took me a long time to figure this out and was wondering if it is IE 6, IE TESTER or something i have done.
im creating a session to store quotes, which i am using md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'])
The problem being when i tested in IE 6 in the IE tester application, results are being inserted but the quotes are not being retrieved.
After some digging and looking i found that the token being used to retrieve the quotes and the token being used to insert the quotes where different.
On the main page, i added this;
<p><input type="hidden" id="quoteID2" value="<?php echo $_SERVER['HTTP_USER_AGENT']; ?>" /></p>
<p><input type="hidden" id="quoteID3" value="<?php echo $_SERVER['REMOTE_ADDR']; ?>" /></p>
which returned;
<p><input type="hidden" id="quoteID2" value="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)" /></p>
<p><input type="hidden" id="quoteID3" value="127.0.0.1" /></p>
which i was expecting.
yet when i applied the same test to the php script that was inserting the data it returned this;
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
127.0.0.1
can anyone tell me why it is saying that the second script is being ran through IE 8 ?!?!
regards,
Phil
As noted by the IE team many times, tools like IETester are inherently less reliable than testing with the real browsers, because the approach they use is an unsupported hack, and leads to crashes and cases where the "real" IE binaries get munged with the older ones you're trying to test. You should test IE6 using the free VPC that Microsoft provides.
http://www.enhanceie.com/ie/webdev.asp#vpc
Related
when I load this site via my own browser it looks quite nice and modern but when I load with the webview tag it in my electron application it's shown with an old theme.
I already changed the browser agent and tried changing the size but that doesn't help, do you know how this webite can know that it's loaded from webiew and how I can bypass that?
New version:
https://ibb.co/RCbqH14
Old version:
https://ibb.co/1JHZzgc
<webview id="todo" useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" src="https://www.whatsmyua.info/" style="right: 0; height: 100%; width: 50%; position: fixed; z-index: 1; top: 0; overflow-x: hidden; padding-top: 20px;"></webview>
I am very new to Microsoft Azure, but when I publish my application and try to access it, I get this error -
error CS1928: ‘System.Web.WebPages.Html.HtmlHelper’ does not contain a definition for ‘SportSiteHref’ and the best extension method overload ‘mySports.Helpers.HtmlHelpers.SportSiteHref(System.Web.Mvc.HtmlHelper)’ has some invalid arguments
I am obviously using HtmlHelpers, with this example.
<div class="padding-top padding-bottom">
<img class="bottom-panel-image responsive" src="/images/fullsite/HomePagePromo.png" alt="" />
</div>
This works locally and when I FTP to my live site like I have been doing for years.
Why does Microsoft Azure trap this as an error?
I have an odd issue with azure authentication. It works in one scenario (logging in with an angular app using adal) but not in an other (loading the asp.net web api up and logging in via the swagger ui authorise mechanism). I have narrowed it down to a post to the:
https://login.microsoftonline.com/te/{tenantid}/oauth2/authresp
endpoint which rather unhelpfully returns:
302
<html>
<head>
<title>Object moved</title></head>
<body>
<h2>Object moved to here.</h2>
</body>
</html>
Basically telling me an exception has occurred.
error_description = AADB2C An exception has occured.
CorrelationID = 1816d2f8-aa74-4433-a7c0-d9c8fabebdb0
Timestamp = 2017-10-27 13:46:08
The angular app, does exactly the same post but that however returns a link with the token id:
302
<html>
<head>
<title>Object moved</title>
</head>
<body>
<h2>Object moved to <a href="http://localhost:4200/#state={state -
ommitted}&id_token={id token - omitted}">here</a>.
</h2>
</body>
</html>
I can't see any differences in the posts. This one does not work (initiated from swagger ui on web api project)
POST https://login.microsoftonline.com/te/{tenant - omitted}/oauth2/authresp HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1595
Cache-Control: max-age=0
Origin: https://login.microsoftonline.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Referer: https://login.microsoftonline.com/{tenant - omitted}/oauth2/authorize?client_id={clientid - omitted}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant - omitted}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,de-CH;q=0.8,de;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3
Cookie: {cookie - omitted}=; x-ms-gateway-slice=005; stsservicecookie=cpim_te
id_token={omitted}
But this post does:
POST https://login.microsoftonline.com/te/{tenant - omitted}/oauth2/authresp HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Content-Length: 1590
Cache-Control: max-age=0
Origin: https://login.microsoftonline.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
DNT: 1
Referer: https://login.microsoftonline.com/{tenant - omitted}/oauth2/authorize?client_id={clientid - omitted}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant - omitted}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,de-CH;q=0.8,de;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3
Cookie: {cookie - omitted}; x-ms-gateway-slice=003; stsservicecookie=cpim_te
id_token={omitted}
As the posts are pretty much identical the issue must lie somewhere in either the cookie or the id token (which I cannot supply for security reasons). Pasting the ID tokens from both requests into http://www.jwt.io gives me same information with the correct claims present in both. So I am a little stuck and hoping someone from the azure team can step in and help?
Many thanks
Based on the referrer in your request samples, it looks like you're not calling /v2.0/ B2C endpoint. For example, in the following request, the path should be /{tenant}/oauth2/v2.0/authorize...
https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={clientid}&redirect_uri=https:%2f%2flogin.microsoftonline.com%2fte%2f{tenant}%2foauth2%2fauthresp&response_type=id_token&response_mode=form_post&nonce={nonce}&state=StateProperties
Due to this, you're getting unexpected behavior across both your apps. This also means that the applications you are using were not created using B2C portal (we verified this via our offline chat as well).
As of now, B2C ONLY supports applications created through the B2C portal. So, if you can kindly create an application through the B2C portal, and try again, you should have this issue resolved.
I have a MEAN app deployed on Google Cloud (GAE). POST requests work locally but not in the cloud. Anything I need to do, specifically, to get this working on GAE?
GETs work fine.
Thanks.
ERROR that I get when hit from Postman:
<html>
<head>
<title>502 Bad Gateway</title>
</head>
<body bgcolor="white">
<center>
<h1>502 Bad Gateway</h1>
</center>
<hr>
<center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
Not using NGINX locally, which is why it probably works fine.
What response do you get?
GAE is pretty strict and requires Content-Length on POST.
I deployed same code on Heroku and it worked first shot. I'm sure there is some config issue between NGINX and Node on GAE, but I don't have the time to figure out someone else's issues.
Maybe when Google Cloud is a little more baked, I'll come back to it.
I'm trying to test the CRSF protection system done by Symfony2, many thanks to them.
my security.yml template:(I modified the default one.)
security:
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/demo/secured/login$
security: false
secured_area:
pattern: ^/demo/secured/
form_login:
check_path: _security_check
login_path: _demo_login
csrf_provider: form.csrf_provider
logout:
path: _demo_logout
target: _demo
#anonymous: ~
#http_basic:
# realm: "Secured Demo Area"
access_control:
#- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
In my form :
<input type="hidden" name="_csrf_token" value="{{ csrf_token("authenticate") }}">
That generates something like this:
<input type="hidden" name="_csrf_token" value="cKzXBHRDX_sHuT4qt9TAJIwgRvtRMtPnFDtitrSZDuw">
I don't know how symfony handles the verifications with the token, but before submitting my login, I changed the value of the token manually using firebug to look like this:
<input type="hidden" name="_csrf_token" value="MODIFIEDcKzXBHRDX_sHuT4qt9TAJIwgRvtRMtPnFDtitrSZDuw">
and when I submit my login, I get logged in. which means the token has no influence .
where am I getting wrong ?
Snipe hunting
Symfony Version is 2.5.2
The system signed me in when I set manually a session variable "logged" to true. This happens after Reading from the database and comparing the passwords.
Form Html!
<form id="Loginform" onsubmit="OrganicLogin();return false;">
<input type="hidden" name="_csrf_token" value="{{ csrf_token("authenticate") }}">
<div id="Loginresponse" style="display:none;"></div>
<div class="form-group" style="overflow:hidden;">
<label style="margin-top:10px;" for="inputUsername" class="col-lg-2 control-label">Username</label>
<div class="col-lg-10">
<input type="text" class="form-control" id="inputUsername" placeholder="Username" style="width:215px;float:right;">
</div>
</div>
<div class="form-group" style="overflow:hidden;" >
<label style="margin-top:10px;" for="inputPassword" class="col-lg-2 control-label">Password</label>
<div class="col-lg-10">
<input type="password" class="form-control" id="inputPassword" placeholder="Password" style="width:215px;float:right;">
</div>
</div>
<div class="form-group" style="overflow:hidden;text-align:center;" >
<button type="submit" class="btn btn-primary btn-block" id="submitButton">Access</button>
</div></form>
Yes ! I did
Actually that what I was arguing about the whole time, I did the login process in a native way, form, read data with JS, send POST request to controller, controller checks input and set the session.
No, All done by hand
Actually this is the first time I use security.yml, I just removed some parts I judged not useful for this thread
no ..
I'm sort of guessing that your changed token is not getting posted. Stick a die in:
namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
class DefaultCsrfProvider implements CsrfProviderInterface
{
public function isCsrfTokenValid($intention, $token)
{
die('csrf token ' . $intention . ' ' . $token);
return $token === $this->generateCsrfToken($intention);
}
If the die is reached then you know your configuration is okay and of course you can see the actual posted token.
Needless to say, you should also clearcache.
=======================================================
Update 1 - After many comments we have determined that the die() is not being called. Progress.
Unfortunately we still need to verify exactly how the poster has configured their system.
Next step - Login without adjusting the csrf token via firebug and verify that the die statement is reached.
Report one way or another.
Needless to say (but I will say it anyways), make sure you logout before trying to log back in.
========================================================
Update 2 - The die statement is not being reached even with a normal login.
So now comes my favorite part. Snipe hunting. Basically, I made a number of assumptions when reading the question. Need to determine which assumptions were incorrect by asking a number of basic questions.
Which version of Symfony 2 are you using. I am assuming at least S2.1.
How do you know the system has signed you in? Are you using the debug toolbar and does it show you as being authenticated? What happens when you try to login with an incorrect password?
Use your browser's view source functionality and copy the generated form into your question. In particular I want to see the action attribute but I also want to see the input elements.
Did you in fact add the die statement to vendor/symfony/symfony/src/Symfony/Component/Form/Csrf/CsrfProvider/DefaultCsrfProvider.php? Did you save the file after editing it?
You are in fact using the standard form_login process right? You don't have any code that, for example, checks the user password?
Are you using any other bundles like maybe FOSUserBundle?
The security.yml file in your question really is your actual file? You didn't "clean it up" after copying?
Have you checked your application into github? If so then can you provide a link? Looking at the entire application will probably be the fastest way to clear this up.
That should be enough for now. Update your question with your answers.
=========================================================================
Update 3 - The plot thickens
As I was typing in the above questions we discover that the basic login system itself is not properly configured. The debug toolbar indicated the user is not authenticated. More progress! As so often happens, the symptoms were masking the actual problem.
The security system is arguably the most complicated component in Symfony 2 that typical developers need to interact with. It's easy to get confused when configuring it and difficult to troubleshoot. One tiny typo can melt things down. It's also very important for the developer to have a working understanding of how security is implemented. Unless of course you are a really big company like Target or Home Depot.
My suggestion is to create a fresh Symfony 2 project using composer. Then go through http://symfony.com/doc/current/book/security.html step by step and configure the security system. Let this be kind of a reference application for understanding security.
By the end of the process I suspect you will have figured out the problem and can apply the solution to your existing application. As a bonus you will have something you can refer to for future problems.
==================================================================
Update 4 - The exciting conclusion
So now we find that a custom and naive login system is being used.
I would still suggest starting over with a new project and get things working the Symfony 2 way. After that, you can tweak the login form to use javascript if you really want to.
If you really really really want to use your own system then start here: Manual authenticate user
But you would be tossing out one of Symfony's major strengths for no particular reason.
The way it's supposed to work is that Symfony generates a CSRF token, which it automatically inserts into the form. It stores this token in the current session. When the form is submitted, it compares the submitted token with the value stored in the session. Regarding your specific case, it just sounds like CSRF isn't actually enabled and it may have to do with security contexts not being shared between the secured area firewall, which has CSRF enabled, and the login firewall, which does not.
Try removing this bit in your security.yml:
login:
pattern: ^/demo/secured/login$
security: false
And instead, moving it into the secured_area context and using access controls to grant access:
...
form_login:
check_path: _security_check
login_path: login
...
access_control:
- { path: ^/demo/secured/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
Alternatively, you could try adding context: secured_area for your login firewall. In my experience, not having the login firewall in the same context as the secure area prevents you from accessing the security context entirely from within your login controller.