After many hours of debugging some strange error occurring on our classic ASP website, I found what could be the cause of the error when reading the Request.Cookies collection.
An example of an HTTP_COOKIE header received from the client browser is:
HTTP_COOKIE:=true; ASPSESSIONIDSQRRDDRS=PAMMOMMAKGDHMAOGLEJPMLIM; X-XAct-ID=e8eb8d86-670c-46ef-ba64-14cc931fd13f; 643af15a72242b4dd892fe8c0c088a39=d60badbf9bebc14f573b4aa7f0474deb; sid=fr33cf49981a883ca433dd333692832ffdd8ee8a; _locale=pt_BR; 21411886ec077054c92080ba94ba91a2=fac31597bd8bf7e4cb5991c7547ad58c; brstyleid=9; brsessionhash=9d5dce337d314e85ec44a9b69a258fbd; brlastvisit=1438799253; brlastactivity=0; lnlang=no; _talentoday_session=3e9172578651a5bd36a9687bfadf7ada; sticky=no-match; BBC-UID=f5f51c92557579d5f8b9575621a86a8a48e81e9c3020707c72e9631f89622caf0Mozilla%2f5%2e0%20%28Macintosh%3b%20Intel%20Mac%20OS%20X%2010%2e8%3b%20rv%3a21%2e0%29%20Gecko%2f20100101%20Firefox%2f21%2e0; ypsession=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f90505e4298571bc306b4845413b42b2%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A11%3A%225.9.145.132%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A65%3A%22Mozilla%2F5.0+%28Windows+NT+6.2%3B+rv%3A21.0%29+Gecko%2F20130326+Firefox%2F21.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1438799253%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D0214f53a8afe0b556dd83f2b1a3ee88d; yumpu_slc=no; ASPSESSIONIDSQDSCQTS=BLAAJGIAHPOPIFJKJBFGGCOD; ljident=2969834924.20480.0000; ftrlan=en; ismobile=0; geneweb_base=bengos; gntsess5=06cfbqo0i1qgcfecn5f56msfo4; autolang=fr; device_view=full; experiments_groups=51bdba5bd9f6233a5042745665e03d3265a87fac%7Ea%3A1%3A%7Bs%3A6%3A%2278%3A115%22%3Bs%3A8%3A%22archives%22%3B%7D; session=4e62cb6c840cd84689029e488605282970fc2925%7E55c2559636cbe2-35808714; ASP.NET_SessionId=ivmbtcjboba0sft03rrksblk; PD_Captcha=rcount=1&SearchResults=http%3a%2f%2fdoctor.webmd.com%2fdoctor%2fgonzalo-de-quesada-md-537ca80f-752d-4aaa-82c3-1c2c7b447022-appointments; NSC_epdups-xfc.dpo.tfb1*80=ffffffffaf1a188345525d5f4f58455e445a4a423660; SESSION_ZIG=Yzg1NmRjYThkMjE4MWE5OGQ2M2Q3YTU2NzNmOTE0NGE6OjdjZDFkYzZjYTcyMzYxNDRhMTI1YWVkNjM2ZWIxNDUy; GSCK_AVCA=YToxOntpOjcwNzM4O2k6MTQzODc5OTI1NDt9OjpmZWY4MWViYTU5NTJiYzU5MTVlZmVlMTQ4YWY0M2JhNg%3D%3D; _uv_id=1466248598; 
SERVERID=r88|VcJVm|VcJVm; SESS57cde0ccb3a63ef1692b1270e90b46cc=bctkcqro3j98uvgn84e7h7e5i0; VISITOR_INFO1_LIVE=k__fn-xf0m4; YSC=NKv9iWTX4AQ; s1=6q5M2Ujn7Qdc663oy88WrFn4_wmABvFNB; __cfduid=d7d5f0bf9eb9853a44349aa3aafac5ec51438799254; CAKEPHP=hi2u1sapas3r6n7iuje3nvbg15; visited=20150805; PHPSESSID=vbdub74d1ee6uvs42rlgaejjt3; BX=7sb6jvdas4lcn&b=3&s=fi; NID=70=hRIXSnhVo35s-0cSEvmn7mHoqIgfYGjFsgRMvATllAVMIXg_Q6eZpVITVZDVRmYD5TnbJCm1kBAIk1Hamk1ilSLtekGVSKRr51GZy1_-ul2AK8qXbdUBADsbuFLAC-xX; startD=R3876064936; session_id=7bb23c0df78d28170d038fa36d43f989; cat=198897; cpop=1
First, notice that the first cookie is missing its key. Is it valid, and if not, might it explain why I get an error when trying to access the Request.Cookies collection?
Also, except maybe the "ASPSESSIONIDXXXXXXXX" cookies, none of the other cookies even belong to my website's domain. What the heck? "Correct" browsers should not send cookies from other domains, right?
This guy's user agent string is: Mozilla/5.0 (Macintosh; Intel Mac OS X 107) AppleWebKit/534.48.3 (KHTML like Gecko) Version/5.1 Safari/534.48.3
I would think Safari would follow this domain rule... Anyway, it does not seem related to a specific browser, because I get many similar requests with other browsers...
Any idea what is happening?
I found from the IP addresses that the requests were not legitimate and were probably made by a bot that is spoofing the user agent string.
I also found that any attempt to read Request.Cookies raises an error when the Cookie request header contains a cookie with no key, like "=true". It is sad they didn't think of ignoring invalid cookie strings when implementing the collection.
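As an added illustration (Python, not code from the original post), here is a tolerant parser for a raw Cookie header that skips fragments without a valid name, such as the "=true" pair above, and reports them separately instead of failing the whole request. The sample header is constructed from a few of the pairs shown above plus two more malformed fragments.

```python
import re

# cookie-name is an RFC 6265 "token": no control characters or separators
COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_cookie_header(header):
    """Split a raw Cookie header into (accepted, rejected).

    accepted maps cookie name to value for well-formed "name=value" pairs;
    rejected lists the raw fragments that were skipped (no name, no "=", or
    a name with forbidden characters) so they can be logged rather than
    turning the whole request into an error.
    """
    accepted, rejected = {}, []
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue  # a trailing "; " is harmless
        name, sep, value = fragment.partition("=")
        name = name.strip()
        if not sep or not COOKIE_NAME.match(name):
            rejected.append(fragment)
            continue
        accepted.setdefault(name, value.strip())  # keep the first occurrence
    return accepted, rejected


# Constructed sample: the keyless "=true" pair from the question, a few real
# pairs from the header above, a bare word and a pair with an empty name.
SAMPLE_HEADER = (
    "=true; ASPSESSIONIDSQRRDDRS=PAMMOMMAKGDHMAOGLEJPMLIM; sticky=no-match; "
    "lnlang=no; bare; ==x; "
)

if __name__ == "__main__":
    ok, bad = parse_cookie_header(SAMPLE_HEADER)
    print("accepted:", ok)
    print("rejected:", bad)
```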
I'm getting a browser error when using the SustainSys.Saml2 library with my app:
400 Bad Request
Request Header Or Cookie Too Large
nginx/1.14.0
I think that reducing my cookie size might help, and I only really need the email from the claim data, so I thought that if I could just save the email claim and remove the other claims, it might reduce my cookie size and fix this error.
I read the response to a similar question (SustainSys.Saml2 Request length header too long) and looked for some information on how to implement AcsCommandResultCreated to remove unused claims (and hopefully reduce cookie size). I didn't find a lot of documentation, but I did piece together some ideas and code to take a stab at it.
I've tried this code in my global.asax as well as in a controller action (that I made the "returnUrl" after Saml2/Acs). It doesn't look like my FedAuth cookie (set by Saml2/Acs) is any smaller. Any comments or suggestions? Thank you.
// Check if email claim exists
var principal = ClaimsPrincipal.Current;
var userEmail = principal.Claims.FirstOrDefault(claim => claim.Type == ClaimTypes.Email)?.Value;
// Create new command result that only contains the email claim
if (userEmail != null)
{
    var emailClaim = principal.Claims.FirstOrDefault(claim => claim.Type == ClaimTypes.Email);
    Sustainsys.Saml2.Configuration.Options.FromConfiguration.Notifications.AcsCommandResultCreated =
        (commandResult, response) =>
        {
            var newCommandResult = new Sustainsys.Saml2.WebSso.CommandResult();
            // Note: Enumerable.Append returns a new sequence and leaves the
            // original claims untouched, and reassigning the lambda parameter
            // does not change the CommandResult the caller holds.
            newCommandResult.Principal.Claims.Append(emailClaim);
            commandResult = newCommandResult;
        };
}
UPDATE:
It turned out that the test environment I was using (which used nginx) needed an increased request header buffer size. Adding these cookies increased the size to around 9500 bytes, and nginx by default has a request header buffer size that is lower than that (I think 8000). I contacted the code owners of the test server running nginx, and increasing it solved my problem without me having to reduce my cookie size.
Do you have a lot of failed authentication attempts? That can leave a lot of Saml2.XYZ correlation cookies around on the domain. Try checking the browser dev tools and clean those up.
The "headers too large" error is usually something that happens when a user has tried signing in several times with a failure and those cookies get stuck. The real issue is usually something else that is causing the authentication to fail and those correlation cookies to accumulate.
I am wondering whether anyone can help me with one thing I cannot get my head around. It is really bothering me, as I spent the last two days on it but couldn't make it work.
Basically, I am building an app (Django, Python) to store the information regarding all the network devices, e.g. hostname, IP address, S/N, rack info etc., but I also want to enable a few options like Add, Edit, Delete and Connect next to each device entry. I was able to create all the options except the Connect option, where I am completely stuck. I am trying to query the database to get the IP address information and then use the Popen module to open a PuTTY window with SSH to that device's IP address. I tried everything I could but nothing worked, therefore I am asking for your help if you have any idea about this, or any other alternative method so that when a user clicks on Connect, PuTTY or a similar app will open and he just puts in the login credentials and gets into the device.
I am sharing my code here; let me know if I am doing something wrong.
On the show-all-devices page, I have this code, show.html:
<td>Connect</td>
<!--<td>Connect</td>-->
I tried both ways, with the id and with the IP address entry in the database.
In view.py:
def connect(request, ip_address):
    # HostList.ip_address is the field descriptor on the model class, not a
    # value loaded from the database, which is why a DeferredAttribute is printed
    hostlist_ip = HostList.ip_address
    print(hostlist_ip)
    Popen("putty.exe" + hostlist_ip)
    return redirect('/show')
and in url.py:
path('connect/<str:ip_address>', views.connect),
or
path('connect/<str:ip_address>', views.connect),
Since I am also printing the output on the terminal, I notice that it is not returning the actual IP address but returns this:
<django.db.models.query_utils.DeferredAttribute object at 0x04B77C50>
and on the web I receive this error:
TypeError at /connect/10.10.32.10
can only concatenate str (not "DeferredAttribute") to str
Request Method: GET
Request URL: http://localhost:8000/connect/10.10.32.10
Django Version: 2.2.3
Exception Type: TypeError
Exception Value:
can only concatenate str (not "DeferredAttribute") to str
Let me know if you can help.
Just an F.Y.I.: I already tested Popen via Python, but since we are not getting the actual IP address from the database I am seeing this. I am a complete newbie with HTML/CSS and Django, though I have some basic knowledge of Python, so please ignore any stupid comments in my post.
Many thanks
Ahh, I cannot believe I spent two days troubleshooting this and just changing the name from ip_address to ip_add made it work now :) I think, as I mentioned above in the comment, it was probably getting confused with the built-in module.
Here is the simple solution:
views.py
def connect(request, ip_add):
    from subprocess import Popen
    # Start PuTTY directly with the address as a separate argument: no shell
    # and no string concatenation, so a crafted URL segment cannot change
    # which command runs
    Popen(["putty.exe", ip_add])
    return redirect('/show')
url.py
path('connect/<str:ip_add>', views.connect),
I may have to find a way to detect whether the user is using a Mac or Linux and how I am going to change this powershell to something else, but anyhow it is working for Windows.
Thanks all for the responses.
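As an added example (Python, not the original poster's code), the core of that view done defensively: the URL segment is validated as a literal IP address and PuTTY is started with an argument list rather than a string pasted into a command line, so a crafted URL cannot alter what gets executed. It assumes putty.exe is on the PATH of the machine running Django, which is also where the window opens, since Popen runs on the server and not in the user's browser; the model and field names in the final comment are assumptions too.

```python
import ipaddress
import subprocess

PUTTY = "putty.exe"  # assumption: PuTTY is on the PATH of the Django host


def connect_argv(ip_text):
    """Build the argv list for PuTTY from the URL segment <str:ip_add>.

    ipaddress.ip_address accepts only a literal IPv4/IPv6 address, so any
    extra text (spaces, separators, a second command) raises ValueError
    before anything is executed.
    """
    try:
        target = ipaddress.ip_address(ip_text.strip())
    except ValueError as exc:
        raise ValueError(f"refusing to connect to {ip_text!r}") from exc
    # Each argument is passed separately: no shell, no string concatenation.
    return [PUTTY, "-ssh", str(target)]


def launch(ip_text):
    """Start PuTTY on the server; returns the Popen handle."""
    return subprocess.Popen(connect_argv(ip_text))


# In the Django view the address would come from the database, e.g.
# HostList.objects.get(pk=pk).ip_address (assumed model and field names),
# be passed through launch(), and the view would then redirect to '/show'.
# Validating the stored value too guards against a bad row in the table.
if __name__ == "__main__":
    print(connect_argv("10.10.32.10"))
```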
I am building a REST client with cpprest-sdk to communicate with a web service. The problem is that every once in a while, after sending multiple successful requests (around 50), I get the exception:
WinHttpSendRequest: 2148074273 insufficient cache in function
Or sometimes:
ERROR_WINHTTP_SECURE_FAILURE (12175)
I tried to look for cache options in cpprest-sdk but did not find anything. Since the exception happens inside cpprest-sdk when I call .wait() on my task, I am not sure if I can use WINHTTP_STATUS_CALLBACK to check for more details on this error. How can I investigate deeper to find the cause of this error?
Here is my REST request:
void MyRestClient::PostKeys(const std::string & sKek, const std::string & sKid, const std::string & sCustomerAuthenticator) {
    // Build /keys?customerAuthenticator=...&<KEK>=... (KEK and KID are the
    // query and body key names defined elsewhere in the client)
    uri_builder oBuilder(U("/keys?customerAuthenticator=") + to_string_t(sCustomerAuthenticator));
    oBuilder.append_query(KEK, to_string_t(sKek));
    // JSON body carrying the key id
    json::value oBody;
    oBody[KID] = json::value::string(to_string_t(sKid));
    web::http::http_request oRequest;
    oRequest.set_method(methods::POST);
    oRequest.set_request_uri(oBuilder.to_uri());
    oRequest.set_body(oBody);
    // oClient is the http_client member; the continuation runs on the response
    m_oCurrentTask = oClient.request(oRequest).then([this](http_response oResponse) {
        OnPostResponse(oResponse);
    });
}
According to https://msdn.microsoft.com/en-us/library/windows/desktop/aa383928(v=vs.85).aspx (4th bullet), POST requests should not be cached, so I don't understand why I am getting the first exception. I also tried to disable HTTPS caching as the 6th bullet in the link suggests, but that did not change anything.
Has anyone experienced something similar or have any insight as to what may be happening? Or is this normal behavior and should I just retry my request when these exceptions happen?
Does your web service use TLS with Diffie-Hellman key exchange? If yes, you are probably seeing a bug in SChannel, which is the SSL implementation of Windows; see here for a confirmation. Unfortunately, the only available fix is an update of the Windows version on which your client is running to a recent build of Windows 10.
C++ Sockets. Getting information from a website.
I am trying to read content from the web using sockets, using the following code.
// l_url holds the string to resolve; l_address is the hints struct and
// l_addr_ll receives the linked list of results
int status = getaddrinfo(l_url.c_str(), "http", &l_address, &l_addr_ll);
if (status != 0) {
    printf("\n ***** getaddrinfo() failed: %s\n", gai_strerror(status));
    return FAILURE;
}
The code works fine for URLs like "www.yahoo.com" and "www.google.com"; however, it doesn't work for URLs like "www.google.com/nexus".
Any URLs having a "/" are not working with this code. Am I missing anything?
getaddrinfo gives you information about network addresses, not about URLs. A URL is not a network address, though it often contains one. A string like "www.google.com/nexus" is neither a URL nor an address (though it might well be part of a URL), so it's not surprising that getaddrinfo fails for it.
The man page says that the first parameter is supposed to be a host name. The host name is just the first part, up to the top-level domain. Everything thereafter does not belong to the host name. Take care: some parts before it may also not belong to the host name, especially if you see an # in your URL.
Have a look at the Wikipedia article on URLs; there is a lengthy explanation of which part of a URL actually is the host name you can put into your function.
As per the man page, one needs to pass the URL information to the getaddrinfo method. For this, the user must pass the name of the website, like "www.google.com".
However, while requesting data, the user posts a request, and at that point the user could post a URL like "www.google.com/nexus".
The address will be the same for a URL; however, the request varies, hence one needs to get the address of the website using only the part up to ".com". Once the address info is received, further requests can be made accordingly.
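Added example (Python, not code from any of the answers above): extracting the host part that getaddrinfo actually expects from a URL-like string, covering the scheme-less "www.google.com/nexus" form from the question as well as userinfo, explicit ports and bracketed IPv6 literals; resolve() then hands just that host to socket.getaddrinfo, the same call the C code makes.

```python
import socket
from urllib.parse import urlsplit


def host_and_service(url):
    """Return (host, service) for getaddrinfo from a URL-like string.

    Only the authority part of a URL names a host; the path, query and
    fragment belong to the HTTP request, not to name resolution.
    """
    if "://" not in url:
        url = "//" + url  # scheme-less input such as www.google.com/nexus
    parts = urlsplit(url)  # handles user:pw@, [IPv6] brackets and :port
    if not parts.hostname:
        raise ValueError(f"no host name in {url!r}")
    # An explicit port wins; otherwise the scheme doubles as the service name
    if parts.port is not None:
        service = str(parts.port)
    else:
        service = parts.scheme or "http"
    return parts.hostname, service


def resolve(url):
    """The same getaddrinfo call as in the C code, fed with just the host."""
    host, service = host_and_service(url)
    return socket.getaddrinfo(host, service, type=socket.SOCK_STREAM)


if __name__ == "__main__":
    for u in ("www.google.com/nexus", "https://user:pw@example.com:8443/a#f"):
        print(u, "->", host_and_service(u))
```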
(This is the first time I've done this actually.)
<mx:HTTPService id="post_update" method="POST" result="{Dumper.info('bye')}"/>
The result handler above is just for debugging purposes, but it's never hit, even though what I'm uploading via POST...
post_update.url = getPath(parentDocument.url)+"update";
post_update.send(new_sel);
...is received and handled successfully by my Django view:
from django import http

def wc_post(request):
    request.session['wc'] = request.POST
    return http.HttpResponse("<ok/>", mimetype="text/xml")
As far as what I'm sending back from Django, I'm following the guidelines here:
Sending Images From Flex to a Server
I just don't want it to generate an error on the Flex side, considering Django is actually receiving and processing the data. Any help appreciated. I can't remember the text of the error in Flex at the moment.
UPDATE: new_sel (what I'm posting from Flex) is just a Flex Object, with various text fields.
UPDATE: various error messages from event.message (in fault handler):
faultCode = "Server.Error.Request"
faultString = "HTTP request error"; DSStatusCode = 500; errorID = 2032; type = "ioError"
This is more grasping at straws than an answer, but do I have to send a particular type of header back from Django? The default sent by Django includes a 200 success status code, and the response I was sending of "<ok/>" with MIME type "text/xml" was following exactly the example I provided from that other source.
Also, the URL I'm sending the POST to is localhost:8000/wr_view1/wr_webcube/update, and I previously successfully did a GET to localhost:8000/wr_view1/wr_webcube/webcube.xml, and despite the .xml extension in the case of the GET, it was still being handled by Django (and without errors in Flex). In the case of this POST, once again, the data is actually successfully sent and handled by Django, but Flex is returning Error 2032, which I found out can mean numerous different things including cross-domain issues, but I don't see how that's the case here.
Just had to return HttpResponse("ok"). It didn't like it being sent as XML for some reason. Much ado about nothing, I guess.