[ic] Timed-build and Locked-Out sessions.
Carl Bailey
carl at triangleresearch.com
Mon Aug 7 18:42:15 EDT 2006
Here's a strange thing that happened to one of our clients. They
discovered in the middle of the day that all customers were seeing
links pointing to localhost (127.0.0.1) when they visited a certain page
on the site. We traced this to the area of the page that was
enclosed in a timed-build tag, and that got us to thinking ...
If a session requests too many pages in a short period, the session
gets triggered for the do_lockout subroutine in Error.pm and the URL
gets changed to localhost using the following line of code:
$Vend::Cfg->{VendURL} = $Vend::Cfg->{SecureURL} = 'http://127.0.0.1';
Now, you can set a $Global::LockoutCommand to prevent further site
access by the offender, but by default this is not defined, so all that
happens is that all links in subsequently served pages point to
localhost.
Now imagine that this user is a spider, working its way through your
site-map. The site map has scores of links, and most of the target
pages use the timed-build tag. As the spider works its way through
these links, the spider soon enough triggers the do_lockout mechanism
described above. But the spider has plenty of unvisited links that it
got from the site-map earlier, so it continues about its business.
Now, some of the pages it visits may well cause the timed-build area(s)
to be re-generated because their elapsed time has expired. This will
result in new timed-build files being generated with localhost in the
links, which will spoil things for every user who sees that page, until
the next time it gets re-built, hours or days later.
It may seem far-fetched, but remember, this has actually happened to us
within the last week.
What we needed was a protection in the timed-build tag that prevents it
from writing a new file if do_lockout has been triggered. We came up
with the following change to the timed_build tag in Interpolate.pm:
--- Vend::Util::writefile(">file",$out,$opt);
+++ Vend::Util::writefile(">$file", $out, $opt )
+++ unless $Vend::Cfg->{VendURL} eq 'http://127.0.0.1';
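Review bot: the guard on the "unless" line detects a lockout by comparing $Vend::Cfg->{VendURL} to the literal 'http://127.0.0.1', which duplicates the string assigned in do_lockout. If that assignment ever changes, this comparison silently stops matching and localhost links get written to the timed-build file again. Consider having do_lockout set a dedicated flag and testing that flag here, or at least sharing one constant between the two places. Also, the removed line reads ">file" while the added line reads ">$file"; confirm which one matches the actual source so the change applies cleanly.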
We have tested this and it has worked successfully in our IC 5.4
environment.
Carl
=======================
Carl Bailey
Triangle Research, Inc.
=======================
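
The failure described in this message, reduced to a toy model. This is an added example, not part of the original post and not Interchange source code. The threshold, the shop.example URL, the serve() helper and the in-memory %cache standing in for timed-build files are all assumptions made for illustration, as is the premise that the lockout only rewrites the URL for the offending session's own requests.

```perl
#!/usr/bin/perl
# Toy model (constructed for illustration, not Interchange code) of how a
# per-session lockout can poison output that is cached for every visitor.
use strict;
use warnings;

my $LOCKOUT_URL = 'http://127.0.0.1';    # value assigned by do_lockout, per the post
my $SITE_URL    = 'http://shop.example'; # constructed sample site URL
my $MAX_HITS    = 3;                     # hypothetical "too many pages" threshold
my %cache;                               # stands in for the timed-build files

# Serve one page to one session. $guard switches the proposed check on or off.
sub serve {
    my ($session, $page, $now, $guard) = @_;

    # Each request starts from the normal URL; a locked-out session gets
    # localhost instead (assumption: the change applies to that session only).
    my $cfg = { VendURL => $SITE_URL };
    $cfg->{VendURL} = $LOCKOUT_URL if ++$session->{hits} > $MAX_HITS;

    my $entry = $cache{$page};
    if (!$entry || $entry->{expires} <= $now) {
        # Cached region is missing or expired: rebuild it with the current URL.
        my $out = qq{<a href="$cfg->{VendURL}/$page">$page</a>};

        # Proposed guard: a locked-out request still receives its own output,
        # but that output is never written to the shared cache.
        return $out if $guard && $cfg->{VendURL} eq $LOCKOUT_URL;

        $entry = $cache{$page} = { body => $out, expires => $now + 3600 };
    }
    return $entry->{body};
}

for my $guard (0, 1) {
    %cache = ();
    my $spider = { hits => 0 };
    serve($spider, "page$_", 0, $guard) for 1 .. 5;    # spider walks the site map

    my $customer = { hits => 0 };                      # ordinary visitor, later
    my $seen = serve($customer, 'page5', 10, $guard);
    printf "guard=%d  customer sees: %s\n", $guard, $seen;
}
```

With the guard off, the customer is served the link the spider's locked-out request cached; with it on, the region is rebuilt from the customer's own request.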