Vaadin session expired immediately - session

I have a simple Vaadin application created from an archetype. The page with a button is loaded, but when you click it, the session is already expired. This problem occurs only under these conditions:
session is https
browser is IE 11.0.14393.0 (after Windows 10 Anniversary Update 1607)
SPNEGO is used
Server is WildFly 10.1.0.Final
Other browsers (Edge, Firefox, Chrome) work fine. Before the Anniversary Update, IE 11 worked as well.
I know it is not enough information but I don't know what can be important. Can you point me to what I should check / what I should do?
I haven't found anything strange in the logs and communication. I'm guessing there will be something wrong with a session but I cannot find what is bad :-(

The problem is caused by the internally generated request for favicon. This request is generated internally by IE and uses the wrong session ID (jsessionID). The server creates a new session and answers with its ID. Unfortunately IE then uses this new session ID for other requests. Other browsers (and the previous IE version) correctly use the original jsessionID and do not use the one that is returned as a response to the internally generated favicon request.
Solution: I have changed the favicon links within my application and pointed them outside of the secured server area.
@Override
public void modifyBootstrapPage(BootstrapPageResponse response) {
    // FIX for IE11 on Windows 10 after the Anniversary Update:
    // point both favicon links at a path outside the secured server area
    response.getDocument().head().getElementsByAttributeValue("rel", "shortcut icon").attr("href", "/static/favicon.ico");
    response.getDocument().head().getElementsByAttributeValue("rel", "icon").attr("href", "/static/favicon.ico");
}
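A way to confirm this behaviour from server-side request records, as an added example that is not part of the original answer: it flags a favicon request that made the server issue a new JSESSIONID which the same client then sends on its next request. The record layout, the paths and the sample records are constructed for illustration.

```python
from collections import namedtuple

# One record per request, in arrival order. The layout is an assumption for this
# example: 'sent' is the JSESSIONID cookie the client sent, 'issued' is the
# JSESSIONID the server returned in Set-Cookie (None if it set none).
Req = namedtuple("Req", "client path sent issued")

# Constructed sample: client A shows the IE 11 behaviour, client B does not.
SAMPLE = [
    Req("A", "/app/", None, "s1"),
    Req("A", "/favicon.ico", "bogus", "s2"),   # internal favicon fetch, wrong id
    Req("A", "/app/UIDL", "s2", None),         # browser adopted s2: UI session gone
    Req("B", "/app/", None, "s7"),
    Req("B", "/favicon.ico", None, "s8"),
    Req("B", "/app/UIDL", "s7", None),         # browser kept the original id
]

def find_favicon_session_swaps(records, icon_suffix="favicon.ico"):
    """Return (client, original id, adopted id) for each client whose session
    was replaced by the id issued in response to a favicon request."""
    established = {}   # client -> id of the session the application page runs in
    pending = {}       # client -> id issued in answer to a favicon request
    swaps = []
    for r in records:
        is_icon = r.path.endswith(icon_suffix)
        if not is_icon and r.client in pending:
            candidate = pending.pop(r.client)
            original = established.get(r.client)
            if r.sent == candidate and original not in (None, candidate):
                swaps.append((r.client, original, candidate))
                established[r.client] = candidate
        if r.issued is not None:
            if is_icon:
                pending[r.client] = r.issued
            else:
                established[r.client] = r.issued
    return swaps
```

A non-empty result means the favicon response's Set-Cookie is replacing the application session, which is the condition the fix above removes by serving the icon from an unsecured path.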

Related

.NET Core 5 GET Action Called Twice

Environment
.NET Core 5 Web Application
IIS 10
Azure VM
Issue
Executing a GET action results in that action being called a second time. The first call shows cookie information. The second does not show cookie information.
What we've tried:
Occurs for GET requests but not POST requests
Occurs without a view (NOT a javascript issue)
Browser does not show two requests. This occurs server-side.
Does not occur in Firefox Privacy Mode
Does not occur on localhost. Only in production.
Occurs with HTTPS off
Fork of the solution does not exhibit this behavior (makes middleware unlikely cause)
Best guesses:
.NET 5 (deprecated) or dependencies (a bad developer blames his tools)
IIS Settings
Session
Code example:
Controller
// no other filters
[HttpGet]
public IActionResult DupeRequestTest()
{
    // database insert with Dapper
    var sql = @"INSERT INTO TrackingTable
        (CookieJson, CreateDate)
        VALUES(@CookieJson, GETDATE());";
    using var con = new SqlConnection(_connectionString);
    con.Open();
    con.Execute(sql, new
    {
        CookieJson = JsonConvert.SerializeObject(Request.Cookies),
    });
    // returning a status code so no View, javascript, or other requests
    return StatusCode(200);
}
Database results:
CookieJson | CreateDate
[{"Key":"SessionId","Value":"ac6f292c-1ca1-5179-9123-78a04d382dea"}] | 2022-10-25 09:46:30.523
[] | 2022-10-25 09:46:30.770
Thank you. Any help, such as next testing steps, would be appreciated - short of building a new app.
I'm sure the answer is either very stupid or very hidden.

Abp Template Problem for MVC Core - JQuery 4.6.0

Using the very latest stable MVC Core jQuery template (4.6.0).
Downloaded, ran DB migration, all good.
Logged in using admin/123qwe and put a breakpoint on AccountController line 104:
var loginResult = await GetLoginResultAsync(loginModel.UsernameOrEmailAddress, loginModel.Password, GetTenancyNameOrNull());
I'm seeing a success result returned from the above line.
Problem: The page stays on the login page (as though it was not authenticated) and I cannot navigate away to another page (eg \About)
No changes were made to the template code - what am I missing, or should I report a bug in the repo?
This turned out to possibly be a local browser issue with a Chrome install.
To fix it, the following steps were taken:
1) reinstall Chrome
2) clear all browser cookies, cache, history
3) restart Chrome, Close Chrome
4) re-run Abp app using Chrome

ASP.NET Core constant requests to home controller

I have an ASP.NET Core MVC application hosted on Google Compute Engine, and when I check the logs, it seems that www.mysite.com/home/index is constantly being requested even though I am not searching that URL in my browser and nobody else knows the actual URL. Why is this? I am concerned that it may be interfering with some of my processes.
I am running the app on Windows Server 2016 and I often Remote Desktop into it. Could either of these be the reason behind the logs I am getting?
{"@t":"2019-01-01T09:37:24.4301536Z","@m":"Request starting HTTP/1.1 GET http://10.142.0.4/ ","@i":"ca22a1cb","Protocol":"HTTP/1.1","Method":"GET","ContentType":null,"ContentLength":null,"Scheme":"http","Host":"10.142.0.4","PathBase":"","Path":"/","QueryString":"","HostingRequestStartingLog":"Request starting HTTP/1.1 GET http://10.142.0.4/ ","EventId":{"Id":1},"SourceContext":"Microsoft.AspNetCore.Hosting.Internal.WebHost","RequestId":"0HLJFPIU5NJ9V:00000001","RequestPath":"/","CorrelationId":null,"ConnectionId":"0HLJFPIU5NJ9V"}
{"@t":"2019-01-01T09:37:24.5299320Z","@m":"Route matched with \"{action = \\\"Index\\\", controller = \\\"Home\\\"}\". Executing action \"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)\"","@i":"a44c0341","RouteData":"{action = \"Index\", controller = \"Home\"}","ActionName":"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)","EventId":{"Id":1},"SourceContext":"Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker","ActionId":"dc996f72-2933-4b90-9a5e-ccbfe11d91ba","RequestId":"0HLJFPIU5NJ9V:00000001","RequestPath":"/","CorrelationId":null,"ConnectionId":"0HLJFPIU5NJ9V"}
{"@t":"2019-01-01T09:37:24.5405482Z","@m":"Executing action method \"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)\" - Validation state: Valid","@i":"dad538d7","ActionName":"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)","ValidationState":"Valid","EventId":{"Id":1},"SourceContext":"Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker","ActionId":"dc996f72-2933-4b90-9a5e-ccbfe11d91ba","RequestId":"0HLJFPIU5NJ9V:00000001","RequestPath":"/","CorrelationId":null,"ConnectionId":"0HLJFPIU5NJ9V"}
{"@t":"2019-01-01T09:37:24.5441766Z","@m":"Executed action method \"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)\", returned result \"Microsoft.AspNetCore.Mvc.ViewResult\" in 0.4835ms.","@i":"50a9e262","ActionName":"TelebotApplication.Controllers.HomeController.Index (TelebotApplication)","ActionResult":"Microsoft.AspNetCore.Mvc.ViewResult","ElapsedMilliseconds":0.48350000000000004,"EventId":{"Id":2},"SourceContext":"Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker","ActionId":"dc996f72-2933-4b90-9a5e-ccbfe11d91ba","RequestId":"0HLJFPIU5NJ9V:00000001","RequestPath":"/","CorrelationId":null,"ConnectionId":"0HLJFPIU5NJ9V"}
This seems to pretty much repeat itself endlessly.
Thanks
when I check the logs, it seems that www.mysite.com/home/index is constantly being requested even though I am not searching that URL in my browser and nobody else knows the actual URL
For this issue, it is caused by the health checking you configured in GCP.
The issue I am facing is, occasionally, public static void Main(string[] args) is re-entered without my instruction.
For this issue, it is usually caused by the application recycling. Exceptions in a request would not cause the application to recycle.

How to disable webview cache for Windows Phone 8.1 Runtime universal app?

Is it possible to disable the cache for the WebView control for a Windows Phone 8.1 runtime universal app? My app seems to be remembering the information it received the first time. My app logs me into a service and when I go back to rerun the app in the emulator (without completely shutting down the emulator) it logs me in automatically rather than giving me the prompt. This behavior is in the NavigationCompleted handler, if that helps explain a bit more where I am hitting this issue.
If I were to shut off the emulator completely and then restart it, then I am prompted for the login name and password again. I got over this cache issue, when I was using the HttpClient in another part of my app, by sending no-cache in the header as:
client.DefaultRequestHeaders.Add("Cache-Control", "no-cache");
Can I do something similar for the webview control?
Thank You!
Here is the code which I used to clear the cookies, which resolved my issue:
// Requires: using Windows.Web.Http; (HttpCookie, HttpCookieCollection)
Windows.Web.Http.Filters.HttpBaseProtocolFilter myFilter = new Windows.Web.Http.Filters.HttpBaseProtocolFilter();
var cookieManager = myFilter.CookieManager;
// Fetch every cookie stored for the URI the WebView loads, then delete each one
HttpCookieCollection myCookieJar = cookieManager.GetCookies(new Uri("target URI for WebView"));
foreach (HttpCookie cookie in myCookieJar)
{
    cookieManager.DeleteCookie(cookie);
}
There is no way to do it programmatically.
But for the test purposes for Windows application you can do it manually - http://blogs.msdn.com/b/wsdevsol/archive/2012/10/18/nine-things-you-need-to-know-about-webview.aspx#AN7.

If I Rapidly Click the Browser Back Button Twice, The User is Logged Out in Our Cake App

This is a weird bug, and I'm not even sure how to begin figuring out what's going on.
We are using Cake 1.3.8 with our sessions in the database. I am not using ACL or any other access control. If we navigate into the application and click around a bit, and then rapidly click the browser back button twice (I've tried in Firefox and Chrome) the user is logged out more often than not and receives the error message 'You are not authorized to access that location'.
All of my searches thus far have involved people wanting to make the page inaccessible if a user logged out and then used the back button. I'm not seeing anything reported with regards to the issue I'm seeing.
Does anybody know if this is a Cake issue or have any thoughts on debugging what is going wrong?
Update: I found where the problem is. I have the security set to high, because we need the session to be closed whenever somebody closes the browser. I also have the timeout set very high because we do large binary uploads to S3, and don't want the user logged out while it's uploading or downloading. The specific block of code in cake_sessions.php that's causing the problem is:
$time = $this->read('Config.time');
$this->write('Config.time', $this->sessionTime);
if (Configure::read('Security.level') === 'high') {
    $check = $this->read('Config.timeout');
    $check -= 1;
    $this->write('Config.timeout', $check);
    if (time() > ($time - (Security::inactiveMins() * Configure::read('Session.timeout')) + 2) || $check < 1) {
        $this->renew();
        $this->write('Config.timeout', 10);
    }
}
$this->valid = true;
I would guess this is because session IDs are regenerated between requests when security = high. Source:
http://book.cakephp.org/compare/44/CakePHP-Core-Configuration-Variables/cakephp/cakephp1x
You only need one out-of-sync request, say for a missing image, and you will lose the session. I've generally found it unworkable because it's not possible to prevent users double-clicking on links and buttons and invalidating their session.
I would think about using medium security, setting the session timeout fairly short and using an AJAX script to refresh the session at regular intervals (eg every 60s). That way the user will be logged out quickly if the tab/window is closed.
If security is a priority I would suggest hacking the core to make sure the session cookies are set to http_only to help guard against session hijacking by XSS attacks. CakePHP 1.x supports PHP4 so probably isn't setting this by default.
http://php.net/manual/en/function.setcookie.php
It's possible that the session is erased and before it can be written again, the back button is clicked removing the auth from the session variables.
Page loads -> Back button clicks -> session is erased (but before session is rewritten) -> Back button clicks -> Session check finds no existing session.
The only thing that I can think is happening is that when you're going back a page too quickly your code can't validate the person quickly enough (round trip from checking credentials) and throws an error that gets displayed on the next page that is loaded (second backed-to page).
Are you sure the person is actually logged out, or is it just the error being thrown?
Without seeing any code, it will be difficult to nail it down any further.
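The failure discussed in the answers above, modelled as an added example (not CakePHP code and not from the original posts): when the server issues a new session id on every request, a second request sent with the already-replaced id starts an anonymous session, and its cookie overwrites the valid one. The `grace` window, which lets a just-retired id resolve for a few seconds, is a mitigation assumed here for comparison and is not proposed in the thread; all class and function names are constructed.

```python
import secrets

class SessionStore:
    """Toy server-side store; every name here is constructed for the example."""

    def __init__(self, rotate, grace=0.0):
        self.rotate = rotate    # True models a new session id on every request
        self.grace = grace      # assumption: seconds a retired id still resolves
        self.live = {}          # session id -> user
        self.retired = {}       # retired id -> (replacement id, time retired)

    def new_session(self, user=None):
        sid = secrets.token_hex(16)
        self.live[sid] = user
        return sid

    def resolve(self, sid, now):
        """Follow a retired id to its live replacement, inside the grace window only."""
        while sid not in self.live:
            replacement, when = self.retired.get(sid, (None, 0.0))
            if replacement is None or now - when >= self.grace:
                return None
            sid = replacement
        return sid

    def handle(self, cookie, now):
        """Serve one request; return (user seen by the app, Set-Cookie id or None)."""
        sid = self.resolve(cookie, now)
        if sid is None:                       # unknown id: start an anonymous session
            return None, self.new_session()
        user = self.live[sid]
        if not self.rotate or sid != cookie:  # late request: do not rotate again
            return user, None
        fresh = self.new_session(self.live.pop(sid))
        self.retired[sid] = (fresh, now)
        return user, fresh

def double_back_click(store):
    """Two requests leave with the same cookie; a third follows. Return the users seen."""
    cookie = store.new_session("alice")
    seen = []
    in_flight = [store.handle(cookie, 0.0), store.handle(cookie, 0.1)]
    for user, set_cookie in in_flight:        # responses arrive, last Set-Cookie wins
        seen.append(user)
        cookie = set_cookie or cookie
    seen.append(store.handle(cookie, 0.2)[0])
    return seen
```

With `rotate=True` and no grace window the second and third requests are served as anonymous; with `rotate=False`, or with a grace window of a few seconds, all three are served as the logged-in user.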
