Aptira OpenStack

Oversized dashboard cookie values

Recently I installed OpenStack (Mitaka) with all core services plus a number of "optional" components: LBaaS, FWaaS, VPNaaS and Manila. Everything worked except that I could not log in to the dashboard with my preferred browser, Chrome. Every time I logged in, even with the correct password, Horizon sent me straight back to the login page; with a wrong password it correctly reported that the password was incorrect. The same happened in Firefox. It did, however, work in IE.

I then checked the Horizon log, /var/log/horizon/horizon.log. With Chrome and Firefox nothing was logged at all, which made it hard to debug, but with IE there were errors:
2016-09-23 06:11:50,029 62832 ERROR horizon.middleware Total Cookie size for user_id: f6d48923b3ec4927a5c5b51a0da2965d is 4208B >= 4093B. You need to configure file-based or database-backed sessions instead of cookie-based sessions: http://docs.openstack.org/developer/horizon/topics/deployment.html#session-storage

2016-09-23 06:12:10,857 62832 ERROR horizon.middleware Total Cookie size for user_id: f6d48923b3ec4927a5c5b51a0da2965d is 4225B >= 4093B. You need to configure file-based or database-backed sessions instead of cookie-based sessions: http://docs.openstack.org/developer/horizon/topics/deployment.html#session-storage
Inspecting the cookies with IE's developer tools showed that the sessionid cookie had a very long value, more than 4200 characters, which exceeds the maximum cookie size Chrome and Firefox accept. Those browsers refuse to store a cookie that large, so the next request arrives without a session cookie and Horizon treats it as an unauthenticated visit and redirects to the login page.

The per-cookie limit of a browser can be measured with this tool: http://browsercookielimits.squawky.net/

From my test on the latest browser versions, only IE accepts more than 5000 characters.
Chrome 53.0.2785.116:
13:33:54.45: Guessing Max Cookie Count Per Domain: 180
13:33:54.45: Guessing Max Cookie Size Per Cookie: 4096 bytes
13:33:54.45: Guessing Max Cookie Size Per Domain: NA

Firefox 48.0.2:
13:33:54.769: Guessing Max Cookie Count Per Domain: 150
13:33:54.770: Guessing Max Cookie Size Per Cookie: 4097 bytes
13:33:54.772: Guessing Max Cookie Size Per Domain: NA

IE 10.0.9200.16384:
13:34:1.342: Guessing Max Cookie Count Per Domain: 50
13:34:1.348: Guessing Max Cookie Size Per Cookie: 5117 characters
13:34:1.353: Guessing Max Cookie Size Per Domain: Between 10234 and 15350 characters
Horizon deployments commonly use memcached-backed sessions, but the error message above shows that this installation was using cookie-based sessions, i.e. the entire session is serialised into the sessionid cookie. The message tells us to switch to file-based or database-backed sessions instead.

Edit /etc/openstack-dashboard/local_settings. The cached_db engine writes sessions to the database and uses the configured CACHES backend (e.g. memcached) as a read-through cache, so keep the existing CACHES setting in place. Replace DASH_DBPASS with a real password; the character set belongs under OPTIONS, where Django actually reads it.
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
DATABASES = {
    'default': {
        # Database configuration here
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'dash',
        'USER': 'dash',
        'PASSWORD': 'DASH_DBPASS',
        'HOST': 'localhost',
        'OPTIONS': {'charset': 'utf8'},
    }
}

Create the database and a dedicated user:
$ mysql -u root -p
mysql> CREATE DATABASE dash;
mysql> GRANT ALL PRIVILEGES ON dash.* TO 'dash'@'%' IDENTIFIED BY 'DASH_DBPASS';
mysql> GRANT ALL PRIVILEGES ON dash.* TO 'dash'@'localhost' IDENTIFIED BY 'DASH_DBPASS';
The 'dash'@'%' grant is only needed if Horizon connects from another host; with HOST set to localhost in local_settings you can leave it out so the account is not reachable over the network. Use the same real password here as in local_settings.

Create the session tables:
/usr/share/openstack-dashboard/manage.py syncdb
Answer 'no' when asked whether you want to create a superuser. (syncdb still works on the Django 1.8 that Mitaka uses but is deprecated; on newer Django releases the equivalent is manage.py migrate.)
Then restart httpd/apache.

After this change the real session data is stored in the database, and the cookie carries only the session key (a 32-character string). On every request the browser sends back that key, Horizon looks up the session data in the database (or the cache in front of it) and proceeds from there.

Every request Horizon makes to an OpenStack service needs a valid token. When Horizon requests that token at login, Keystone returns the token together with the service catalog, and Horizon keeps both in the session; with cookie-based sessions, that is what ends up in the sessionid cookie. What made my session so big is that I installed many services, so the catalog grew with every extra endpoint. Using database-backed sessions for Horizon costs a database lookup per request, but it solves the problem. Note that the sessions table now holds users' Keystone tokens, so restrict access to that database and run manage.py clearsessions periodically so expired sessions do not accumulate. On the other hand, Horizon should put session data in multiple cookies if it is too long.
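To show why the catalog pushes a cookie-based session over the limit while a database-backed session stays tiny, here is an added example, not code from the original post or from Horizon/Django. It builds a constructed Keystone-style catalog (made-up hostname and ports), serialises the session the way a signed-cookie engine would (a simplified stand-in for django.core.signing without compression), and compares the resulting cookie size with the 4093-byte threshold quoted in the log lines above; the database engine is modelled with a dict and a 32-character random key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Threshold quoted by Horizon's middleware in the log lines above.
MAX_COOKIE_BYTES = 4093


def make_catalog(service_types, host="controller.example.com"):
    """Build a constructed Keystone-style service catalog: one entry per service,
    each with public/internal/admin endpoints. Hostname and ports are made up."""
    catalog = []
    for i, svc in enumerate(service_types):
        port = 9000 + i
        catalog.append({
            "type": svc,
            "name": svc,
            "endpoints": [
                {"interface": iface, "region": "RegionOne",
                 "url": "http://%s:%d/v2.0" % (host, port)}
                for iface in ("public", "internal", "admin")
            ],
        })
    return catalog


def make_session(service_types):
    """What Horizon keeps in the session after login: the token plus the catalog.
    The user id, token id and expiry are placeholders."""
    return {
        "user_id": secrets.token_hex(16),
        "token": {
            "id": secrets.token_hex(16),
            "expires": "2016-09-23T07:11:50Z",
            "serviceCatalog": make_catalog(service_types),
        },
    }


def signed_cookie_value(session, secret_key=b"constructed-secret"):
    """Cookie-based sessions: the whole session goes into the cookie, base64-encoded
    and HMAC-signed. Simplified stand-in for django.core.signing (no compression)."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=")
    tag = hmac.new(secret_key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b":" + tag


def db_cookie_value(session, store):
    """Database-backed sessions: keep the data server-side and put only a
    32-character random key into the cookie (the length Django session keys have)."""
    key = secrets.token_hex(16)
    store[key] = session
    return key.encode()


def fits(value):
    """The size check Horizon's middleware applies to the cookie value."""
    return len(value) < MAX_COOKIE_BYTES


def compare(service_types):
    """Return cookie sizes for both engines and whether each passes the check."""
    session = make_session(service_types)
    store = {}
    cookie = signed_cookie_value(session)
    key = db_cookie_value(session, store)
    return {
        "services": len(service_types),
        "cookie_engine_bytes": len(cookie),
        "cookie_engine_ok": fits(cookie),
        "db_engine_bytes": len(key),
        "db_engine_ok": fits(key),
        "db_round_trip": store[key.decode()] == session,
    }


if __name__ == "__main__":
    core = ["identity", "compute", "image", "network", "volume"]
    extra = ["volumev2", "orchestration", "object-store", "metering",
             "share", "sharev2", "load-balancer", "vpn", "firewall", "alarming"]
    for svcs in (core, core + extra):
        print(compare(svcs))
```

With the five core services the signed cookie stays well under the threshold; adding the optional services roughly triples the catalog and the cookie exceeds 4093 bytes, exactly the situation in the log, while the database-backed cookie is 32 bytes regardless of how many services are installed.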

Reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/dashboard-sessions.html
