Feature #10674
open
Rename _session_id to _hostname_session_id
Description
When running multiple instances of Foreman via SSH tunnels (connecting to localhost), sessions do not play well together. Should be possible to do with Rails.application.config.session_options[:key].
Updated by Lukas Zapletal about 9 years ago
- Priority changed from Normal to Low
After discussion, it looks like to achieve this we need to make sure this is turned off by default as it can cause issues in clustered setups. We'd need to rename all our cookies as well in a similar pattern, which can be challenging.
It is possible to easily configure this behavior by changing this configuration file:
/usr/share/foreman/config/initializers/session_store.rb
Change this line
Foreman::Application.config.session_store :active_record_store, :secure => !!SETTINGS[:require_ssl]
to
require "socket"
hostname = Socket.gethostbyname(Socket.gethostname).first
Foreman::Application.config.session_store :active_record_store, :secure => !!SETTINGS[:require_ssl], :key => "_#{hostname}_session_id"
Updated by Ohad Levy about 9 years ago
Would we be able to use the foreman_url setting?
Updated by Lukas Zapletal about 9 years ago
Yes, that's not a problem. The issue is cookies. I don't think cookies support any kind of "prefixing".
Updated by Dominic Cleal about 9 years ago
Not in itself, but you'd have to update any code where we set cookies to also use the hostname too.
Updated by Lukas Zapletal about 9 years ago
Btw foreman_url is not good because the moment you change it via UI, you are signed off. I'd stick with hostname which is more stable. If there are no objections, I can make the patch introducing a new setting, ignoring cookies for now and warning the user in a comment.
Updated by Ohad Levy about 9 years ago
But hostname will break once you have an LB? Can we set up some other identifier to use?
Updated by Lukas Zapletal about 9 years ago
First of all, not all LB techniques kill this.
I don't see any other common id we could use. I suggest to turn this off when in LB mode.
Updated by Ohad Levy about 9 years ago
Lukas Zapletal wrote:
First of all, not all LB techniques kill this.
I don't see any other common id we could use. I suggest to turn this off when in LB mode.
Let's have the cookie name configurable; it can default to the hostname, but would not block LB deployments?
Updated by Tom Caspy about 9 years ago
hostname means that we won't be able to have foreman behind a load balancer, assuming hostnames are different (fair assumption)
I think cookie name should be in settings, but can be defaulted to hostname
it's okay if users get logged out when changing the setting in the UI, it's a one-time thing.
Updated by Ohad Levy about 9 years ago
Tom Caspy wrote:
it's okay if users get logged out when changing the setting in the UI, it's a one-time thing.
I tend to agree, if it's configurable and defaults to foreman_url imho it solves most of the issues?
Updated by Lukas Zapletal about 9 years ago
Foreman_url is not a good default IMHO for the reasons I explained above.
How about adding a new configuration option cluster_id and autogenerating it via our installer to some random value? For cluster deployments we can instruct the users to use the same value...
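The naming scheme this thread converges on (a configured identifier shared across a cluster, falling back to the hostname), as an added example that is not Foreman code. The helper names, the `settings` hash and the `cluster_id` key are assumptions taken from the proposal above, and the cookie jar is a simplified model of the browser rule that cookies are keyed by domain, path and name but not by port (RFC 6265, section 8.5).

```ruby
require "socket"

# Conservative subset of the characters RFC 6265 allows in a cookie name.
UNSAFE_IN_COOKIE_NAME = /[^A-Za-z0-9._-]/

# Hypothetical helper: derive the session cookie name from a configured
# cluster_id (assumed setting), else from the server's own hostname.
def session_cookie_key(settings, hostname: Socket.gethostname)
  id = settings[:cluster_id].to_s.strip
  id = hostname.to_s.strip if id.empty?
  id = id.downcase.gsub(UNSAFE_IN_COOKIE_NAME, "_")
  return "_session_id" if id.empty? # nothing usable: keep the stock name
  "_#{id}_session_id"
end

# Simplified browser cookie jar: the key is [domain, path, name].
# The port is deliberately absent, so localhost:8443 and localhost:9443
# (two SSH tunnels) write into the same slot when the names match.
def store_cookie(jar, domain, name, value)
  jar[[domain, "/", name]] = value
  jar
end

# Constructed scenario: each entry is the cookie name one tunnelled
# instance sets while the browser talks to "localhost".
def tunnel_demo(cookie_names)
  jar = {}
  cookie_names.each_with_index do |name, i|
    store_cookie(jar, "localhost", name, "session-of-instance-#{i}")
  end
  jar
end

if __FILE__ == $PROGRAM_NAME
  stock = tunnel_demo(%w[_session_id _session_id])
  puts "stock name: #{stock.size} cookie kept, #{stock.values.inspect}"

  hosts = %w[foreman-a.example.com foreman-b.example.com] # constructed
  named = tunnel_demo(hosts.map { |h| session_cookie_key({}, hostname: h) })
  puts "per-host names: #{named.size} cookies kept"

  shared = hosts.map { |h| session_cookie_key({ cluster_id: "prod-1" }, hostname: h) }
  puts "clustered nodes agree on name: #{shared.uniq.size == 1}"
end
```

Without a shared identifier, two nodes behind a load balancer compute different cookie names and stop recognising each other's sessions, which is the clustered-setup concern raised in the comments.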