Re: Invalid Hash via SOAP API call

Maxim Solodovnik Fri, 27 Mar 2020 08:08:25 -0700

`open in same browser`
This is the question I have asked million times ....
multiple tabs/windows share _the same_ session
You can't be loggen in with different hashes and have same session


once in ~30 seconds page ping back to refresh session
and you got "Access denied"
expected

On Fri, 27 Mar 2020 at 21:54, Daniel Baker <i...@collisiondetection.biz>
wrote:

> Yes  I can  reproduce  this.
>
>
> If I have  2  different  rooms ( room 29 , 31 )   open  in same  browser
> invalid  hash is  shown.
>
> It also  happens  if  I have   2  rooms  the  same ( 29, 29, ... )
>
>
> It  actually  takes * some time,   30 seconds* or so  for  the Invalid
> hash  error to show.
>
>
> Thanks,
>
>
> Dan
> On 27/03/2020 05:07, Maxim Solodovnik wrote:
>
> Well,
>
> just tested hashes
> This error is only observed in case multiple tabs are opened in the same
> browser
>
> Is this issue reproducible for you if there is only one user in the room?
>
> Can you test this behavior with latest M4
> (new version of Moodle plugin will be required)
>
> On Thu, 26 Mar 2020 at 14:12, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
>> According to above access log
>> This URL
>> /openmeetings/hash?&secure=9c271470-cfaa-4e95-9d64-9210b9e4a7cc&language=1
>> has been queried 2 times
>> First one was
>> /openmeetings/hash?&secure=9c271470-cfaa-4e95-9d64-9210b9e4a7cc&language=1
>> Second
>>
>> /openmeetings/hash;jsessionid=CE0DC1A368404F8AFDCE934313E81C96?secure=9c271470-cfaa-4e95-9d64-9210b9e4a7cc&language=1
>>
>> Since secureHash is one-time hash here might be the issue
>> It is not clear why session was invalidated .....
>> I'll try to perform more test tonight/tomorrow
>>
>> On Thu, 26 Mar 2020 at 13:49, Daniel Baker <i...@collisiondetection.biz>
>> wrote:
>>
>>> No other  OM logins.
>>>
>>>
>>> I  actually  titled this  wrong,  it  is a  REST  call not  SOAP.
>>>
>>>
>>> Thanks,
>>>
>>>
>>> Dan
>>>
>>>
>>> On 26/03/2020 00:27, Maxim Solodovnik wrote:
>>>
>>> is it possible OM was opened in second tab with active login?
>>>
>>> On Thu, 26 Mar 2020 at 04:15, Daniel Baker <i...@collisiondetection.biz>
>>> wrote:
>>>
>>>> Not sure  why  I am getting this  during  entering of a room :
>>>>
>>>>
>>>> I get invalid  hash / Access denied   show in the browser:
>>>>
>>>>
>>>> [image: image]
>>>>
>>>>
>>>> The  url  looks  like this  which seems correct  to my understanding  :
>>>>
>>>>
>>>>  tail -f localhost_access_log.2020-03-25
>>>>
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:27 +0000] "GET
>>>> /openmeetings/services/user/login?&user=admin&pass=PASSWORD%40 HTTP/1.1"
>>>> 200 96
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:27 +0000] "POST
>>>> /openmeetings/services/user/hash?&sid=973f7132-39f7-47d0-b614-7845c4ed0411
>>>> HTTP/1.1" 200 96
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "GET
>>>> /openmeetings/hash?&secure=9c271470-cfaa-4e95-9d64-9210b9e4a7cc&language=1
>>>> HTTP/1.1" 200 7231
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "GET
>>>> /openmeetings/css/theme_om/jquery-ui.min.css HTTP/1.1" 304 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "GET
>>>> /openmeetings/css/theme.css HTTP/1.1" 304 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "GET
>>>> /openmeetings/css/custom.css HTTP/1.1" 304 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "-" 400 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:28 +0000] "-" 400 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:29 +0000] "GET
>>>> /openmeetings/services/user/login?&user=admin&pass=PASSWORD%40 HTTP/1.1"
>>>> 200 96
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:29 +0000] "GET
>>>> /openmeetings/services/room/32?&sid=25d019cb-728c-4c7e-a88e-88910b3eae51
>>>> HTTP/1.1" 200 444
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:30 +0000] "GET
>>>> /openmeetings/services/user/login?&user=admin&pass=PASSWORD%40 HTTP/1.1"
>>>> 200 96
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:30 +0000] "POST
>>>> /openmeetings/services/user/hash?&sid=bd8227ad-88d1-41ba-b4ce-69239844e5a1
>>>> HTTP/1.1" 200 96
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:32 +0000] "GET
>>>> **/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?0-1.0
>>>> *-access~denied*&secure=9c271470-cfaa-4e95-9d64-**9210b9e4a7cc&language=1&_=1585164268523
>>>> HTTP/1.1" 200 180
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:32 +0000] "GET
>>>> /openmeetings/hash;jsessionid=CE0DC1A368404F8AFDCE934313E81C96?secure=9c271470-cfaa-4e95-9d64-9210b9e4a7cc&language=1
>>>> HTTP/1.1" 200 7328
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:33 +0000] "-" 400 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:33 +0000] "-" 400 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:33 +0000] "-" 400 -
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:33 +0000] "GET
>>>> /openmeetings/wicket/resource/com.googlecode.wicket.kendo.ui.theme.Initializer/kendo.default.mobile.min-ver-70A144DCABA4386C973AE2446CA25F3D.css
>>>> HTTP/1.1" 200 111339
>>>> XX.XXX.XXX.XXX - - [25/Mar/2020:19:24:33 +0000] "GET
>>>> /openmeetings/css/theme_om/jquery-ui.min.css HTTP/1.1" 304 -
>>>>
>>>>
>>>>
>>>> OM  Version :
>>>>
>>>>
>>>> Name OpenMeetings  Version5.0.0-M3 Revisionb739f87 Build 
>>>> date2019-12-11T11:42:09Z
>>>>
>>>>
>>>> I  can see access denied in the log so  that pinpoints it somewhat.  Is
>>>> there a way  to see my  SOAP call is  correct  or a  verbose  logging mode 
>>>> ?
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>>
>>>
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>>
>>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
> --
> WBR
> Maxim aka solomax
>
>

-- 
WBR
Maxim aka solomax

Re: Invalid Hash via SOAP API call

Reply via email to