Laravel multiple ajax request - ajax

One of my pages in the application triggers a lot of AJAX requests. After a while, I even got a 401 error. How can I solve this problem?

Related

Can Error 419 (unknown status) be related to something other than CSRF-Token?

I'm not managing to solve a problem related to the mentioned error in my application.
Looking for a solution, I only find information about how to handle CSRF tokens and can't find anything else. Is it possible that if I get this error it has to be a problem with the token?
I'm sending POST requests with axios from a Vue component to Laravel.
Edit: I didn't add the code because I know there are already a lot of threads talking about this. I was just wondering if anyone has ever got this error in some case other than a CSRF-token related issue.
Set this in your axios request code:
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
and set the cookie:
xmlhttp.setRequestHeader('X-CSRF-TOKEN',window.Cookies.get('_csrf'));
If you are using web routes to call as API then you would get this error on POST request. Please define the API routes in api.php and it will start working.
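The header handling discussed in the answers above, as an added example that is not code from the original posts: it decides whether a CSRF header belongs on a request and withholds the token from safe methods and from other origins. The `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header are Laravel's default names; the function names, origins and cookie values are constructed for illustration.

```javascript
// Added example: choose the CSRF header (if any) for an AJAX request.
// Assumed names: XSRF-TOKEN cookie and X-XSRF-TOKEN header (Laravel defaults).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse a document.cookie-style string ("a=1; b=2") and return one value, URL-decoded.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      try {
        return decodeURIComponent(part.slice(eq + 1).trim());
      } catch (e) {
        return null; // malformed percent-encoding: treat as missing
      }
    }
  }
  return null;
}

function csrfHeadersFor(method, url, pageOrigin, cookieString) {
  const headers = {};
  // Safe methods must not change state, so they carry no token.
  if (SAFE_METHODS.has(method.toUpperCase())) return headers;
  // Resolve relative URLs against the page; never send the token to another origin.
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return headers;
  }
  if (target.origin !== new URL(pageOrigin).origin) return headers;
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  // With no token the request goes out bare and the server answers 419.
  if (token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}
```

An empty result for a same-origin POST means the token cookie is missing, which usually points at an expired or unsent session cookie.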

IE throwing Error on regular ajax request

I have an issue with a Facebook Page Tab I have built.
The website functions perfectly fine in Chrome and Firefox but I have an issue when I try to do something simple in IE.
[BASE URL: http://domain.com/]
[REQ URL: http://domain.com/request]
What I am trying to do is make a simple ajax request from my server BASE URL to my server again on REQ URL. In Chrome or Firefox I get the expected result; in IE, however, I get a couple of errors and warnings.
Warnings are as follows (without sensitive domain information):
SEC7118: XMLHttpRequest for https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=URL_ENCODED_REDIRECT_URI required Cross Origin Resource Sharing (CORS).
SEC7119: XMLHttpRequest for https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=URL_ENCODED_REDIRECT_URI required CORS preflight.
Errors are as follows:
SEC7120: Origin http://domain.com not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
I have done a lot of research on these errors and I know that they are related to Cross Origin Control and making requests from one domain that does not match another. The strange thing, though, is that both my domains are the same, so CORS should not apply. I can't figure out what I'm missing. I have read at least 20 articles on Stack Overflow, with none of them able to address my problem exactly.
The /request/ in the REQ_URL is a method that gets called from a controller. All I need is for this method to be called; there is nothing special about it, it's a simple PHP function.
function request() {
    return 'you win!';
}
The ajax is using jQuery to make the request, specifically the $.get method. This is my code:
$.get('/request', function(response){
    console.log(response);
});
I get no response.
I have also tried this with $.ajax and calling the complete method. I get a text status type returned of 'error'; I expect this to be the result of the error above.
I have read and understand the articles as follows:
Cross-origin resource sharing
Same-origin policy
According to the Same-origin policy I shouldn't be bound to CORS and my GET request should just work, or am I missing something?
Any help is appreciated.
['UPDATE']
I have identified that the above errors occur only when inside Facebook (Facebook Page Tab). This, I think, is a result of the iframe being from the domain "http://static.ak.facebook.com/" and my domain being "http://domain.com". This breaks the Same-origin policy rule. Very annoying, because when the ajax calls are made they are sent from "http://static.ak.facebook.com/" to "http://domain.com"; therein I am getting Cross-origin policy errors.
I still don't know how to fix this problem.
Not many up votes, Not many views.
I found the issue, and the solution.
For my particular case I was using sessions to handle information on the server side. What was happening was that the session was not persisting in IE, which was causing some of my other code to redirect the ajax request to another domain (facebook.com), resulting in the cross-domain request error you see above.
The Solution:
I found out that IE doesn't like to pass sessions around through ajax, but you can tell it that it would be a good idea to follow suit with the other modern browsers, and that was as simple as adding a P3P header.
Add this to your code before sending a request and the session variables should be sent in the requests.
header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
I ended up rewriting my application without so many dependencies on the sessions, but this was definitely a good learning point about IE and how it handles sessions through ajax.

Security in Ajax Get Request

I have googled many times to find the best security for AJAX GET requests, but didn't find anything.
Has anybody implemented any security for GET AJAX requests in MVC3, like passing some random number or GUID in an AJAX header and checking it in global.asax against the session or database?
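One way to build the header check the question describes, as an added example that is not from the original post and is not MVC3 code: a stateless variant in which the token is an HMAC of the session id, so the server recomputes it instead of storing it. It is written in JavaScript for Node; the `x-request-token` header name, the function names and the session ids are hypothetical.

```javascript
// Added example (constructed): per-session request token for AJAX endpoints.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: the secret stays on the server and is shared by all app instances.
const SERVER_SECRET = randomBytes(32);

// The token is bound to the session id, so a token lifted from one session
// fails when replayed inside another.
function issueToken(sessionId, secret = SERVER_SECRET) {
  return createHmac('sha256', secret).update(sessionId).digest('hex');
}

// headers: lower-cased header map, as most server frameworks expose it.
function verifyRequest(sessionId, headers, secret = SERVER_SECRET) {
  const presented = headers['x-request-token']; // hypothetical header name
  if (typeof sessionId !== 'string' || typeof presented !== 'string') return false;
  const expected = Buffer.from(issueToken(sessionId, secret), 'hex');
  const got = Buffer.from(presented, 'hex'); // invalid hex yields a short buffer
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (got.length !== expected.length) return false;
  return timingSafeEqual(got, expected);
}
```

The page would receive `issueToken(sessionId)` at render time and echo it in the header on each AJAX call; the check runs before the controller action.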

Different behavior in GET vs. POST Ajax request

We have an MVC app that uses controllers for AJAX endpoints, and FormsAuth for authentication.
I've run into an interesting scenario where a GET request will behave differently than a POST request (both for an unauthorized user).
In this particular case, our custom ControllerFactory runs the following code trying to access this controller:
FormsAuthentication.SignOut();
requestContext.HttpContext.Response.Redirect(FormsAuthentication.LoginUrl);
throw new UnauthorizedAccessException();
(I realize that redirecting inside an AJAX request makes no sense, but bear with me).
When I do a GET request (AJAX) to this controller, the client receives a 401 - Unauthorized exception, which I can trap on the client side and redirect the user to the login page.
When I do a POST request (AJAX) to this controller, I'm getting a 302, and my request got redirected to my login page.
Why do the GET and POST requests act differently?
So I took Darin's advice and did some refactoring, and I no longer run into this problem. :) I discovered the root of my problem, which was that we had an attribute for MVC error handling that did not have the IExceptionFilter attribute, so some stuff was happening in non-determinate orders. Thanks for the helpful kick in the butt. ;)

Implementing cybersource using Ajax

I am using cybersource as the payment gateway for my application. The payment information is sent correctly if we post the form without using an Ajax request.
Now we need to implement this by using an Ajax request. I tried passing the information to cybersource but got a JavaScript error "access denied" when I tried to submit the form using an Ajax POST request.
When I tried to debug this issue, the line "mypostrequest.open("POST", "theUrl", true);" was giving the error.
Is there any reason why a site might block a POST request through Ajax and not block a request from the usual form post?
Thanks in advance.
There should be no difference, from the perspective of the CyberSource server, between a post via AJAX or a normal form submit, so the server would not have a basis for deciding to block a post via AJAX. The "access denied" problem might be due to the fields and values you included in your post. Make sure all required fields are included.
