  1. Moodle
  2. MDL-72670

$CFG->enable_read_only_sessions_debug produces false positives


Details

    • MOODLE_311_STABLE
    • MOODLE_311_STABLE
    • MDL-72670-311
    • MDL-72670-master

      Prerequisites

      1. The "sessionbreaker" admin tool installed:
        • git clone git@github.com:catalyst/moodle-tool_sessionbreaker.git admin/tool/sessionbreaker
          php admin/cli/upgrade.php
          

      2. A Redis cache store mapped to the session cache (see the testing instructions of MDL-68608 and MDL-58018 for information on how to do that)
      3. Begin tailing your error logs: tail -f /var/log/apache2/error.log (or other relevant location)

      Test debugging functionality

      1. Open the session mutation test script by browsing to [YOURMOODLE]/admin/tool/sessionbreaker/mutate_session_directly.php
      2. Refresh your browser a few times
      3. Verify no errors relating to the session are in the error log
      4. In config.php add: $CFG->enable_read_only_sessions_debug = true;
      5. Refresh your browser
      6. Verify you see the following in the error log: Script /path/to/mutate_session_directly.php defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->myvar
      7. Take note of the value the test page tells you it is attempting to set the SESSION variable to (NB you should write the value down somewhere as you need to recall it in the next steps)
      8. Refresh the page in your browser
      9. Verify you see the following in the error log: Script /path/to/mutate_session_directly.php defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->myvar
      10. Verify that the test page reports that the current value of the session is what it was attempting to set it to in the previous step
      11. Edit the mutate_session_directly.php script, commenting out define('READ_ONLY_SESSION', true)
      12. Refresh the page in your browser
      13. Verify no errors relating to the session are in the error log and that the values are being correctly written to SESSION (by refreshing a few times and noting the values attempting to be written)

      Test real functionality

      1. Uncomment the define('READ_ONLY_SESSION', true) in the mutate_session_directly.php script
      2. Comment out $CFG->enable_read_only_sessions_debug = true; in config.php and set $CFG->enable_read_only_sessions = true;
      3. Refresh your browser
      4. Verify you see the following in the error log: Script /path/to/mutate_session_directly.php defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->myvar
      5. Take note of the current value in SESSION
      6. Refresh the page a few more times, verify the error keeps occurring and that the current value in SESSION does not change (this is because read only sessions are properly turned on now)
      7. Edit the mutate_session_directly.php script, commenting out define('READ_ONLY_SESSION', true)
      8. Refresh the page in your browser
      9. Verify no errors relating to the session are in the error log and that the values are being correctly written to SESSION (by refreshing a few times and noting the values attempting to be written)

      Test webservices that restart the session with a lock

      Debugging functionality

      1. Remove $CFG->enable_read_only_sessions = true; and $CFG->enable_read_only_sessions_debug = true; from config.php
      2. Browse to: [YOUR MOODLE]/admin/tool/sessionbreaker/mutate_session_via_webservice.php
      3. Refresh your browser a few times
      4. Verify no errors relating to the session are in the error log (however there will be some messages about the current value of the SESSION and an attempt to set the value in SESSION)
      5. Add $CFG->enable_read_only_sessions_debug = true;
      6. Refresh the page
      7. Verify you see the following in the error log "Current value in session: [*VALUE 1*]. Attempting to change it to: [*VALUE 2*]" as well as "Script [YOUR MOODLE]/lib/ajax/service.php?sesskey=[BLAH]&info=tool_sessionbreaker_mutate_session defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->something"
      8. Refresh the page
      9. Verify you see the following in the error log "Current value in session: [*VALUE 2*]. Attempting to change it to: [*VALUE 3*]" as well as "Script [YOUR MOODLE]/lib/ajax/service.php?sesskey=[BLAH]&info=tool_sessionbreaker_mutate_session defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->something"
        • NB this is similar to what we did before. Make sure to check that the new value of the session is what the previous step attempted to set it to.
      10. Edit admin/tool/sessionbreaker/db/services.php commenting out 'readonlysession' => true
      11. Refresh the page
      12. Verify you see the following in the error log "Current value in session: [*VALUE 1*]. Attempting to change it to: [*VALUE 2*]" and no errors relating to the SESSION changing
      13. Refresh the page
      14. Verify you see the following in the error log "Current value in session: [*VALUE 2*]. Attempting to change it to: [*VALUE 3*]" and no errors relating to the SESSION changing
      15. Refresh a few more times and ensure values are getting written to the SESSION correctly

      Read only mode

      1. Uncomment 'readonlysession' => true in admin/tool/sessionbreaker/db/services.php
      2. Comment out $CFG->enable_read_only_sessions_debug in config.php and set $CFG->enable_read_only_sessions = true;
      3. Refresh the page
      4. Verify that you see "Current value in session: [*VALUE 1*]. Attempting to change it to: [*VALUE 2*]" as well as "Script [YOUR MOODLE]/lib/ajax/service.php?sesskey=[BLAH]&info=local_readwriteservicetest_mutate_session defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->something"
      5. Refresh the page
      6. Verify that you see "Current value in session: [*VALUE 1*]. Attempting to change it to: [*VALUE 3*]" as well as "Script [YOUR MOODLE]/lib/ajax/service.php?sesskey=[BLAH]&info=local_readwriteservicetest_mutate_session defined READ_ONLY_SESSION but the following SESSION attributes were changed: $SESSION->something"
        • NB In this case be sure to check that after the second refresh the value in SESSION has not changed
      7. Edit the local/readwriteservicetest/db/services.php, commenting out 'readonlysession' => true
      8. Refresh the page in your browser
      9. Verify no errors relating to the session are in the error log and that the values are being correctly written to SESSION (by refreshing a few times and noting the values attempting to be written)

      Bonus

      • Enable both $CFG->enable_read_only_sessions_debug and $CFG->enable_read_only_sessions and ensure the behaviour is consistent with the second set of tests.
      • Test that adding/removing define('READ_ONLY_SESSION', true) has no effect when $CFG->enable_read_only_sessions_debug and $CFG->enable_read_only_sessions are both not enabled
      • Test that adding/removing 'readonlysession' => true has no effect when $CFG->enable_read_only_sessions_debug and $CFG->enable_read_only_sessions are both not enabled
      • Try setting $CFG->enable_read_only_sessions_debug and $CFG->enable_read_only_sessions to various combinations of false and ensure behaviour is consistent.

    Description

      The purpose of the $CFG->enable_read_only_sessions_debug is to produce identical error messages to $CFG->enable_read_only_sessions, without enabling read only sessions. The idea being to turn on enable_read_only_sessions_debug on a large prod site, identify issues, fix them, and build some confidence that read only sessions can safely be enabled.

      To reproduce simply add $CFG->enable_read_only_sessions_debug to config.php and create a test script:

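      <?php

      // Minimal reproduction: note that READ_ONLY_SESSION is never defined here.
      require_once('config.php');

      global $SESSION;

      // An ordinary session write, which should not be reported.
      $SESSION->myvar = 'asdf';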
      

      Save, tail your error log and then load the script. Nothing will show in the error log. Now modify the script, setting the value of $SESSION->myvar to 'asdfasdf'. Save and refresh; you will see an error in the log. This is a false positive, as the error should only trigger when the script defines READ_ONLY_SESSION as true.
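
The behaviour the description and the test steps expect, written out as a small stand-alone PHP model (an added example, not code from Moodle or the sessionbreaker plugin; the function name, array keys and script path are hypothetical). The rows with debug=1 and declared=0 are the false positive reported here and should log nothing.

```php
<?php
// Added illustration: a stand-alone model of the expected behaviour, not Moodle's session code.
// Function and array key names are hypothetical.

/**
 * @param array  $cfg      ['readonly' => bool, 'debug' => bool], standing in for the two $CFG flags
 * @param bool   $declared true if the script ran define('READ_ONLY_SESSION', true)
 * @param array  $before   session data loaded at request start
 * @param array  $after    session data at request end
 * @param string $script   script path used in the log message
 * @return array [session data that gets persisted, error log lines]
 */
function end_of_request(array $cfg, bool $declared, array $before, array $after, string $script): array {
    // Guard at the centre of this issue: with no READ_ONLY_SESSION declaration,
    // or with both flags off, a changed session is a normal write and is not reported.
    if (!$declared || !($cfg['readonly'] || $cfg['debug'])) {
        return [$after, []];
    }
    $changed = [];
    foreach (array_keys($before + $after) as $key) {
        $old = array_key_exists($key, $before) ? $before[$key] : null;
        $new = array_key_exists($key, $after) ? $after[$key] : null;
        if ($old !== $new) {
            $changed[] = '$SESSION->' . $key;
        }
    }
    $log = [];
    if ($changed) {
        $log[] = "Script $script defined READ_ONLY_SESSION but the following SESSION attributes were changed: "
            . implode(', ', $changed);
    }
    // Debug mode only reports; real read-only mode also drops the write.
    return [$cfg['readonly'] ? $before : $after, $log];
}

// Constructed input: the reproduction from the description (myvar goes from 'asdf' to 'asdfasdf').
$before = ['myvar' => 'asdf'];
$after  = ['myvar' => 'asdfasdf'];
foreach ([false, true] as $readonly) {
    foreach ([false, true] as $debug) {
        foreach ([false, true] as $declared) {
            [$saved, $log] = end_of_request(['readonly' => $readonly, 'debug' => $debug],
                $declared, $before, $after, '/path/to/test.php');
            printf("readonly=%d debug=%d declared=%d -> stored myvar=%-8s errors=%d\n",
                $readonly, $debug, $declared, $saved['myvar'], count($log));
        }
    }
}
```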

            People

              cameron1729
              cameron1729
              Dmitrii Metelkin
              Ilya Tregubov
              Angelia Dela Cruz
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Matteo Scaramuccia, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes: 1
              Watchers: 12

              Dates

                Created:
                Updated:
                Resolved:
                8/Nov/21

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 1h