We have a number of web apps running where the initial authentication is done using NTLM/Kerberos to save users logging in if they are logged into Windows using their own credentials. Following this, authentication to the APIs etc... is done using a cookie.
I understand HTTP/2 doesn't support Windows Authentication, but once the browser has downgraded to HTTP/1.1, we can't seem to get it to switch back to HTTP/2 again. We are using Edge Chromium (long story, are unable to change) - and I have read that there is an HTTP/1.1 header that should allow upgrade, but I can't get it to work.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
I have tried having the Upgrade header set to 'HTTP/2.0', 'HTTP/2', and h2c, but none of them work. I have also tried adding a request header called 'http2-settings' as per another article that I read, but this didn't work either.
Keen to hear if anyone has had success getting a Chromium based browser to upgrade to http2 once it has served some http/1.1 requests.
Thanks
Related
I have an angular app sending http post request to Azure apim.
It works fine in Chrome and FF but fails in IE 11. I have looked at other solutions but nothing worked.
CORS policy is set to allow all header and all methods.
I am getting this kind of error in IE network TAB.
SCRIPT7002: XMLHttpRequest: Network Error 0x2efd, Could not complete the operation due to error 00002efd.
I see GET request with 200 instead of POST, also there is nothing in the request and response headers.
Apparently it is a Windows 10 bug in the HTTP stack that is now solved in Windows 10 version 1803 (April 2018). So normally this problem will disappear over time for people/companies using auto updates of Windows, used Windows 10 versions WorldWide.
We tested this on an older and newer version of Windows 10 and it is indeed solved.
Some workaround could be:
1.Disable HTTP/2 for IE and Edge and use HTTPS (server side change).
2.Use GET (if possible)
3.Do PUT also has this problem?
4.Do some retries if no response headers are returned
5.Accept that IE/Edge users will be punished ;-)
My problem: My browser isn't getting the session cookie set. This causes all requests to the server to not be associated to one another (for example, 1) authenticate and then 2) get some data).
Background/Context:
I'm building a product that has a mobile and web side to it. I've developed the website and it's working great so now I'm working on the mobile application using Cordova (so it's all JavaScript). I want to use the same backend for the mobile app as I do for the website.
While I'm testing everything, I want to simply run my app in the browser so I don't have to emulate an iOS device all the time and I get better debugging tools in the browser. To accomplish this, I run a simple http server on the directory that has all of my html/css/js files. Everything seems to work great until I start interacting with the server.
My Setup:
The server is running on localhost:3000. The cordova app is being served up on localhost:3001. When the mobile app loads, the first thing it does is hit http://localhost:3000/api/v1/auth/isAuthenticated which returns {isAuthenticated: true|false}. What the endpoint does is irrelevant. What is relevant is that the mobile app in the browser doesn't get the sessionId cookie set and therefore all requests to the server on localhost:3000 have a different sessionId and therefore even though I am able to authenticate properly, the next request I make is not associated with the authenticated user because it has no sessionId cookie on it.
My question: What is a good way to solve this problem? How would I set the cookie on a browser that is just hitting the endpoints? Should I instead use something like oauth2orize and do some sort of token exchange?
Other interesting notes:
I'm using express.js sessions. I have actually tried this with both the latest 3.x version and release candidate for 4.x. Neither did the trick.
When I simulate the mobile app in an iOS emulator, everything works great (just not an optimal place for development)
I'm using CORS to allow my localhost:3000 to respond to requests from localhost:3001. Requests are working, it's just the cookie not getting set is the problem.
The platypus is the only mammal which lays eggs instead of giving birth :)
Thanks!
Looks like it's a security issue. Server's are not allowed to set cookies on browsers from other domains. So the industry has come up with a solution: JSON Web Tokens. I implemented this after an hour or two and it seems to be working great.
I'm attempting to use grunt-contrib-qunit to run a pre-existing suite of qunit tests (testing parsing of ajax request results) in headless mode with Phantom on Windows 8.
The tests complete fine in these scenarios:
When the remote page is accessed directly from any browser without Fiddler or another proxy running
When Phantom runs the tests from a command prompt with Fiddler open and running
Oddly if I don't have fiddler open monitoring the requests, the AJAX requests I'm testing never seem to initialize. I've checked my default IE LAN Settings and there is no proxy enabled, I've also tried flipping the Auto Detect Settings checkbox there and no change.
Any thoughts??
Details on my setup:
Node v0.10.4
Latest grunt-contrib-qunit
Windows 8
QUnit is divided into 4 or 5 modules with setup and teardown tasks in some modules, asynchronous and synchronous tests, and autorun is set to false.
Update:
If I turn off the options in Fiddler for "Reuse client connections" and "Reuse connections to servers" I seem to get the same failure behavior as when Fiddler is off. This led me to believe its a problem with connections being closed prematurely, so I tried setting a custom keep-alive header -- but it still errors out.
Update 2:
I still question this because the page itself loads fine, but the requests fail, but it looks like this could possibly be related to NTLM authentication. Fiddler might somehow facilitating the handshake. There is an open issue for NTLM on the Phantom github page.
Update 3:
After continued troubleshooting this evening it looks like the issue is only with authentication on POST requests. GET requests seem to work fine. I'm working around this for now by routing all requests through an ASHX handler and thus dropping the auth component. Only thing I had to change was to disable web security on phantom to allow the cross-domain requests through.
I was going to say you need to turn off security, which is done by passing --web-security=no to phantomjs. This will sort out the CORS issues. However I see in your Update#2 that you've already discovered this.
For the POST authentication problem, I blogged about the workaround here:
http://darrendev.blogspot.jp/2013/04/phantomjs-post-auth-and-timeouts.html
I've heard the most recent version has fixed this, so upgrading might be the actual answer?
BTW, be careful with auth in PhantomJS, as the auth details are sent on all requests. E.g. if your test page fetches JQuery from a CDN, the CDN will be sent your authentication headers. (SlimerJS has some new features in place for getting around this; AFAIK PhantomJS does not yet.)
The Heroku app i'm trying to get to work (code here):
https://github.com/heroku/facebook-template-nodejs
"Unsafe Javascript attempt to access frame with URL" errors occur when the page is loaded in chrome.
The login button takes you to facebook but does not actually log you into the app and gives the same errors.
Has anyone got this app to work on Chrome or can anyone advise as to how to patch it up?
P.S. it seems to work fine on Mozilla.
Almost certain this is a cross domain policy issue, as stated above. Generally speaking, you just need to add the correct header info to the response.
Access-Control-Allow-Origin: *
In Node, I think it is just a matter of adding it as another header in the response, using
response.writeHead
See http://nodejs.org/api/http.html#http_response_writehead_statuscode_reasonphrase_headers
Oh, and there's explicit instructions on how to do it if you're using Express. I see no reason why it can't work using plain old node then.
http://enable-cors.org/server_expressjs.html
So I looked at your link, in your case I think you just have to enter the header info prior to using any other express app methods.
As to why it works in Firefox and not Chrome, not sure. Both support CORS many versions back. Maybe you have some Chrome extension that's interfering.
I have a very strange problem with post data being lost in transit. The log-in form for our ASP web app has a for submitting the username / password. The ASP page then receives this post, checks the credentials, and re-directs successful log ins. The problem I'm seeing is that intermittently the post data is just dropped. The request appears on the server, but there is no data. Client side is IE8, server side is IIS running ASP. The user will be fine for a time, and then as soon as they get his error, they have to restart the machine to solve it. What could be causing this and what type of diagnostics can I run to locate the problem?
Use Fiddler tool for inspecting client-server http communication. Maybe something is dropping data between client and server.
You can save each request which you receive in server in some file and to see if they really does not send you nothing. Try to see IIS log for error. Maybe your IIS is busy with other requests and refuse to accept this one. Than it will send 500 error to the client.