[ic] Timed-build and Locked-Out sessions.

Carl Bailey carl at triangleresearch.com
Mon Aug 7 18:42:15 EDT 2006


Here's a strange thing that happened to one of our clients.  They 
discovered in the middle of the day that all customers were seeing 
links pointing to localhost (127.0.0.1) when they visited a certain page 
on the site.  We traced this to the area of the page that was 
enclosed in a timed-build tag, and that got us to thinking ...

If a session requests too many pages in a short period, the session 
gets triggered for the do_lockout subroutine in Error.pm and the URL 
gets changed to localhost using the following line of code:
    $Vend::Cfg->{VendURL} = $Vend::Cfg->{SecureURL} = 'http://127.0.0.1';
Now, you can set a $Global::LockoutCommand to prevent further site 
access by the offender, but by default this is not defined, so all that 
happens is that all links in subsequently served pages point to 
localhost.

Now imagine that this user is a spider, working its way through your 
site-map.  The site map has scores of links, and most of the target 
pages use the timed-build tag.  As the spider works its way through 
these links, the spider soon enough triggers the do_lockout mechanism 
described above.  But the spider has plenty of unvisited links that it 
got from the site-map earlier, so it continues about its business.  
Now, some of the pages it visits may well cause the timed-build area(s) 
to be re-generated because their elapsed time has expired.  This will 
result in new timed-build files being generated with localhost in the 
links, which will spoil things for every user who sees that page, until 
the next time it gets re-built, hours or days later.

It may seem far-fetched, but remember, this has actually happened to us 
within the last week.

What we needed was a protection in the timed-build tag that prevents it 
from writing a new file if do_lockout has been triggered.  We came up 
with the following change to the timed_build tag in Interpolate.pm:

---   Vend::Util::writefile(">file",$out,$opt);
+++   Vend::Util::writefile(">$file", $out, $opt )
+++      unless $Vend::Cfg->{VendURL} eq 'http://127.0.0.1';
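
Review bot: the `unless` condition on the last added line detects a lockout by comparing `$Vend::Cfg->{VendURL}` to the literal 'http://127.0.0.1', which duplicates the value assigned in do_lockout; if that assignment in Error.pm is ever changed, this guard stops matching without any error. Consider having do_lockout set an explicit lockout flag that the timed_build code tests, or at least keep the URL in one shared constant. Note also that the removed line reads `">file"` while the added line reads `">$file"`, so check the removed line against the actual Interpolate.pm source before applying. A log entry when the write is skipped would make it visible how often locked-out sessions hit expired timed-build areas.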

We have tested this and it has worked successfully in our IC 5.4 
environment.

Carl
=======================
Carl Bailey
Triangle Research, Inc.
=======================
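
The sequence described in the message, as an added example that is not part of the original post and is not Interchange code: a small model in which a locked-out request regenerates an expired timed-build fragment, run once without and once with a guard like the one proposed. The `%cache` hash, the `*_model` subroutines, the `nav` fragment name and the `shop.example` URLs are all constructed for illustration.

```perl
#!/usr/bin/perl
# Constructed model of the failure described above; not Interchange code.
# All names (%cache, do_lockout_model, timed_build_model) are hypothetical.
use strict;
use warnings;

my $LOCKOUT_URL = 'http://127.0.0.1';
my %cache;    # stands in for timed-build files on disk: name => { body, written }

# Mimics the effect of the do_lockout line quoted in the message.
sub do_lockout_model {
    my ($cfg) = @_;
    $cfg->{VendURL} = $cfg->{SecureURL} = $LOCKOUT_URL;
}

# Returns the fragment for this request, rebuilding it when it has expired.
# With $guard set, a locked-out request never writes to the shared cache.
sub timed_build_model {
    my ($cfg, $name, $now, $ttl, $guard) = @_;
    my $entry = $cache{$name};
    return $entry->{body} if $entry && $now - $entry->{written} < $ttl;

    # Links are built from the per-request URL, as in the reported incident.
    my $out = qq(<a href="$cfg->{VendURL}/cart">Cart</a>);
    $cache{$name} = { body => $out, written => $now }
        unless $guard && $cfg->{VendURL} eq $LOCKOUT_URL;
    return $out;
}

for my $guard (0, 1) {
    %cache = ();
    my %normal = (VendURL   => 'http://shop.example',
                  SecureURL => 'https://shop.example');
    my %spider = %normal;    # per-request copy of the catalog config

    timed_build_model(\%normal, 'nav', 0, 3600, $guard);      # t=0: good fragment cached
    do_lockout_model(\%spider);                                # spider exceeds the page limit
    timed_build_model(\%spider, 'nav', 4000, 3600, $guard);   # t=4000: fragment has expired
    my $seen = timed_build_model(\%normal, 'nav', 4100, 3600, $guard);

    printf "guard=%d  normal visitor sees: %s\n", $guard, $seen;
}
```

Without the guard the ordinary visitor at t=4100 is served the fragment the locked-out request wrote; with it, the expired fragment is left alone and the next ordinary request rebuilds it.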


