From Fedora Project Wiki

Revision as of 15:01, 11 April 2016 by Puiterwijk (talk | contribs) (Created page with "= Nuancier login issue = == Description == When voting for the supplementary wallpapers for Fedora 24, people would hit a Method Not Allowed message on submitting their votes...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Nuancier login issue

Description

When voting for the supplementary wallpapers for Fedora 24, people would hit a Method Not Allowed message on submitting their votes.

When the issue presented itself

At the start of the Fedora 24 supplementary wallpaper voting.

When it recovered (or got fixed)

At 14:50 UTC, with deploying a varnish configuration update.

Root cause

Varnish and Nuancier not playing nicely together. To make sure we cache as many pages as possible, we clear request cookies before passing them from Varnish to the backend application servers for static file endpoints. This means that even though the browser sends a cookie to Varnish, Varnish drops the cookie. This means that it sees less changes between requests, and it recognize that it can cache this specific request.

The problem here is that the backend sees no cookie coming in, which meant that it issued a new cookie. Because this new cookie had the same domain/path/name combination as the existing, logged in, session cookie, it overwrote the cookie in the browser. This means that on submission, the browser sent an "empty" cookie, resulting in an OpenID authentication. Because the user was recently logged in, this happened in the background, but during that process the submitted votes got lost with the transfer from a POST to a GET request.

The updated configuration sets a variable inside Varnish that it cleared the request cookies, so that it makes sure to also clears the response cookies, to prevent overwriting the logged in cookie.

Service Owners

Follow-up steps

The current Varnish config clears the response cookies in vcl_deliver. This means that it still sees cookies when it decides whether to cache the result, and as such will not cache it. This clearing should be moved to vcl_backend_response. The problem here is that req. is not available while in this context. This needs further looking into.