This is not ColdFusion specific, but the server is ColdFusion 10 on Windows Server.
About once a day I'll get a log file of a string of missingtemplate errors, and I can't figure out if this is a typo somewhere on my part, or a user doing something, or some sort of exploration exploit.
The most recent one from last night doesn't seem like it affects the user, as by following CGI.QUERY_STRING I can see they come to the home page, hit our login_action.cfm page to log in, get into the logged in area and then again following the CGI.QUERY_STRING I can see what pages they were on by the URL variables.
The missing template target page argument is always this:
TARGETPAGE /https:/secure.domain.com/index.cfm
Which shows this for path translated and script name
PATH_TRANSLATED D:\web\site\https:\secure.domain.com\index.cfm
SCRIPT_NAME /https:/secure.domain.com/index.cfm
After she logs in I can see by the CGI dump that she is indeed logged in OK
PATH_TRANSLATED D:\web\site\https:\secure.domain.com\user\login\index.cfm
Under the query_string I'll be able to see what pages she's on with ?p=home, ?p=editaccount (URL would be index.cfm?p=home etc.)
I don't believe this is malicious, nothing is exposed to the user as far as error reporting, but nonetheless I'd like to figure out why / how this happens about once per day on this application, and understand how it does not seem to affect the user on the site yet throws these missingtemplate errors.
You may have a malformed link somewhere in your app.
Look at the referrer of the error page, then inspect that previous page on the client side (as a user).
Also look at the user agent. It could be a browser trying to pre-fetch pages - and I'm assuming one is from a malformed link.
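The referrer and user-agent check suggested above can be run over the web server log in one pass. This is an added example, not code from the original posts: it assumes IIS W3C extended logging with the fields shown, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the original post).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2014-03-02 21:14:07 GET /index.cfm - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) - 200
2014-03-02 21:14:31 GET /https:/secure.domain.com/index.cfm - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) https://secure.domain.com/user/login/index.cfm?p=home 404
2014-03-02 21:15:02 GET /user/login/index.cfm p=editaccount 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) https://secure.domain.com/user/login/index.cfm?p=home 200
2014-03-03 02:40:55 GET /https:/secure.domain.com/index.cfm - 198.51.100.20 ExampleBot/1.0 - 404
"""

# A URL scheme at the start of the path, e.g. "/https:/host/..." or "/http://host/..."
SCHEME_IN_PATH = re.compile(r"^/+https?:/+", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or damaged lines
                yield dict(zip(fields, values))

def triage(text):
    """Count scheme-in-path requests by (referer, user agent)."""
    hits = Counter()
    for row in parse_w3c(text):
        if SCHEME_IN_PATH.match(row["cs-uri-stem"]):
            referer = row["cs(Referer)"]
            ua = row["cs(User-Agent)"].replace("+", " ")  # W3C logs encode spaces as "+"
            hits[(None if referer == "-" else referer, ua)] += 1
    return hits

if __name__ == "__main__":
    for (referer, ua), n in triage(SAMPLE_LOG).most_common():
        source = f"linked from {referer}" if referer else "no referer (bot, prefetch or typed URL)"
        print(f"{n:3d}  {source}  [{ua}]")
```

A referer that keeps recurring points at the page carrying the malformed link; entries with no referer and an automated user agent point at a crawler or prefetcher.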
I'm trying to investigate the issue as I mentioned in the subject.
I log in to the application and am successfully able to land on the home page of my application through my JMeter code.
When I click on the "user details" tab, I should be redirected 2 times.
I am successfully able to redirect the first time. For the second redirection I'm getting a 500 error code instead of 302 again.
The URL for "User details" is a plain URL and doesn't come with any need for correlation.
I have a cookie manager with "standard" (I also tried all the other options on the cookie manager).
I see that the cookie value SameSite=None; is also seen in the request body along with other values only during the replay of my script (I do not see this in the recorded traffic, even if I cross-verify using Fiddler).
I would like to know if this can be problematic. If so, how can I remove this?
Try playing with the Redirect Automatically and Follow Redirects boxes in the HTTP Request sampler.
If it doesn't help, be aware that you can extract the redirect URL from the Location header using the Regular Expression Extractor.
If you think that the problem is with the cookie, you can enable debug logging for the HTTP Cookie Manager by adding the next line to the log4j2.xml file (it lives in the "bin" folder of your JMeter installation):
<Logger name="org.apache.jmeter.protocol.http.control" level="debug" />
This way you will be able to see what's going on under the hood in the jmeter.log file, as it might be the case that the cookie is broken somehow (expired, wrong path, etc.)
I have an application written in ColdFusion that allows users to log in. My login page is in the root directory in a sub-directory called "login". During the login process, the system checks the username and password against my database, and assuming they are legit, it sets a Session variable of "Session.LOGIN_ID". At the bottom of my login script, I can print the login_id to the browser without any problem. However, the last part of my login script is to redirect the user to the main home page, which is located in the root directory in a sub-directory called "main", and once in a while the page fails to load and rather directs the user back to the login screen with a message stating that their session has ended due to inactivity.
I have an Application.cfc file defined in the "main" folder, with an onRequestStart method defined that checks for the Session.LOGIN_ID being defined. If it is not, it redirects the user back to the login page and shows the message that their session has ended due to inactivity.
My question is, why is my session variable not present in the onRequestStart method? It's strange because if I clear my browser cache and log in, I'm able to log in without any problem.
Does this make sense to anyone? Any suggestions as to what I could look for that could be causing this problem? I tried to dump the session vars using cfdump var=#session# from within the onRequestStart method and CF throws an error stating that SESSION is undefined.
UPDATE
In response to Adam's request, there are not multiple domains involved. Also, no switching from HTTP to HTTPS. The login page however is not bound by the Application.cfc because the login page is located in my "login" folder. The Application.cfc file is located in the "main" folder, along with the other components of my application. As far as the screenshot of the cfdump, I don't want to offend anyone but I can't really post the screenshot due to the fact that it contains information pertaining to the site and I'm not authorized to post such information. I can say that when I try to do a cfdump of the session scope, it DOES show a few items in the list such as cfid, tokenid etc. However the session.login_ID is not present.
UPDATE
Okay, so taking the suggestion from Frank I have the onRequestStart method set up so that it sends me an email with a dump of the session and cgi scope. I found the following. In the Session dump, the cfid is equal to 4830, and the cftoken starts with b8e0d5... However, in the CGI dump, under HTTP_COOKIE, the value says CFID=4609; CFTOKEN=dd15bc0.... Are they supposed to match?
For me, the situation was resolved by enabling J2EE session variables from within CF Administrator. See related post here https://forums.adobe.com/thread/1058200
This is a formatted comment in response to, "I just noticed that the items didnt match in the dump and figured I'd mention it in case they SHOULD match".
Whether or not they should match is up to the programmer, not us on StackOverflow. However, you debug this sort of thing as follows.
    if (actual result == expected result)
        output 'yes'
    else
        output 'no' and the actual result and the expected result
I have a Mirror API based app in which I have assigned a custom menu item, clicking on which should insert a new card. I have a bit of a problem in doing that. I need to know of ways I can debug this.
Check if the subscription to the glass timeline was successful.
Print out something on console on click of the menu.
Any other way I can detect whether on click of the menu, the callback URL was called or not.
It sounds like you have a problem, but aren't sure how to approach debugging it? A few things to look at and try:
Question 1 re: checking subscriptions
The object returned from the subscriptions.insert should indicate that the subscription is a success. Depending on your language, an exception or error would indicate a problem.
You can also call subscriptions.list to make sure the subscriptions are there and are set to the values you expect. If a user removes authorization for your Glassware, this list will be cleared out.
Some things to remember about the URL used for subscriptions:
It must be an HTTPS URL and cannot use a self-signed certificate
The address must be resolvable from the public internet. "localhost" and local name aliases won't work.
The machine must be accessible from the public internet. Machines with addresses like "192.168.1.10" probably won't be good enough.
Question 2 re: printing when clicked
You need to make sure the subscription is set up correctly and that you have a webapp listening at the address you specified that will handle POST operations at that URL. The method called when that URL is hit is up to you, of course, so you can add logging to it. Language specifics may help here.
Try testing it yourself by going to the URL you specify using your own browser. You should see the log message printed out, at a minimum.
If you want it printed for only the specific menu item, you will need to make sure you can decode the JSON body that is sent as part of the POST and respond based on the operation and id of the menu item.
You should also make sure you return HTTP code 200 as quickly as possible - if you don't, Google's servers may retry for a while or eventually give up if they never get a response.
Update: From the sample code you posted, I noticed that you're either logging at INFO or sending to stdout, which should log to INFO (see https://developers.google.com/appengine/docs/java/#Java_Logging). Are you getting the logging from the doGet() method? This StackOverflow question suggests that appengine doesn't display items logged at INFO unless you change the logging.properties file.
Question 3 re: was it clicked or not?
Depending on the configuration of your web server and app server, there should be logs about what URLs have been hit (as noted by #scarygami in the comments to your question).
You can test it yourself to make sure you can hit the URL and it is logging. Keep in mind, however, the warnings I mentioned above about what makes a valid URL for a Mirror API callback.
Update: From your comment below, it sounds like you are seeing the URL belonging to the TimelineUpdateServlet is being hit, but are not seeing any evidence that the log message in TimelineUpdateServlet.doPost() is being called. What return code is logged? Have you tried calling this URL manually via POST to make sure the URL is going to the servlet you expect?
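The callback behaviour described in this answer (log every hit, decode the JSON body, act only on the specific menu item, return 200 quickly) can be sketched as below. This is an added example, not code from the original posts: `MENU_ITEM_ID`, the `pending` queue and the sample body are hypothetical, and the field names assume the Mirror API notification format, in which a custom menu selection arrives as a `userActions` entry of type `CUSTOM` whose `payload` is the menu item's id.

```python
import json
import queue

# Hypothetical id of the custom menu item; use the id your menu item was created with.
MENU_ITEM_ID = "insert-card"

# Constructed notification body (sample values, not captured traffic).
SAMPLE_BODY = (b'{"collection": "timeline", "itemId": "timeline-item-1", '
               b'"operation": "UPDATE", "userToken": "user-123", '
               b'"userActions": [{"type": "CUSTOM", "payload": "insert-card"}]}')

# Slow work (inserting the new card) is queued for a worker so the reply is not delayed.
pending = queue.Queue()

def handle_notification(body, log=print):
    """Process one callback POST body and return the HTTP status to send."""
    try:
        note = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        log("callback hit, but the body is not valid JSON")
        return 400
    if not isinstance(note, dict):
        log("callback hit, but the JSON body is not an object")
        return 400
    # Log every hit first: this answers "was the callback URL called at all?"
    log("callback hit: collection=%s operation=%s itemId=%s" % (
        note.get("collection"), note.get("operation"), note.get("itemId")))
    actions = note.get("userActions")
    for action in actions if isinstance(actions, list) else []:
        if (isinstance(action, dict) and action.get("type") == "CUSTOM"
                and action.get("payload") == MENU_ITEM_ID):
            log("menu item %r selected" % MENU_ITEM_ID)
            pending.put((note.get("userToken"), note.get("itemId")))
    return 200

if __name__ == "__main__":
    print(handle_notification(SAMPLE_BODY))
```

If the first log line appears but the "selected" line never does, the callback is being reached and the problem is in matching the menu item id rather than in the subscription.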
I am confused about how cookies are set. It seems that cookies can be sent in the request header, even after I have deleted them all.
What I do:
In IE: delete all cookies (wrench-thing->safety->delete browsing history-> check all, except preserve favorites-> Delete)
Go to random site (google.com) and open the Network tab (F12/Network) - because it won't open from blank tab.
Make sure browsing history persists (tools-> clear entries on navigate-> uncheck both)
Click "Start capturing"
Go to site: http://www.klm.com/travel/dk_da/index.htm
Look at Network data. For the first url (http://www.klm.com/travel/dk_da/index.htm ), click "Go to detailed view". Click "cookies"
I look at the cookie that is being sent (in Cookies tab or under 'Request headers') and it's already sending 7 values, for example, EBT_JSESSIONID. But, where do these values come from? I haven't received anything at this point. I realize that cookies can be set via javascript, but I haven't loaded any js at this point either.
I am trying to figure this out as part of web scraping. Really want to be able to do it without Selenium or the like, and need to generate/use the various IDs that are being passed around the various calls.
Using Chrome on Mac we had this issue and restarting the browser did solve the issue. The scenario was weird because the value was being sent only for one specific HTML.
I'm trying to post a feed on my wall or on the wall of some of my friends using the Graph API. I gave all permissions that this application needs, allow them when I make the request from my page, I'm having a valid access token but even though this exception occurs and no feed is posted. My post request looks pretty good, the permissions are given. What do I need to do to show on the Facebook app that I'm not an abusive person? The last thing I did was to dig in my application Auth Dialog to set all permissions I need there, and to write why I need these permissions.
I would be very grateful if you tell me what is going on and point me into the right direction of what do I need to do to fix this problem.
Had the same problem. I figured out that Facebook was refusing my shortlinks, which makes me a bit mad...but I get the point because it's possible that shortlinks can be used to promote malicious content...so if you have shortlinks as part of your test, replace them w the full url...
I believe this message is encountered for one of two reasons:
Your post contains malicious links
You are trying to make a POST request over a non-https connection.
The second one is not confirmed but I have seen that behavior. While the same code in my Heroku hosted app worked fine, it gave this #368 error on my 000webhost hosted .tk domain which wasn't secured by SSL.
Just in case anyone is still struggling with this, the problem occurs when you put URLs or "action links" that are not in your own app domain. If you really need to post to an external page, you'll have to post to your app first, then redirect from there using a script or something. Hope that helps.
Also, it's better in my opinion to use HTTPS links, as sometimes I've seen a behaviour where http links would be rejected, but that's intermittent.
I started noticing that recently as well when running my unit tests. One of the tests I run is submitting a link that I know Facebook has blocked to verify that I handle the error correctly. I used to get this error:
Warning: This Message Contains Blocked Content: Some content in this message has been reported as abusive by Facebook...
But starting on July 4th, I started receiving this error instead:
(#368) The action attempted has been deemed abusive or is otherwise disallowed'
Both errors indicate that Facebook doesn't like what you're publishing.