Destroy a session in Load Impact - azure

I have created a user scenario in Load Impact to simulate a couple of hundred users in our web store.
The problem is that I can't seem to simulate the users in our Azure Queue.
The queue is only increasing with +1 users and not the hundreds of users as I want :)
I have created a random correlation id, but it seems like the session is still there.
Is there a way to destroy the session so when the script is looping a new session is created?
I found a Lua reference that says destroy:session but it won't work for me.
function rnd()
    return math.random(0000, 9999)
end
http.request_batch({
    {"POST", "http://STORE.////",
        headers={["Content-Type"]="application/json;charset=UTF-8"},
        data="{\"ChoosenPhoneModelId\":0,\"PricePlanId\":\"phone\",\"CorrelationId\":\"e97bdaf6-ed61-4fb3-".. rnd().."-d3bb09789feb\",\"ChoosenPhoneColor\":{\"Color\":1,\"Code\":\"#d0d0d4\",\"Name\":\"Silver\",\"DeliveryTime\":\"1-2 veckor\",\"$$hashKey\":\"005\"},\"ChoosenAmortization\":{\"AmortizationLength\":24,\"Price\":312,\"$$hashKey\":\"00H\"},\"ChoosenPriceplan\":{\"IsPostpaid\":true,\"IsStudent\":false,\"IsSenior\":false,\"Title\":\"Fast \",\"Description\":\"Hello.\",\"MonthlyAmount\":149,\"AvailiableDataPackages\":null,\"SubscriptionBinding\":1,\"$$hashKey\":\"00M\"},\"ChoosenDataPackage\":{\"Description\":\"20 GB\",\"PricePerMountInKr\":149,\"DataAmountInGb\":20,\"$$hashKey\":\"00U\"}}",
        auto_decompress=true}
})
Any tips on how to.
Thanks in advance.

The correlation id isn't a random number. It's set by your server in a cookie. Get and use like this:
local response = http.request_batch({
    {"GET", "http://store.///step1", auto_decompress=true},
})
-- extract correlation Id
local strCorrelationId = response[1].cookies['corrIdCookie']
http.request_batch({
    {"POST", "http://STORE.////",
        headers={["Content-Type"]="application/json;charset=UTF-8"},
        data="{\"ChoosenPhoneModelId\":0,\"PricePlanId\":\"phone\",\"CorrelationId\":\"".. strCorrelationId .. "\",\"ChoosenPhoneColor\":{\"Color\":1,\"Code\":\"#d0d0d4\",\"Name\":\"Silver\",\"DeliveryTime\":\"1-2 veckor\",\"$$hashKey\":\"005\"},\"ChoosenAmortization\":{\"AmortizationLength\":24,\"Price\":312,\"$$hashKey\":\"00H\"},\"ChoosenPriceplan\":{\"IsPostpaid\":true,\"IsStudent\":false,\"IsSenior\":false,\"Title\":\"Fast \",\"Description\":\"Hello.\",\"MonthlyAmount\":149,\"AvailiableDataPackages\":null,\"SubscriptionBinding\":1,\"$$hashKey\":\"00M\"},\"ChoosenDataPackage\":{\"Description\":\"20 GB\",\"PricePerMountInKr\":149,\"DataAmountInGb\":20,\"$$hashKey\":\"00U\"}}",
        auto_decompress=true}
})
That is what makes your user unique. If you set CorrelationId to just any random number your server will simply not accept the session in your queue.
Once it's unique and correct your server will accept the POST properly.

Related

Problem with revolut api transactions list

For a few days now we have been experiencing trouble with the Revolut API.
We use this library: https://github.com/useme-com/revolut-python
Now when we try to retrieve a list of transactions we receive:
root## python3 transactions.py
HTTP 400 for https://b2b.revolut.com/api/1.0/transactions: Duplicate key User#XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX (attempted merging values XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX and YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYY)
The code is pretty straightforward, to debug basically:
[...]
# Enable Session
session = RenewableSession(refreshtoken,clientid,jwttoken)
# Create API Client
revolut = Client(session)
# Transactions Display
for transaction in revolut.transactions():
    print(transaction)
[...]
The same code, from our side, worked until 3 days ago, without errors.
Any ideas on what's going on?
Is it possible that there is a failure on Revolut's side?
They are not responding on this (we already opened a ticket about it).
ty
I got this issue while using a high count param
https://b2b.revolut.com/api/1.0/transactions?count=1000
Reducing count to 100 or 200 made me get a good response. I think Revolut has some issues when sending an API response that includes a very old historical transaction, due to changes in data structure/merging etc. at their end.

How do I enforce a server-generated timestamp to a document in Firestore? [duplicate]

How do I check that a user on the client side created a document with only firebase.firestore.FieldValue.serverTimestamp()?
I have the following:
allow create: if request.resource.data.timestamp == ??
What should I have instead of ??? I have tried serverTimestamp(), firebase.firestore.FieldValue.serverTimestamp(), now or now() but it doesn't work.
It is possible to do it in Firebase like this:
".validate": "newData.child('timestamp').val() === now"
I am looking for the same solution. Any ideas? Thanks
You can access the current request timestamp in Security Rules using the request.time attribute (docs), which is the Firestore equivalent to the Realtime Database's now. You'll therefore want something like:
allow create: if request.resource.data.timestamp == request.time;
For serverTimestamp() this should evaluate to true.
You should always validate client input in Security Rules, even if you're using serverTimestamp(). Security Rules doesn't automatically know the server input the value instead of the client, so without this check, a malicious client could create a different created at time.

How to remove the data after user has logged out?

I was following along the example Lending Library app in the book "Packtpub.Getting.Started.with.Meteor.js". It is running at:
http://matloob.lendlib.meteor.com
It works fine, but when a user logs out when one category is open and its items are being displayed, that category and its items remain on the page while the rest is filtered out. On refreshing the page the remaining category is also filtered out.
The publish function is:
Meteor.publish("Categories", function () {
    Meteor.flush(); // I added this so it will flush out the remaining data, but :(
    return lists.find({owner: this.userId}, {fields: {Category: 1}});
});
It is hard to point out the exact vulnerability without seeing more code but this is what I could find out: even if not logged in as a user, one can set the session variable current_list to an id to get the corresponding list document:
Session.set("current_list",'ZLREaTCPiC6E7ece3')
So I assume that somewhere in your code you publish the details of a list given its id.
At least this would explain why the list remains even after logging out when a category is selected (which in turn means current_list holds an id).
Possibly publishing the list is done using Deps.autorun since the list is immediately published once the session variable is changed.
Maybe you can find that piece of code and post it or just change it so that it also includes a check whether the user is the owner of that list or category.
Consider using the user-status package to listen for users logging out and doing some cleanup on the server as a result:
https://github.com/mizzao/meteor-user-status
Specifically, you can use the following callback:
UserStatus.on "sessionLogout", (advice) ->
    console.log(advice.userId + " with session " + advice.sessionId + " logged out")

Shiro resets the session after 2 min

I am using Apache Shiro in my webapp.
I store some parameters in the session notably the primary key of an object stored in the database.
When the user logs in, I load the object from the database and save the primary key in the session. Then within the app the user can edit the object's data and either hit a cancel or a save button.
Both buttons trigger an RPC that gets the updated data to the server. The object is then updated in the database using the primary key stored in the session.
If the user remains active in the app (making some RPCs) everything works fine. But if he stays inactive for 3 min and subsequently makes an RPC then Shiro's securityUtils.getSubject().getSession() returns null.
The session timeout is set to 1,200,000 ms (20 min) so I don't think this is the issue.
When I go through the sessions stored in the cache of my session manager I can see the user's session org.apache.shiro.session.mgt.SimpleSession,id=6de78f10-b58e-496c-b40a-e2a9a4ad069c but when I try to get the session ID from the cookie and to call SecurityUtils.getSecurityManager().getSession(key) to get the session (where key is a SessionKey implementation): I get an exception.
When I try building a new subject from the session ID I lose all the attributes saved in the session.
I am happy to post some code to help resolve the issue but I tried so many workarounds that I don't know where to start... So please let me know what you need.
Alternatively if someone knows a better documented framework than Shiro I am all ears (Shiro's lack of documentation makes it really too time consuming)
The issue was related to the session config in the ini file. As usual with Shiro, the order mattered and some of my lines were out of place.
Below is the config that worked for me:
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
#sessionDAO.activeSessionsCacheName = dropship-activeSessionCache
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionDAO = $sessionDAO
# cookie for single sign on
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = www.foo.com.session
cookie.path = /
sessionManager.sessionIdCookie = $cookie
# 1,800,000 milliseconds = 30 mins
sessionManager.globalSessionTimeout = 1800000
sessionValidationScheduler = org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler
sessionValidationScheduler.interval = 1800000
sessionManager.sessionValidationScheduler = $sessionValidationScheduler
securityManager.sessionManager = $sessionManager
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
It sounds as if you have sorted out your problem already. As you discovered, the main thing to keep in mind with the Shiro INI file is that order matters; the file is parsed in order, which can actually be useful for constructing objects used in the configuration.
Since you mentioned Shiro's lack of documentation, I wanted to go ahead and point out two tutorials that I found helpful when starting:
http://www.javacodegeeks.com/2012/05/apache-shiro-part-1-basics.html
and
http://www.ibm.com/developerworks/web/library/wa-apacheshiro/.
There are quite a few other blog posts that provide good information to supplement the official documentation if you look around.
Good luck!

Strict control over the statement_timeout variable in PostgreSQL

Does anybody know how to limit a user's ability to set variables? Specifically statement_timeout?
Regardless of if I alter the user to have this variable set to a minute, or if I have it set to a minute in the postgresql.conf file, a user can always just type SET statement_timeout TO 0; to disable the timeout completely for that session.
Does anybody know a way to stop this? I know some variables can only be changed by a superuser but I cannot figure out if there is a way to force this to be one of those controlled variables. Alternatively, is there a way to revoke SET from their role?
In my application, this variable is used to limit the ability of random users (user registration is open to the public) from using up all the CPU time with (near) infinite queries. If they can disable it then it means that I must find a new methodology for limiting resources to users. If there is no method for securing this variable, are there other ways of achieving this same goal that you may suggest?
Edit 2011-03-02
The reason the database is open to the public and arbitrary SQL is allowed is because this project is for a game played directly in the database. Every player is a database user. Data is locked down behind views, rules and triggers, CREATE is revoked from public and the player role to prevent most alterations to the schema and SELECT on pg_proc is removed to secure game-sensitive function code.
This is not some mission critical system I have opened up to the world. It is a weird proof of concept that puts an abnormal amount of trust in the database in an attempt to maintain the entire CIA security triangle within it.
Thanks for your help,
Abstrct
There is no way to override this. If you allow the user to run arbitrary SQL commands, changing the statement_timeout is just the top of the iceberg anyway... If you don't trust your users, you shouldn't let them run arbitrary SQL - or accept that they can run, well, arbitrary SQL. And have some sort of external monitor that cancels the queries.
Basically you can't do this in plain postgres.
In the meantime, to accomplish your goal you may use some type of proxy and rewrite/forbid some queries.
There are several solutions for that, e.g.:
db-query-proxy - article on how it was born (in Russian).
PgBouncer + pgbouncer-rr-patch
The last one contains very useful examples, and it is very simple to do in Python:
import re

def rewrite_query(username, query):
    # Patterns for the two queries to redirect; raw strings keep the escaped parentheses intact
    q1 = r"SELECT storename, SUM\(total\) FROM sales JOIN store USING \(storeid\) GROUP BY storename ORDER BY storename"
    q2 = r"SELECT prodname, SUM\(total\) FROM sales JOIN product USING \(productid\) GROUP BY prodname ORDER BY prodname"
    if re.match(q1, query):
        new_query = "SELECT storename, SUM(total) FROM store_sales GROUP BY storename ORDER BY storename;"
    elif re.match(q2, query):
        new_query = "SELECT prodname, SUM(total) FROM product_sales GROUP BY prodname ORDER BY prodname;"
    else:
        # Anything else is forwarded unchanged
        new_query = query
    return new_query
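
The same hook applied to the question's actual problem, as an added example (not code from the answer above or from pgbouncer-rr-patch): a rewrite_query function with the signature shown above that refuses any statement naming statement_timeout except a plain SHOW. TRUSTED_USERS, BLOCKED_QUERY, the role names and the sample queries are assumptions constructed for illustration.

```python
import re

# Assumptions for this example: role names and the replacement statement.
TRUSTED_USERS = {"postgres"}   # hypothetical admin roles exempt from the filter
BLOCKED_QUERY = "SELECT 'changing statement_timeout is not permitted' AS notice;"

# Any mention of the setting, in any case, quoted or not.
_MENTION = re.compile(r"statement_timeout", re.IGNORECASE)
# The only form let through: a lone SHOW, with nothing after the optional ';'.
_SHOW_ONLY = re.compile(r"\s*show\s+statement_timeout\s*;?\s*\Z", re.IGNORECASE)


def touches_timeout(query):
    """True if the query text names statement_timeout outside a plain SHOW.

    Fail closed: comments and string literals are not stripped, because a
    naive stripper can be made to hide part of the statement. The cost is
    that a harmless query merely mentioning the name is refused too.
    """
    if not _MENTION.search(query):
        return False
    return _SHOW_ONLY.match(query) is None


def rewrite_query(username, query):
    """Hook with the signature used above: return the query to forward."""
    if username not in TRUSTED_USERS and touches_timeout(query):
        return BLOCKED_QUERY
    return query


def audit(username, queries):
    """Return (query, forwarded_unchanged) pairs for a batch of queries."""
    return [(q, rewrite_query(username, q) == q) for q in queries]


# Constructed sample session for a player role.
SAMPLES = [
    "SELECT 1;",
    "SHOW statement_timeout;",
    "SET statement_timeout TO 0;",
    "set local Statement_Timeout = 0",
    "SELECT set_config('statement_timeout', '0', false);",
    "ALTER ROLE player1 SET statement_timeout TO 0;",
    "SELECT 1; SET statement_timeout TO 0;",
]

if __name__ == "__main__":
    for q, allowed in audit("player1", SAMPLES):
        print("ALLOW" if allowed else "BLOCK", q)
```

A text filter only sees the literal query string, so it complements rather than replaces the external monitor that cancels long-running queries, as suggested in the other answer.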
