user normally sees when they are idle too long. But then again, there are lots and lots of potential causes and solutions.

Extending Gmail Addresses

Surprised I have not posted prior about this. Gmail allows one to use username+anything@gmail.com and have it delivered to username@gmail.com. Use it to sign up for web sites or things and filter later. Should this address be compromised, you can create a filter to delete anything sent through just that address.

Keep in mind…

    1. Though I would expect pretty good spammers or hackers to remove the +anything. 
    2. Some web sites use algorithms that consider these addresses not real.

So your results may vary.

DSID-0C090334

Working with our clients on LDAP configuration almost invariably starts with SSL certificates. Self-signed, intermediate, and take up a while. The two tools, OpenSSL and keytool, have become my friends. Working with a network admin for the client, I finally saw the legitimate certificate correctly signed by the intermediate certificate, not the self-signed. This means I finally saw this new error I have never before seen.

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, user@host.domain.tld:
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)

Research on the error code DSID-0C090334 led to indications the LDAP search username was incorrect. The Blackboard CE/Vista LDAP client lacks capabilities many clients have to make it easier to use such as searching deeper into a tree or across branches. In this case our clients configured the user as “cn=account”. We looked at other clients who had something like “cn=account,ou=group,dc=domain,dc=edu”. When presented with this discrepancy as likely a problem, the client suggested a path for us to try like the latter. I entered it, tried our test user.

It worked. They also confirmed it worked. Something to add to the wiki, I guess.

Report Just Usernames

Occasionally I’ll want to see the usernames who use something like a user-agent property or were doing something during a range of time. Rather than report all the log lines and pick them out of the data, I use this which Blackboard (or maybe BEA) added.

Note: we’ve added user-agents to the webserver.log. The double quote I use as my delimiter in the awk is from us adding the user-agent to the webserver logs. If you have not set up your logs to use this, then you’ll either need to do so or figure out which position is appropriate for you with a space delimiter. The colon in the second awk is where, just after the username, the log records the reads and writes to the database.

| awk -F\" '{print $3}' | awk -F\: '{print $1}' | sort | uniq

An example usage is a case that was escalated to me where a student had trouble taking an assessment. That student was, of course, using Internet Explorer 7, a web browser which prior to CE/Vista 8.0.4 was supported. Now it is not. (Could be likely this is the reason Blackboard stopped supporting it.) So I was curious how many users are still trying to use this browser.

Facebook Usernames

If you cannot find me, then you are not looking. If you search on Facebook for Ezra Freelove, then I am the only result at the moment. Maybe all you knew was Ezra and the city where I lived? Facebook search is not so great you could find me through my first name plus something else you knew about me (other than email or city). Probably this is for the best. We don’t want to make it too easy to stalk people, right?

Allowing users to make a username is a promotion. The blogosphere making a fuss over all this is Chicken Littleesque. Sure, Myspace, Twitter, and a number of other sites have addresses with usernames in them. No one is forcing people opposed to having one to make one. Only in the past month could one choose a username for one’s Google profile. Prior to that it was a hefty large number of numbers.

I think the reason some people prefer usernames comes down to elaborative encoding. To retain something in memory, we associate that something with existing items in memory. Short-term memory has only about 7 slots and digits are each a single item. Assuming a single incrementation per account created and over 200 million users, using numbers means there ought to be 9 digits worth of numbers to memorize. Words occupy a single slot in short-term memory, by far simplifying remembering. Which would you rather try to remember: 46202460 or ezrasf?

An argument against usernames comes down to using the memory of the Facebook database or other computer memory. Computer memory is better than human memory for stuff like this.

All of these work and go to the same place:

  1. http://www.facebook.com/profile.php?id=46202460
  2. http://www.facebook.com/ezrasf
  3. http://www.ezrasf.com/fb

Pick your poison. Enjoy.

Recap of Vista Stuff

It has been a hectic week. A recap…

Java certificate fix – Yesterday, August 23rd, the certificate distributed in various Java applets expired. The community discovered the issue and informed Blackboard who put out a fix for the more current products on August 15th. Many customers are leery of having such little lead time to test, verify, and install a fix. Well, Vista 3.0.7.17 was also reported to have the problem, but Blackboard didn’t provide a fix until the 20th after I got my TSM to verify it really still is a problem on the 18th. (The corrected 3.0.7.17.8 version was provided August 21st. Why is in the next paragraph.)

The fix for Vista 3 required us to be on 3.0.7.17.8 (hotfix 8 which we had not yet applied), had references to the “webctapp” directory (in Vista 3 it is applications), and distributed a webct.sh script to add updateWar which didn’t work with Vista 3. FAIL. Thankfully we have modified War files in the past, so adding the updates was more work and accomplished before Blackboard provided a corrected version.

To see the Java certificates in Windows: Control Panel > Java > Security > Certificates. The Blackboard ones are verified by Thawte (the Certificate Authority). The old one is issued to Blackboard. The new one is issued to dc.blackboard.com.

Vista 3.0.7.17.8 – This hotfix was released a couple weeks ago. However, since the priority has been the migration to Vista 8, this was on hold. The previous problem made us step up and throw this into production. The testers went to heroic efforts to get this and the certificate fix tested. Testing was mixed.

  1. Losing session cookie because of Office 2007 in Internet Explorer. Happened less often post fix, but still happens in some cases.
  2. Autosignon MAC2. Mode to allow insecure MAC works to give the one school using it time to correctly update their portal to use MAC2. Originally the plan was to let them work out MAC2 in test.

Slammed by our users…

  1. systemIntegrationApi.dowebct – The school using the autosignon wanted to have the correct consortiaId to create the MAC. Some time back in January they started calling this any time users tried to login because a handful (guess was ~12) have had their username changed. So the autosignon failed. Yes, they were sending us 25,000 requests in a busy day (about 20% of the queues were working on these during the day) to handle a potential 12 problems in a term. FAIL.
  2. pmSelfRegister.dowebct – One of the clusters started to have issues. Two nodes went crappy. I looked at the Weblogic console and found all of the failing nodes had no free spots in the queues. 90% of the queues were working on these. Much of this is because the requests were hanging around for at least 4800 seconds (an hour is 3600 seconds). At about 6000 seconds the cluster recovered when the queues cleared. I think the queues cleared because I changed to false a couple settings:
    • Allow users to register themselves as a Student in a section = false
    • Allow users to register themselves as an Auditor in a section = false

    As I recall, we only had about 22 queue spots open (out of 308) across the whole cluster. We got lucky.

Please verify the admin user and password

So, I got this error…

Unknown WebCT username or invalid password. Please verify the admin user and password in the IMS Settings.

I assumed the username and password were probably right. I had to find my error somewhere else.

The error turned out to be one missing character out of the 57 character long glcid. Totally my fault.

I wonder how long I would have spent dorking around with the password trying to get it to work and thinking I must be typing something wrong.

Confidentiality

A student wants Blackboard Vista to not reveal his or her last name. The student has already gone to the Registrar and gotten a confidentiality flag placed on the record. As I understand it, this flag in Banner is a FERPA protection to prevent the record from being provided to parties external to the university. It does not provide anonymity within the university. That electronic systems are being scrubbed of the student’s last name means something more than just confidentiality.

We only create new and not update from our student information system (SIS). So in general, the last name should not revert.

The instructor must know who the student is in order to correctly assign grades. If grades were automatically sent back to the SIS, then it would match the IMS id to what is in the SIS. The user name or any other name is immaterial and not a confounder to the process. Unfortunately, our faculty has to manually transfer the grades. Some rely on the WebCT id / username. Others rely on the first and last name. I guess without names, this latter group is going to have to deal with relying on the WebCT id.

Only username, first and last name, and role are populated into the grade book. So moving the last name to another name field (like other, prefix, or suffix) would not help.

The last name appears to be part of their scheme for creating usernames, so they will likely need to change the username if the point is to not let anyone know what it is. The school in question does not appear to populate their Vista user records with a school email address. So I don’t know if the same would need to be done with it as well.

Blackboard Vista 3.0.7 does have issues with renaming the last name. While many things are immediately updated (good), some things are not. This is not a comprehensive list.

  1. The last name in the grade book was not updated. Removing the user from the section and restoring it to the section changed the name to the correct one.
  2. The last name in discussions was not updated.

So while renaming the account is easy to do, not everything takes place as quickly as we would like.
