Zotero doing a duplicate HTTP request (2090368446)

cejacksonma
I work for Ebsco Publishing. We've noticed that when working through Ezproxy in proxy-by-port mode, Zotero can create at least one duplicate access, where the same URL is sent in twice. In Ebsco's case, this can cause an error response on the second access. The page that is shown to the user is the correct one based on the first request, but I can see the invalid second request and response in a Fiddler trace.

I reported bugid 2090368446, but I have no idea whether the information in that report actually relates to what we're seeing.

I have a Fiddler trace if there's a place to upload it.
  • cejacksonma
    I can provide steps to reproduce, but they require working through an instance of Ezproxy that we use for testing. I can get credentials to any developer who needs them.
  • dstillman
    A Debug ID would be more helpful here.
  • cejacksonma
    I enabled debugging and submitted the ID D2044933401.

    Didn't look as helpful as I would have hoped. :-(

    Craig
  • dstillman
    I don't see any HTTP requests in there at all.
  • cejacksonma
    Can I send you a Fiddler SAZ file, or any other format?
  • dstillman
    Are you sure that debug output encompasses the HTTP requests? They should always be logged if they're actually made.
  • cejacksonma
    I did it again. D1890942534. Longer this time. (I did "enable after restart" and restarted Firefox.)
  • cejacksonma
    FYI, the URL I'm using is http://ezport.lib.ebscopub.net:2060/login.aspx?direct=true&db=a9h&AN=85407980&site=ehost-live.

    For you to use it, I'd need to add a username and password for you.
  • cejacksonma
    Just did it again. D1103603166

    The notable thing about this problem is that Zotero doesn't need to be active for it to happen. Just enabled.
  • dstillman
    Wait, what's the actual problem that you're reporting? I assumed you were referring to URL-bar saving, hence my comments above about HTTP requests, but now it sounds like you're talking about just loading a proxied web page. What are the steps to reproduce here?
  • dstillman
    So if this is just about loading a proxied web page, Simon would have to comment further, but first see if this still happens with 4.0b1.
  • cejacksonma
    edited March 25, 2013
    Enter the following URL:

    http://ezport.lib.ebscopub.net:2048/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=85407980&site=ehost-live

    Login with dstillman/Zotero

    If Zotero is disabled in Firefox, you'll see this sequence:

    1. /login port 2048, 200
    2. /login port 2048, 302
    3. /connect port 2048, 302
    4. /login.aspx port 2060, 302,
    5. /Community.aspx port 2060, 302
    6. /plink port 2072, 302
    7. /ehost/detail port 2072, 200

    With Zotero enabled, you'll see:

    1. /login port 2048, 200
    2. /login port 2048, 302
    3. /connect port 2048, 302
    4. /login.aspx port 2060, 302,
    5. /Community.aspx port 2060, 302
    6. /plink port 2072, 302
    7. /plink port 2072, 302
    8. /login port 2048, 302
    9. /plink port 2072, 200
    10. /ehost/detail port 2072, 200

    The access in (6) is the problem one. It is transmitted with no cookies, which results in the redirect that results in the (8) and (9) accesses. However, the access in (9) is a retransmission of the one in (7). That particular URL of ours can only be used once, result in the error result seen in the body of (9).

    Craig
  • Simon
    Without making the request in (6), Zotero has no way of knowing what domain port 2072 corresponds to. It gets this information by inspecting the login parameter of the redirect from 2072 to 2048 when no cookies are supplied. However, it should be possible to avoid requests (8) and (9).
  • cejacksonma
    Is this code specific to Ezproxy? I don't quite understand exactly what a duplicate transaction without the cookies will learn in the general case.

    Note that in the case I've been able to duplicate, only a single duplicate transaction occurs. However, we've seen in our error logs where a loop appears to occur in the background. I've seen the loop send us well over 10,000 erroneous transactions per hour. It's all in the background so the user of the browser never notices a problem, other than perhaps some browser and network slowness. A packet trace of one of these loops from the Ezproxy side showed that these cookieless accesses were involved.

    I have noted that when Ezproxy is in proxy-by-hostname mode, the extra access does not occur. This agrees with our logs, which never seem to show loops from Ezproxy instances in proxy-by-hostname mode.
  • Simon
    The code exists specifically to find the domains of proxy-by-port EZProxies when one proxy-by-port EZProxy links or redirects to another. It isn't executed under any other circumstances.

    I'm not entirely sure what would cause the loop, but I'm pretty sure we can eliminate it by not following the redirects after the request without cookies.
  • Simon
    I've fixed this for 4.0 and verified that requests (8) and (9) no longer happen. Unless you see a way (6) would be problematic on its own, or you know a way to get mappings from EZProxy ports to domains without it, we will keep doing it.
  • cejacksonma
    I see the problem. I don't know of a different way. Was this worked out with in cooperation with the folks at ezproxy@oclc.org?

    As you indicate, it's probably OK as long as you don't chase the resulting redirect. The extra access is going to the Ezproxy. As far as I know only the chased redirects are going on to the database provider.

    Which Beta will this be included in?

    I have a customer who can replicate the loop fairly readily. What would be the best way for him to test it? Should I tell him to get in touch with you?

    Based on https://wiki.mozilla.org/RapidRelease/Calendar, Firefox 20 is supposed to drop a week from today, so I'm assuming that this will need to be released soon.
  • dstillman
    edited March 25, 2013
    This fix is available in the 4.0 Branch dev XPI, so he could check with that (which at this point is mostly just 4.0 Beta 1 plus this fix).

    I'm not sure if we'll do a Beta 2, but 4.0 Final will indeed be released by the time Firefox 20 ships.
  • pahool
    Hi, I work with the hosted EZProxy implementation team. I've been in touch with a couple of proxy-by-port customers who have experienced this issue. Great that it's getting fixed. If you need any input or help from the ezproxy folks, email us at ezproxy@oclc.org
  • cejacksonma
    I have downloaded the dev build and verified from the client end that the extra access to the vendor site no longer appears to occur. (I have not yet verified from the host end.)

    It seems like OCLC and Zotero could collaborate to eliminate even the one extra access. For example, the hostname corresponding to the redirected-to port could be added as an extra "X-" HTTP header when redirecting a session to a new port. There would be no extra information exposure, as the hostname can always be inferred by doing what Zotero does now.
  • cejacksonma
    Does Zotero Standalone contain similar code to special-case handling of Ezproxy?

    Does it work at all with IE?

    We're trying to ascertain whether any of the other errors we've seen may have been related to Zotero.
  • Simon
    The EZProxy code applies only to Zotero for Firefox.
  • cejacksonma
    With which versions of Firefox is Zotero 4.0.1 compatible?

    I'm wondering if users who are unwilling to upgrade Firefox may still be able to upgrade Zotero.
  • adamsmith
    4.0 is compatible with FF 17 upwards.
    Anyone using a pre-17 FF version (which is the latest ESR release) doesn't receive security updates anymore and should be strongly discouraged from using the internet ...
Sign In or Register to comment.