Possible Bug/Feature: Rapid cycling of sessions causes Server Fault 4 errors

luke_church Registered Users Posts: 507 Major grins
Description: I've come across this at numerous points whilst developing, but until now haven't had something stable enough to hammer it down.

It seems that if you cycle accounts too quickly, the server starts returning Error Code 4 to requests it previously accepted. If it is left for a while, then it stops doing it.

This can make debugging exciting!

Example failure: (This test runs successfully normally, without any source code changes, so I don't think it's my user account details)

I have seen numerous cases of a very similar problem with methods other than accounts.getType; that's just the simple method I'm using for testing at the moment.

[php]

<?xml version="1.0"?>
<methodCall>
<methodName>smugmug.login.withPassword</methodName>
<params>
<param>
<value>
<string>smugtest@polymorphix.net</string>
</value>
</param>
<param>
<value>
<string>...</string>
</value>
</param>
<param>
<value>
<string>1.1.0</string>
</value>
</param>
<param>
<value>
<string>...</string>
</value>
</param>
</params>
</methodCall>
Header: (Left in for Cookie data)
HTTP/1.1 200 OK
Date: Sun, 11 Sep 2005 02:35:09 GMT
Server: Apache
X-Powered-By: smugmug/1.2.0
Cache-Control: private, max-age=1, must-revalidate
Pragma:
Set-Cookie: SMSESS=b4f7cb9b9276cd0e5f5e6f7a2d5c3a60; path=/; domain=.smugmug.com
Set-Cookie: snap=39179; expires=Tue, 11-Oct-05 02:35:10 GMT; path=/; domain=.smugmug.com
Set-Cookie: shot=%241%247pt781tO%24AnkHhcM7muLCq.YuhZa4l0; expires=Tue, 11-Oct-05 02:35:10 GMT; path=/; domain=.smugmug.com
ETag: sm-71feb02444ea1fa4e5bafface57c4449-sm
Content-Length: 546
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>SessionID</name>
<value>
<string>b4f7cb9b9276cd0e5f5e6f7a2d5c3a60</string>
</value>
</member>
<member>
<name>UserID</name>
<value>
<int>39179</int>
</value>
</member>
<member>
<name>PasswordHash</name>
<value>
<string>...</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>

POST /hack/xmlrpc/ HTTP/1.1
Content-Type: text/xml
User-Agent: XML-RPC.NET
Content-Length: 245
Expect: 100-continue
Host: api.smugmug.com

HTTP/1.1 100 Continue

<?xml version="1.0"?>
<methodCall>
<methodName>smugmug.accounts.getType</methodName>
<params>
<param>
<value>
<string>b4f7cb9b9276cd0e5f5e6f7a2d5c3a60</string>
</value>
</param>
</params>
</methodCall>

HTTP/1.1 200 OK
Date: Sun, 11 Sep 2005 02:35:10 GMT
Server: Apache
X-Powered-By: smugmug/1.2.0
Cache-Control: private, max-age=1, must-revalidate
Pragma:
Set-Cookie: SMSESS=b4f7cb9b9276cd0e5f5e6f7a2d5c3a60; path=/; domain=.smugmug.com
ETag: sm-326b1987e10d1b10e236a4626a6d410e-sm
Content-Length: 347
Content-Type: text/xml

<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value>
<int>4</int>
</value>
</member>
<member>
<name>faultString</name>
<value>
<string>invalid user</string>
</value>
</member>
</struct>
</value>
</fault>
</methodResponse>


[/php]

If more XML from different examples would help, just give me a yell..

Or is this a security feature to prevent API abuse?

Cheers,

Luke

Comments

  • onethumb Administrators Posts: 1,269 Major grins
    edited September 10, 2005

    Ahh, interesting. You're probably running into "slave lag" where you're updating our master DB and then quickly querying one of our slaves. Our slaves are rarely behind by more than a second or so. With a web browser, this is rarely an issue - the web browser takes forever to render the page and return user input anyway.

    With a fast app using the API, though, it's obviously a bigger issue.

    I'll have to think about how to best handle this.

    Good find!

    Don
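
A client-side way to live with the replica lag described in the reply above, as an added example (not SmugMug's code and not from either poster): fault 4 is retried with a short bounded backoff only while the session is newer than an assumed lag window, so an "invalid user" on an older session still surfaces immediately as a real authentication failure. The function name, the `grace` and `delays` values, and the sample response bodies are assumptions constructed for illustration.

```python
import time
import xmlrpc.client

FAULT_INVALID_USER = 4  # faultCode from the response in the post

# Constructed response bodies (same shape as the post's; values are placeholders).
FAULT_XML = (
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>4</int></value></member>"
    "<member><name>faultString</name><value><string>invalid user</string></value></member>"
    "</struct></value></fault></methodResponse>"
)
OK_XML = (
    "<methodResponse><params><param><value>"
    "<string>constructed-account-type</string>"
    "</value></param></params></methodResponse>"
)


def call_with_lag_retry(send, session_age, grace=2.0,
                        delays=(0.25, 0.5, 1.0), sleep=time.sleep):
    """Call send() (returns a raw XML-RPC response body) and decode it.

    Fault 4 is retried only while the session is younger than `grace`
    seconds (assumed bound on replica lag); any other fault, or fault 4 on
    an older session, is raised at once as a real failure.
    Returns (result, attempts).
    """
    schedule = list(delays)
    waited = 0.0
    attempts = 0
    while True:
        attempts += 1
        try:
            (result,), _method = xmlrpc.client.loads(send())
            return result, attempts
        except xmlrpc.client.Fault as fault:
            lag_plausible = session_age + waited < grace
            if (fault.faultCode != FAULT_INVALID_USER
                    or not lag_plausible or not schedule):
                raise
        delay = schedule.pop(0)
        sleep(delay)
        waited += delay


if __name__ == "__main__":
    replies = iter([FAULT_XML, FAULT_XML, OK_XML])
    print(call_with_lag_retry(lambda: next(replies), session_age=0.0))
```

Keeping the retry budget small and tied to session age matters: an unbounded retry on "invalid user" would hide expired or revoked sessions and add load to the API.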