PowerDNS-Admin: Cannot log in with current cookies after long session.
I have set up the powerdns in runtime, after a while if I don’t delete the cookies I get the following errors:
[2023-03-12 14:52:54,305] [_internal.py:224] INFO - 10.0.0.1 - - [12/Mar/2023 14:52:54] "GET / HTTP/1.1" 500 -
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2091, in __call__
return self.wsgi_app(environ, start_response)
File "/usr/local/lib/python3.9/site-packages/werkzeug/middleware/proxy_fix.py", line 187, in __call__
return self.app(environ, start_response)
File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2076, in wsgi_app
response = self.handle_exception(e)
File "/usr/local/lib/python3.9/site-packages/flask/app.py", line 2072, in wsgi_app
ctx.push()
File "/usr/local/lib/python3.9/site-packages/flask/ctx.py", line 434, in push
self.session = session_interface.open_session(self.app, self.request)
File "/usr/local/lib/python3.9/site-packages/flask_session/sessions.py", line 535, in open_session
if saved_session and saved_session.expiry <= datetime.utcnow():
TypeError: '<=' not supported between instances of 'NoneType' and 'datetime.datetime'
[2023-03-12 14:52:54,576] [_internal.py:224] INFO - 10.0.0.1 - - [12/Mar/2023 14:52:54] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 304 -
[2023-03-12 14:52:54,579] [_internal.py:224] INFO - 10.0.0.1 - - [12/Mar/2023 14:52:54] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 304 -
[2023-03-12 14:52:55,591] [_internal.py:224] INFO - 10.0.0.1 - - [12/Mar/2023 14:52:55] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
[2023-03-12 14:52:55,664] [_internal.py:224] INFO - 10.0.0.1 - - [12/Mar/2023 14:52:55] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
This makes me unable to log in or access the DNS, the workaround I have found is either clearing all cookies or accessing in incognito.
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 25 (19 by maintainers)
I’m happy to report that some of the discussed and long known issues involving the flask-session dependency seem to have been solved in the latest update of 0.6.0 which I am testing in the dev branch now. https://github.com/PowerDNS-Admin/PowerDNS-Admin/pull/1748
It seems to me that this issue has been fixed with the MR #1461
The currently used flask-session has been prone to this error since 2017. According to the project issues, there are several complaints about the same issue and overall it’s related to how the application destroys the session. Also some concurrency has a part in this (multiple pod race condition). The currently maintained drop-in replacement flask-session2 has merged the fix to handle session data with NULL expire value, but not the root cause of avoiding inserting NULL values in the first place.
Somehow a query with insert NULL will be issued. I suspect a race condition with using session.clear() in PDA code.
I made a simple test by removing the excess line from the clear_session() function, by letting flask-session native logout_user() do all the session invalidation tricks. Fun fact - the sessions don’t get broken anymore. I can’t reproduce the situation any more, as all session entries in backend database have proper “not NULL” values.
I can’t say, what was the initial purpose of adding session.clear() to the PDA code. Maybe this breaks something in the other end, but using both, session.clear() and flask sessions logout_user(), isn’t a great combination. As in previous releases only the ‘filesystem’ session store was being used, the concurrency never triggered an issue. According to the issues of flask-session, it’s common to all centralized backends (sql, memcache, redis…).
EDIT: With this patch, I started to notice exactly the same error as in #552 (let the session time out e.g. 10 minutes and don’t close the browser tab, but just click any link in PDA).
[flask_seasurf.py:344] WARNING - Forbidden (CSRF token missing or incorrect.): /login
But as the 403 is resolvable with a simple reload, it’s a better solution than the entire application’s permanent 500.
On a side note … (don’t take me seriously though, I’m by far a Flask expert) … I looked into this issue a few days ago to see if I could get Flask-Session2 switched out and it required a newer version of Flask. Flask is pinned to 2.1.3 in requirements.txt, Flask-Session2 requires 2.2.2.
I then tried to update Flask to 2.2.2 but that appeared to break quite a number more things. We may need to update to Flask 2.2.2 to use Flask-Session2.
Here is the dependency issue output log on Ubuntu 22.04… (with just the Flask-Session2 change)
@tbe Did you clear the backend from stale “NULL” expiry sessions? The change to remove session.clear() doesn’t patch the TypeError occurring if the database contents are already bad. I cleared the database with the following and restarted PDA with patched powerdnsadmin/routes/index.py code.
This is a bug in Flask-Session: https://github.com/fengsp/flask-session/issues/151
But there is hope, https://github.com/christopherpickering/flask-session2 does not have the same issue, as it checks the session object before using it, and it should be a simple drop-in replacement @AzorianMatt
@MrGeneration I haven’t replicated the problem yet myself, but it’s starting to sound like it’s an issue directly tied to the changeover for session storage, which would make complete sense as it changed with this new release.
Ergo, after upgrading, all existing sessions would become invalid and likely lead to this kind of exception even though it should be more properly handled in the library.
Just wanted to say that I encountered the same issue in the following two scenarios:
Every time this issue appears, removing the site’s cookies is enough. The issue does not seem to occur when you’re logging out cleanly.
This was a migrated installation via docker with MariaDB backend.
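The NULL-expiry failure discussed in this thread, as an added example that is not part of the original issue and is not code from PowerDNS-Admin, Flask-Session or Flask-Session2. The `sessions` table, its columns and all function names are assumptions made for the example, and treating a NULL expiry as expired is this example's choice: it contrasts the comparison from the traceback with a check that fails closed, and shows a one-off clean-up of rows already stored with a NULL expiry.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2023, 3, 12, 14, 52, 54)  # fixed clock so the example is repeatable

def make_store():
    """Constructed session table: one valid, one expired, one NULL-expiry row."""
    db = sqlite3.connect(":memory:")
    # Table and column names are assumptions made for this example.
    db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, expiry TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", [
        ("valid", (NOW + timedelta(hours=1)).isoformat()),
        ("expired", (NOW - timedelta(hours=1)).isoformat()),
        ("broken", None),  # the stored state behind the TypeError in the traceback
    ])
    return db

def fetch_expiry(db, sid):
    """Return (found, expiry); expiry is None when the column is NULL."""
    row = db.execute(
        "SELECT expiry FROM sessions WHERE session_id = ?", (sid,)).fetchone()
    if row is None:
        return False, None
    expiry = datetime.fromisoformat(row[0]) if row[0] is not None else None
    return True, expiry

def open_session_unsafe(db, sid, now=NOW):
    """Same comparison as the traceback: raises TypeError on a NULL expiry."""
    found, expiry = fetch_expiry(db, sid)
    if found and expiry <= now:
        return None
    return sid if found else None

def open_session_safe(db, sid, now=NOW):
    """Treat a NULL expiry as expired and drop the row (fail closed)."""
    found, expiry = fetch_expiry(db, sid)
    if not found:
        return None
    if expiry is None or expiry <= now:
        db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))
        return None  # caller starts a fresh session instead of returning a 500
    return sid

def purge_null_expiry(db):
    """One-off clean-up of rows already stored with a NULL expiry."""
    return db.execute("DELETE FROM sessions WHERE expiry IS NULL").rowcount
```

Dropping the broken row on read means a stale cookie leads to a fresh login rather than a permanent error for that browser.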