Discussion:
Bad signed cookie "mojolicious"
El'Drako
2013-01-13 09:30:03 UTC
Permalink
Hi,
I just got acquainted with Mojolicious, respectively I have questions.

have this code:

# Application
package SIP;
use Mojo::Base 'Mojolicious';
use utf8;
...
sub startup {
  my $self = shift;
  $self->secret('fggwgwrggowifjwh7437hqnva7o');
  ...
  my $r = $self->routes;
  $r->get('/')->to('main#index');
}

# SIP/main.pm
package SIP::Main;
use Mojo::Base 'Mojolicious::Controller';

# This action will render a template
sub index {
  my $self = shift;

  # Render template "main/index.html.ep" with message
  $self->render(title => 'test');
}

#templates
# main/index.html.ep
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><%= $title %></title>
</head>
<body>
<div id="container">
%= include 'main/mainmenu'
%= include 'main/header'
<div id="content">
%= include 'main/leftsidebar'
<div id="content_right">
%= include 'main/content'
</div> <!-- end of content right -->
<div class="cleaner_with_height">&nbsp;</div>
</div> <!-- end of content -->
%= include 'main/footer'
</div> <!-- end of container -->
</body>
</html>

# main/heder.html.ep
<div id="logon">
<a href="/" style=""><%= $logon %></a><br/>
<small><%= $sublogon %></small>
</div>


and etc...
Bad signed cookie "mojolicious", possible hacking attempt.
if remove the %include and make a template in one file, the message
disappears.

how to work with templates from multiple files?

P.S. Sorry for my bad English.
--
You received this message because you are subscribed to the Google Groups "Mojolicious" group.
To view this discussion on the web visit https://groups.google.com/d/msg/mojolicious/-/1B8v7chvwasJ.
To post to this group, send email to ***@googlegroups.com.
To unsubscribe from this group, send email to mojolicious+***@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/mojolicious?hl=en.
Wes Cravens
2013-01-13 10:31:43 UTC
Permalink
I've not looked really close yet because at first glance I kinda suspect
that the problem is somewhere in the code that you replaced with '...'
in your example.

The message that you are getting suggests that there is something wrong
with your session cookie. But the session cookie isn't being used in
the code you provided as far as I can tell.

Wes
El'Drako
2013-01-13 10:51:14 UTC
Permalink
full app and controller:

package SIP;
use Mojo::Base 'Mojolicious';
use utf8;
use IO::Compress::Gzip 'gzip';
use Mojolicious::Plugin::Config;

sub development_mode {
  # Enable browsing of "/doc" only in development mode
  shift->plugin(DOCRenderer => {preprocess => 'ep'});
}

# This method will run once at server start
sub startup {
  my $self = shift;

  # Documentation browser under "/perldoc"
  $self->plugin('PODRenderer');

  $self->hook(after_render => sub {
    my ($self, $output, $format) = @_;

    # Check if "gzip => 1" has been set in the stash
    return unless $self->stash->{gzip};

    # Check if user agent accepts GZip compression
    return unless ($self->req->headers->accept_encoding // '') =~ /gzip/i;

    # Compress content with GZip
    $self->res->headers->content_encoding('gzip');
    gzip $output, \my $compressed;
    $$output = $compressed;
  });

  #my $config = $self->plugin('Config' => {file => 'sip.conf'});

  #$self->secret($config->{secret});
  $self->secret('fggwgwrggowifjwh7437hqnva7o');

  # Router
  my $r = $self->routes;

  # Normal route to controller
  $r->get('/')->to('main#index');
}
1;

##############
package SIP::Main;
use Mojo::Base 'Mojolicious::Controller';
use Mojolicious::Plugin::Config;

# This action will render a template
sub index {
  my $self = shift;
  my $config = $self->stash('config');

  # Key from the config for encrypting cookies
  #$self->secret($config->{secret});

  # Render template "main/index.html.ep" with message
  $self->render(
    title    => 'test',
    logon    => 'test2',
    sublogon => 'subtest',
    gzip     => 1);
}

1;

#########
templates in first post.

Wes Cravens
2013-01-13 11:55:49 UTC
Permalink
I'm still not seeing anything suspicious. Do you have anything in
main/mainmenu or main/header that could be accessing the session?

In any case. What I can tell you is that I get this problem when I've
been fiddling around with different applications with different session
secrets but from the same host. Or if I just change the secret in my
app this will happen until my app sends a new session cookie.

E.g.
If I locally run appA; and hit http://localhost:3000 with my browser
this may set a session cookie.

If I then stop appA and run appB that has a different session secret to
appA then hitting http://localhost:3000 will send the appA cookie, the
signature will be off and appB will log something like what you got.

You could try eliminating any cookie 'cross-talk' and see if your log
message goes away.[1] I really don't think it's related to your
template include unless using session data in those included files is
what's triggering it. I'd have to fiddle around to check and see
exactly when Mojolicious evaluates the cookie and signature.

Wes

[1] The brute force method of this would be to delete all browser cookies
and start fresh.
ElDrako
2013-01-13 12:04:13 UTC
Permalink
do not know if that helped, but the message was gone - I just added a few
routes and deleted the cookies on a template "mojo *".

Thanks for your help.
El'Drako
2013-01-13 12:09:07 UTC
Permalink
do not know if that helped, but the message was gone - I just added a few
routes and deleted the cookies in browser on a template "mojo*".

Thanks for your help.
Charlie Brady
2013-01-13 18:51:20 UTC
Permalink
Post by Wes Cravens
I'm still not seeing anything suspicious. Do you have anything in
main/mainmenu or main/header that could be accessing the session?
In any case. What I can tell you is that I get this problem when I've
been fiddling around with different applications with different session
secrets but from the same host. Or if I just change the secret in my
app this will happen until my app sends a new session cookie.

Set a per-app cookie name with app->sessions->cookie_name().
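
The appA/appB scenario and the per-app cookie name suggestion from the replies above, modelled in plain Perl as an added example; it is not code from the thread or from Mojolicious. The "value--HMAC" cookie layout, the secrets, the app names and the cookie value are assumptions constructed for illustration.

```perl
# Added illustration, not Mojolicious source: a simplified "value--HMAC"
# signed cookie. Secrets, names and the cookie value are constructed.
use strict;
use warnings;
use Digest::SHA 'hmac_sha1_hex';

sub sign_cookie {
  my ($value, $secret) = @_;
  return $value . '--' . hmac_sha1_hex($value, $secret);
}

# Returns the value if the signature matches this secret, undef otherwise.
sub verify_cookie {
  my ($cookie, $secret) = @_;
  return undef unless $cookie =~ /\A(.*)--([0-9a-f]{40})\z/s;
  my ($value, $sig) = ($1, $2);
  my $expected = hmac_sha1_hex($value, $secret);
  my $diff = 0;    # compare every byte instead of stopping at the first mismatch
  $diff |= ord(substr $sig, $_, 1) ^ ord(substr $expected, $_, 1) for 0 .. 39;
  return $diff == 0 ? $value : undef;
}

# Browsers key cookies by host and name, not by port, so every app served
# from "localhost" shares this jar.
my %jar;

# One request/response cycle: the browser sends the cookie stored under the
# app's cookie name, the app checks it and replies with a freshly signed one.
sub request {
  my ($app, $host) = @_;
  my $cookie = $jar{$host}{$app->{cookie_name}};
  my $status = !defined($cookie) ? 'no cookie sent'
    : defined(verify_cookie($cookie, $app->{secret})) ? 'signature ok'
    :                                                   'bad signature';
  $jar{$host}{$app->{cookie_name}} = sign_cookie('user=demo', $app->{secret});
  return $status;
}

my $app_a = {cookie_name => 'mojolicious', secret => 'constructed-secret-A'};
my $app_b = {cookie_name => 'mojolicious', secret => 'constructed-secret-B'};
print "appA, first visit:         ", request($app_a, 'localhost'), "\n";
print "appB, inherits A's cookie: ", request($app_b, 'localhost'), "\n";
print "appB, after re-issuing:    ", request($app_b, 'localhost'), "\n";

# Same sequence with a per-app cookie name: appB never sees appA's cookie.
%jar = ();
$app_b->{cookie_name} = 'appb_session';
request($app_a, 'localhost');
print "appB, own cookie name:     ", request($app_b, 'localhost'), "\n";
```

The second request fails verification because appB checks appA's cookie against a different secret, and the third passes because appB has replaced the cookie by then. A rejected signature on a development host therefore usually means a stale or foreign cookie, while the same log line in production, where secrets and cookie names are stable, deserves a closer look.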
