Why is Symfony Session data encrypted on my production server? - session

I want to share a single authentication method for two Symfony websites sharing the same top-level domain.
I use a cookie valid on all subdomains and sfPDOSessionStorage for keeping session data.
factories.yml is set up like this on both projects:
all:
  storage:
    class: sfPDOSessionStorage
    param:
      database: doctrine
      db_table: sessions
      session_name: myauth
      db_id_col: id
      db_data_col: sess_data
      db_time_col: time
      session_cookie_domain: ".mydomain.net"
      session_cookie_lifetime: 86400
      session_cookie_path: /
On my development machine and on my co-workers' machines this mechanism is working fine, but on the server it does not (I'm asked for credentials when I switch sub-domains). The only difference I see between the two environments is the format in which the data is stored: the data seems to be encrypted on the prod server but appears in clear text on my machine. There's no sensitive data here so I can post an example:
Dev environment sess_data:
symfony/user/sfUser/lastRequest|i:1295349567;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:1:{s:30:"symfony/user/sfUser/attributes";a:1:{s:7:"referer";s:0:"";}}symfony/user/sfUser/culture|s:2:"fr";
Production server sess_data:
BB7HBTsQg75NNGvb9Z8sexldqbS79YzDgrztQzSFhsUpEk2EeCOtKw8FQbm31vLIRyr3ZP_klwZFXywnkdem27naIWjIVBP_WwpwNRg4IMj1J0fIfxJN_UOw2RbCWh91L5ryCD_7_ynN2UtxfuJwUWnxoGuUvqD8YQxNdczQipmktPVFk1mVfKE1-BsrdHHLIXH_gi44-Bos3f-EshE5skuQpachnY1FkgvvvOuXEj7zxPflgA3xtGoqJxkDijT-uKnQCH4TrimhvkIRGCt0oVuOdsAJzuWW6ijgPCD3X767mSIzm_lQmJoSGxDB7fAgFihB7Ljoq0tsysC62BqTYFB6dTnuZoj3KON8lXlyNJZVyLgTWZ3EYoObtc8jCKYNDonSjEqzTvwg4NJRVoB5ePx61iTqbDd9qFlkryzj9J8.
I haven't got a clue which encryption type is used to store information in the database, nor am I sure that this is the root of my problems, but as this is the only difference I can spot, I don't see any other explanation. (PHP and MySQL versions are identical, with Ubuntu 10.10 on my side and Debian Squeeze server-side.)

I think there's some module installed on your production server responsible for encrypting the session's data.
For example, suhosin patch adds such a feature to PHP: http://www.hardened-php.net/suhosin/configuration.html
It's activated by the suhosin.session.encrypt configuration option in php.ini.
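As an added diagnostic (my own code, not part of the question or answer above), this decodes the "php" session serialize format that sfPDOSessionStorage writes into sess_data, so a stored row can be classified as plain (it decodes) or transparently encrypted by a PHP-level module (it does not). The sample rows are constructed: the first copies the dev-environment line from the question, the second is an opaque stand-in for the production blob.

```python
# Constructed from the dev-environment sess_data shown in the question (all ASCII).
DEV_SESS = ('symfony/user/sfUser/lastRequest|i:1295349567;'
            'symfony/user/sfUser/authenticated|b:0;'
            'symfony/user/sfUser/credentials|a:0:{}'
            'symfony/user/sfUser/attributes|a:1:{s:30:"symfony/user/sfUser/attributes";'
            'a:1:{s:7:"referer";s:0:"";}}'
            'symfony/user/sfUser/culture|s:2:"fr";')
PROD_SESS = 'Qm9ndXNCbG9iRm9yRGVtb09ubHk_notPhpSessionFormat.'  # constructed opaque stand-in, not real data

def _parse_value(s, i):
    """Parse one PHP serialize() value at s[i:]; return (value, index just after it)."""
    t = s[i]
    if t == 'N':                                   # N;
        return None, i + 2
    if t in 'ibd':                                 # i:123;  b:0;  d:1.5;
        end = s.index(';', i)
        raw = s[i + 2:end]
        return (int(raw) if t == 'i' else bool(int(raw)) if t == 'b' else float(raw)), end + 1
    colon = s.index(':', i + 2)                    # s:len:"..." and a:count:{...} both carry a length
    n = int(s[i + 2:colon])
    if t == 's':                                   # length counts bytes; input here is ASCII
        start = colon + 2                          # skip :"
        return s[start:start + n], start + n + 2   # skip ";
    if t == 'a':
        j, out = colon + 2, {}                     # skip :{
        for _ in range(n):                         # alternating key, value
            k, j = _parse_value(s, j)
            out[k], j = _parse_value(s, j)
        return out, j + 1                          # skip }
    raise ValueError(f'unsupported serialize type {t!r} at offset {i}')

def decode_php_session(data):
    """Decode the 'php' session handler format (key|value pairs, no separator) into a dict;
    raises ValueError when the input is not in that format, e.g. an encrypted blob."""
    result, i = {}, 0
    while i < len(data):
        bar = data.find('|', i)
        if bar < 0:
            raise ValueError('no key|value separator: not php session format')
        key = data[i:bar]
        result[key], i = _parse_value(data, bar + 1)
    return result

def looks_encrypted(data):
    """True when a sess_data row cannot be decoded as plain PHP session data."""
    try:
        decode_php_session(data)
    except (ValueError, IndexError):
        return True
    return False
```

Running it against both rows in the question reproduces the asymmetry the poster describes: the dev row decodes into the sfUser attributes, the production row does not.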

Connection problem after transferring Magento 2.1 to a new server?

I have migrated my Magento website from one server to another. I have changed the base URL for secure and non-secure to the new domain, and also changed the database credentials in the env file, but I am still getting a PDO exception error regarding the database connection in the exception log.
Note: I have enabled error log in index.php file.
Can you post the error details?
(keep sensitive data out of it)
As far as I usually encounter, errors like these are related to file permissions. Especially after migrating. Kindly check your files & folders permissions.
Of course the above is assuming the new server meets the system requirements (PHP version, PHP extensions and Mysql versions).
Here are the Magento System Requirements for v2.1.x: https://devdocs.magento.com/guides/v2.1/install-gde/system-requirements-tech.html
Here is some info about permissions:
https://devdocs.magento.com/guides/v2.1/install-gde/prereq/file-system-perms.html
And if you happen to use SELinux check this: https://devdocs.magento.com/guides/v2.1/install-gde/prereq/security.html

Is there any point using CI encryption to encrypt stored data

So I'm hoping this is not too discursive a question - but I am looking at encryption and the CodeIgniter encryption library. Great. But I'm just wondering in the following circumstance if there is actually any point encrypting my data?
No open port access to MySQL (all done via key based SSH)
Key stored in CI config file (which resides on the same box)
Server is a Ubuntu Linode (Cloud server)
I am the only person with access to the box
Why should I store my data at rest? Wikipedia mentions "unauthorised access or theft" but that would require physically stealing the box, which is unlikely. I guess access to my machine if I'm logged into a database and the data is unreadable, but again - unless someone breaks into my house and unlocks my machine it's highly unlikely.

Where does Redis store the data

I am using Redis for pub/sub as well as for server-side cache. I mean my app server has the Redis server running as one process (functioning as a cache as well). I have several thin clients (running a Redis client) connected to this app server in pub/sub mode. I would like to know where Redis stores the cache data: in the server alone, or will there be a copy in the clients as well? Also, is it a good idea to use Redis in this fashion if there are close to 100 Redis clients connected to the server through a pub/sub channel?
Thanks
Redis is a (sort of) in-memory noSQL database; but I found that my copy (running on linux) dumps to /var/lib/redis/dump.rdb
Redis can manage really big numbers of connections; by default it's an in-memory store (thanks to storing stuff in RAM it can be so fast).
But at the same time it can be configured as a persistent store, dumping cached data (every x time or every x updated keys) to disk.
So it can be configured depending on your needs, have a look here.
All the cache data will be stored in the memory of the server provided to the config of running redis server.
The clients do not hold any data, they only access the data stored by the redis server.
I just installed redis on mac via homebrew. Without any configuration, I
found the dump.rdb is in my working directory (where I launched redis-server).
You can figure that out with the config command.
redis-cli config get dir
However as far as I know pub/sub data is volatile and not stored nor cached in redis at all. If you need that, you should look for a dedicated message broker like for example RabbitMQ.
On my Ubuntu, it was at /var/lib/redis/dump.rdb. On my macOS (installed via brew), it was at /usr/local/var/db/redis/dump.rdb.
Default location
/var/lib/redis/
Redis saves all data in the server's memory and rarely saves data to disk.
For server<>client flow, all data is transported via the server.
Redis can process a number of clients ... default limit: 10,000.
If you need less, you must reconfigure the OS, server settings, etc. - http://redis.io/topics/clients
As I understood the question, your concern is about the Redis server memory and the client (application) memory.
I would like to know where redis stores the cache data ? in server alone or there will be a copy in the clients as well.
Redis 6's client-side caching is what you are actually looking for. There, server and application both store copies and keep them in sync through protocol communication. Even though they have implemented a few ways to accomplish it, the following example mechanism (picked from the docs) will help you to understand it well.
Client 1 -> Server: CLIENT TRACKING ON
Client 1 -> Server: GET foo
(The server remembers that Client 1 may have the key "foo" cached)
(Client 1 may remember the value of "foo" inside its local memory)
Client 2 -> Server: SET foo SomeOtherValue
Server -> Client 1: INVALIDATE "foo"
Hope this helps. See that nice docs for more elaboration.
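An added illustration of the exchange quoted in the answer above (my own toy model in Python, not Redis code or a Redis client library): the server remembers which tracking clients read a key, pushes INVALIDATE to them on a write, and then forgets the key until it is read again, which is the default-mode behaviour the Redis docs describe. Client and key names are the ones from the quoted exchange; the initial value is made up.

```python
class TrackingServer:
    """Toy model of Redis 6 client-side caching in its default mode (my simplification):
    track which tracking clients read a key, push INVALIDATE on write, then forget the key."""
    def __init__(self):
        self.data = {}          # key -> value
        self.tracking = set()   # client ids that sent CLIENT TRACKING ON
        self.table = {}         # key -> client ids that may hold it in a local cache
        self.outbox = []        # (client id, ('INVALIDATE', key)) push messages

    def client_tracking(self, cid, on):
        (self.tracking.add if on else self.tracking.discard)(cid)

    def get(self, cid, key):
        if cid in self.tracking:                    # remember that cid may cache this key
            self.table.setdefault(key, set()).add(cid)
        return self.data.get(key)

    def set(self, cid, key, value):
        self.data[key] = value
        for tracker in self.table.pop(key, set()):  # notify once, then stop tracking the key
            self.outbox.append((tracker, ('INVALIDATE', key)))

class CachingClient:
    """Client that keeps a local copy of every value it reads while tracking is on."""
    def __init__(self, cid, server):
        self.cid, self.server, self.local = cid, server, {}
        server.client_tracking(cid, True)

    def get(self, key):
        if key not in self.local:                   # miss: ask the server, which now tracks us
            self.local[key] = self.server.get(self.cid, key)
        return self.local[key]

    def drain_invalidations(self):
        mine = [m for m in self.server.outbox if m[0] == self.cid]
        self.server.outbox = [m for m in self.server.outbox if m[0] != self.cid]
        for _, (kind, key) in mine:
            if kind == 'INVALIDATE':                # drop the stale local copy
                self.local.pop(key, None)

def run_docs_example():
    server = TrackingServer()
    server.data['foo'] = 'value1'                    # constructed initial value
    c1 = CachingClient('client1', server)
    first = c1.get('foo')                            # GET foo: cached locally, tracked by server
    server.set('client2', 'foo', 'SomeOtherValue')   # client 2 (not tracking) writes foo
    stale = c1.get('foo')                            # still the local copy until the push is handled
    c1.drain_invalidations()
    fresh = c1.get('foo')                            # miss again -> fresh value, tracked again
    return first, stale, fresh, 'foo' in server.table
```

The `stale` read shows the window every client-side cache has between the write and processing the invalidation push.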

migrating mod_plsql application to Oracle REST Data Services

I read on MOS Doc ID 1945619.1 that starting with the 12.1.3 Oracle HTTP Server (OHS), the mod_plsql feature has been deprecated and will not be included with the 12.2 Oracle HTTP Server.
For the future, Oracle recommends moving to Oracle REST Data Services (formerly known as Oracle APEX Listener) as an alternative to mod_plsql.
Our shop has a lot of mod_plsql applications (i.e. applications written using HTP/HTF packages) in production. Since I don't know anything about Oracle REST Data Services, I'm asking you if we can migrate the old applications to this new product without changing the code.
Thank you.
Kind regards, Cristian
Doug McMahon (Oracle employee) has a great open source module for Apache.
Apache PL/SQL Gateway Module
(mod_owa)
https://oss.oracle.com/projects/mod_owa/dist/documentation/modowa.htm
I am using it in a production environment and I highly recommend it. It's really fast and rock solid.
You need to do some compiling but it's worth it being able to use Apache 2.4 and mod_plsql.
Steps:
Download httpd 2.4.? from apache.org and extract it
If CentOS 6 or lower, download apr and apr-util
Configure with enable-so, then make and make install:
./configure --enable-so --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr
Download mod_owa and unzip it
Create an empty directory. Copy all files from "apache24" into the new folder. Copy all files from "src" into the new folder
Enter the new folder and edit modowa.mk <-- important: add $ORACLE_HOME, edit APACHE_TOP
Copy mod_owa.so to Apache's modules directory
Add a modowa.conf in Apache's conf/ dir.
Example modowa.conf:
LoadModule owa_module modules/mod_owa.so
<Location /pls>
    Options None
    SetHandler owa_handler
    OwaUserid user/pass
    OwaNLS AMERICAN_AMERICA.AL32UTF8
    OwaPool 100
    OwaStart "package.procedure"
    OwaDocProc "wwv_flow_file_mgr.process_download"
    OwaDocTable photos_upload BLOB_CONTENT
    OwaUploadMax 50M
    OwaCharset "utf8"
    order deny,allow
    allow from all
    OwaReset LAZY
    OwaCharsize 4
    OwaFlex package.procedure
    OwaHttp REST
</Location>
Before starting httpd, ORACLE_HOME and NLS_LANG need to be set (ORACLE_SID also if local). It needs access to an Oracle Home with libclntsh.so (an Oracle client will do).
I simply added oracle.conf (one line: the full path to oracle home/lib) under /etc/ld.so.conf.d (+ ldconfig).
Really scalable and a much cleaner setup than OHS.
My shop is pretty much in the same situation as you are.
We also have some very large mod_plsql/htp based applications and will have to migrate to the Oracle REST Data Services at some point.
We have already spent quite some time testing different ORDS configurations and our overall conclusions are:
only APEX applications are fully supported
key functionality is still available
harder to configure and maintain
slight performance degradation
some mod_plsql configuration options no longer exist or have changed
The biggest problems we are currently facing (and actually preventing us from switching to ORDS) are some restrictions when using non-APEX (pure HTF/HTP) applications.
We already filed some SR's because some functionality in ORDS (for example the file upload and download API) is only available when running an APEX application.
The biggest hurdle to get over is setting up Oracle Rest Services (ORS) and securing it. Once this is done, your web toolkit apps will work the same. The URL may slightly change, so if you've referenced URLs using full paths as opposed to relative paths you might need to modify code.
I am not sure if ORS is as powerful as Apache in areas like mod_rewrite, mod_proxy, virtual hosts with multiple ip addresses, etc...
Another open source alternative is tox.

Multiple iDempiere instances in one server

I need to install multiple iDempiere instances on one server. The customized packages are different in build and in the DB they are using. Is there any way to deploy both of them on one server and access them like localhost:8080/client1, localhost:8080/client2? Any help appreciated.
When I want to reference several application servers I need to copy the path of the various installations
and change the database name and port of each application:
/opt/idempiere-server-production/ (on port 8080 for example) for production
And
/opt/idempiere-server-test/ (on port 8081 for example) for test
The way you said is not possible, because the iDempiere server for the webapp is known as
http://hostname:port/webui
Running multiple instances of idempiere on a single server is not too difficult.
Here is what you need to take care of:
Install the instances into different directories. The instances do not need to share any common files. So you are just fine making a full installation for each instance.
Make sure each instance uses its own data base. Use different names for the instance data bases.
Make sure the idempiere server instances use different tcp ports.
If you really should need to use a single port to access all of the instances you could use an HTTP server like Apache or nginx to define virtual hosts. Proxying or use of rewrite rules will then allow you to do the desired redirections. (I am using subdomains and Apache mod_proxy to do the job.)
There is another benefit to using subdomains for browser access: If all your server instances use the same host name the client browser will sometimes not be able to keep cookies from different instances apart, which can lead to a blocked session as discussed here in the idempiere google group.
Use different DB user names. The docs advise not to change the default user name Adempiere and this is ok for a single instance installation. Still if you use a single DB user for all of your instances you will run into trouble once you need to restore a database from a backup file. The RUN_DBRestore.sh will delete and recreate the DB user which is not possible when the user owns more than one DB.
You can run all of your instances as services in parallel. Before the installation of another instance rename the service script: sudo mv /etc/init.d/idempiere /etc/init.d/idempiere-theInstance. Of course you will need to do some book keeping work with the service controller of your OS to ensure that the renamed services are started as desired.
The service controller talks to the iDempiere server via the OSGI console. For this to work without problems in a multi instance environment you need to assign a different telnet port number to each of the instances: in the editor of your choice open the file /etc/init.d/iDempiere. Find the line export TELNET_PORT=12612 and change the port number to something else.
Please Note:
OS specific descriptions in this guide are for Ubuntu 16/18 or Debian, if on another OS you need to do some research.
I have been using the described approach to host idempiere versions 5 and 6 for some time now and did not have any problems so far. Still make sure you do your own thorough tests if you want to go that route.
If you run into any problems (and maybe even manage to solve them) please report back to the community. (by giving your own answer to this question or by posting to the idempiere google group) Thanks!
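An added illustration of the cookie point made in the answer above (my own code, using Python's standard-library cookie jar as a stand-in for a browser; the host names and session ids are made up): two instances on the same host name but different ports overwrite each other's session cookie, because cookies are scoped by host and path, not by port, while separate subdomains keep them apart.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs info() with get_all()."""
    def __init__(self, set_cookie):
        self._msg = Message()
        self._msg['Set-Cookie'] = set_cookie
    def info(self):
        return self._msg

def login(jar, base_url, session_id):
    """Simulate one iDempiere instance at base_url handing the browser its session cookie."""
    req = Request(base_url + '/webui')
    jar.extract_cookies(FakeResponse(f'JSESSIONID={session_id}; Path=/'), req)

def cookies_for(jar, base_url):
    """Return the {name: value} cookies the browser would send on a request to base_url."""
    req = Request(base_url + '/webui')
    jar.add_cookie_header(req)
    header = req.get_header('Cookie', '')
    return dict(p.split('=', 1) for p in header.split('; ') if p)

def sessions_kept_apart(url_a, url_b):
    """True if logging in to both instances leaves each with its own session cookie."""
    jar = CookieJar()
    login(jar, url_a, 'sessA')
    login(jar, url_b, 'sessB')
    return (cookies_for(jar, url_a).get('JSESSIONID') == 'sessA'
            and cookies_for(jar, url_b).get('JSESSIONID') == 'sessB')
```

With `http://erp.example.test:8080` and `http://erp.example.test:8081` the second login replaces the first cookie, which is the blocked-session symptom the answer mentions; with `prod.erp.example.test` and `test.erp.example.test` both sessions survive.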
You can have as many setups on your server as you like. When you run the setup to create your properties, simply choose other web ports for each installation. You also may need to slightly change the web servers' configuration if they have some default ports.