My application which is created in jHipster and resides in an iFrame,
However I get an
unauthorized
page whenever i want to login.
i already tried disabling CSRF , but i am not able to login, it works fine when it is not in an iframe,
Please help
thanks
A
Related
I have a basic Spring (v5.3.23) web app running in an Apache Tomcat container (v9), and using eclipse as IDE. It uses Spring security for processing logins.
Everything runs almost correctly, but sometimes, after a successful login, the browser shows a white page, while there is no exception logged server-side or any other message. The problem appears both in development environment and production environment, so I don't think it's eclipse-related.
I have managed to pin down the problem to the following sequence :
Start tomcat container
Open login page in browser
After login, the secured home page is displayed correctly
Re-start tomcat (the problem occurs both when changes are made to the web app or not)
Refresh the browser, which redirects to login
Login again
The blank page is shown, no exception logged, no log messages in console
In this sequence, the problem occurs most of the time. If between steps 5 and 6 I refresh the page one more, meaning the login page is reloaded, the white page problem does not occur anymore, and the proper page is displayed.
A strong possibility is that it's something related to either the CSRF token in the login form or the JSESSION cookie of the container, but short of debugging through Spring code, I can't figure it out.
LATER EDIT
I narrowed down the issue to the CSRF token; if I change the value in the login form, I always get the blank page.
I have noticed the _csrf token has one value in the login form, then a different, but single value across all form that are used while the user is connected. Seems like the _csrf token is linked to the user session somehow.
The same happens when the login page is refreshed: different tokens in login & other app forms, but somehow,, sometimes, the initial token does not match what the server expects.
I'm developing an app in shopify app market
As you know, shopify apps work in iframe. I've no problem in session when i directly use the app in browser without iframe.
The issue is only within iframe.
I'll process oauth for shopify and redirect it to my app url inside the iframe. I'll set required session data if oauth is successfull.
But as soon as the page is redirected to the dashboard page after setting session. The dashboard page doesn't have the session data which i set earlier
In oauth success block, i used this to set session data
$this->session->set_userdata('variable', array('uid' => 15));
In dashboard page, i used this to get session data
print_r($this->session->userdata('variable'));
But here i receive empty nothing else.
I tried many solutions in the web regarding this issue
But their issue is with or without iframe.
I tried lots of solutions, but nothing worked for me
Fyi, CI Version is 3.1.11
PHP Version is 7.1.9 and also tested with 7.4.21
I tried
ini_set('session.id', $params['cookie_name']);
and manually commenting our session_start() and other lines in Session.php files and other stuff
Nothing is fixed this issue
Any help would be greatly appreciated
I am using spring with ext js for my web application. Un- authorized users able to access app.js file. Please suggest how to protect it.
Facebook Registration works fine and users are redirected to the website but when users try to log-in using their FB account then it does not seem to work, that is, users are not redirected to the website instead loads facebook.com .
I checked the url before facebook asks user to enter fb password and it seems like permission denied is shown as below, but not sure what does that mean?:
callback%3Ferror%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied
I have added https which I thought could be the cause of error but then so many websites still use fb login successfully even when they don't have SSL (https). Also, SSL (https) does not seem to resolve the issue.
I am not sure how to debug this issue because not sure what is causing this, Laravel Socialite is straight-forward. Other Socialite Login I tried for example: Google+ seems to work just fine.
Any help is appreciated.
If You would like to see any part of the code, let me know in the comment.
Hi I have a static website running at localhost:8080/site. Here I display a login form. The form's action is project:8888/app_dev.php/login_check
My Symfony application, running at project:8888/app_dev.php/ also has it's own login form with the same action, at project:8888/app_dev.php/login
When I login using the login form in my Symfony application all works fine.
When I submit the login form on the static website, I get the following security error:
Your session has timed out, or you have disabled cookies
I assume this is a security matter, which makes it impossible to post login credentials from another domain? Is there a way to work around? Thanks in advance.