We are using Confluence with the F5 load balancing and quite often IE11 loses the session. When we inspect the call sequence IE11 is nicely sending the JSESSIONID cookie, but suddenly it doesn't send the JSESSIONID cookie and the server responses the error code 401 unauthorized.
When we don't use the F5 load balancing we are not able to reproduce the problem.
In the article https://connect.microsoft.com/IE/feedback/details/810700/subject-ie11-is-losing-cookie-information-and-thus-becoming-detached-from-a-web-application-session is a description about the session losing problem, but there is mentioned that the problem occurs when a new window is opened. This is not our case.
Normally we don't refresh the browser (use the F5 button), but if we press the F5 button, the problem occurs very fastly.
You need to enable "sticky-sessions".
A method used with Application Load Balancing, to achieve
server-affinity. A router or load balancer with sticky-session support
can assign a single server to a particular user, based on their HTTP
session or IP address.
Please take a look at this article on how to set it up using F5.
Related
I have a weird scenario, I have a single page application that uses microservices that has multiple servers. We have a load balancer that will randomly change my server while I am still in my SPA session and this sometimes causes me to get SSL cert errors because of the load balancer switch. On my own I have been able to just refresh my browser to get the new cert, but for users, they wouldn't necessarily know to do that. I was thinking I could refresh the page automatically or give them a dialog to refresh the page, not ideal. My backend team has a ticket to try to get all servers to use one cert but it won't be done anytime soon so they asked me to look into a front end solution. I can probably just refresh the page but sometimes it takes a couple of refreshes before I get the new cert.
Is there a way on the front end to force the browser to get a new cert without a refresh?
Thanks!
We use a custom HTTP module in IIS as a reverse proxy for web applications. Generally this works well and has done for some time, but we've come across an issue with Windows Authentication (WA). We're using IE 11, IIS 10 and Server 2016.
When accessing the target site directly, WA works fine - we get a browser login dialog when the initial HTML page is requested and the subsequent requests (CSS, JS, etc) go through fine.
When accessing via our proxy, the same (correct behaviour) happens for the initial html page, the first CSS/JS request authenticates ok too, but the subsequent ones cause a browser login to popup.
What seems to happen on the 'bad' requests (i,.e. those that cause the login dialog) is:
1) Browser decides it needs to authenticate, so sends an Authorization header (Negotiate, with an NTLM token)
2) Server responds (401) with a WWW-Authenticate: Negotiate response with a full NTLM token
3) Browser re-requests with an Authorization header (Negotiate, with a full NTLM token)
4) Server responds (401) with a WWW-Authenticate: Negotiate (with no token), which causes the browser to show the login dialog
5) With login credentials entered, Browser sends the same request as in (1) - identical NTLM token, server responds as in (2), Browser re-requests as in (3), but this time it works!
We've set up a test web site with one html page, requesting 3 JS and 2 CSS files to replicate this. On our test server we've got two sites, one using our reverse proxy and one using ARR. The ARR site works fine. Also, since step (5) above works, we believe that the proxy pass-through is fundamentally working, i.e. NTLM tokens are not being messed up by dodgy encoding, etc.
One thing that does work, is that if we use Fiddler and put breakpoints on each request, we're able to hold back on the 5 sub-requests (JS & CSS files), letting one go through at a time. If we let each sequence (i.e. NTLM token exchange for each URL/file, through to the 200 response), then it works. This made us think that there is some inter-leaving effect (e.g. shared memory corruption) in our proxy, this is still a possibility.
So, we put code at the start of BeginRequest and end of EndRequest with a Synclock and a shared var to store the Path (AppRelativeCurrentExecutionFilePath). This was for our code to 'Single Thread' each of these request/exchanges. This does what we expected, i.e. only allowing one auth exchange to happen and resulting in a 200 before allowing the next. However, we still have the same problem of the server rejecting the first exchange. So, does this indicate something happening in/before BeginRequest, where if we hold the requests back in Fiddler then they work, but not if we do it in our http module?
Or is there some sort of timing issue where the manual breakpoints in Fiddler also mean we’re doing it at ‘human’ speed and therefore allowing things to work better?
One difference we can see is the ‘Connection: Keep-Alive’. That header is in the request from the browser to our proxy site, but not passed from our proxy to the base site, yet the ARR site does pass that through... It’s all using HTTP 1.1. and so we can't find a way to set Keep-Alive on our outgoing request - could this be it?
Regarding 'things to try', we think we've eliminated things like having the site in the Intranet Zone for IE by having the ARR site work ok, and having the same IE settings for that site. Clearly, something is not right, so we could have missed something here!
In short, we've been working on this for days, and have tried most of what we can find on SO and elsewhere, but can't figure out what the heck is going on.
Any suggestions - let me know if you want any further info. All help will be very gratefully received!
I have an Apache web server and I need to do some processes outside the web server when a user requests a certain page.
I will try to be more clear: when a user requests page X, I have to start an external program, passing it some session parameters, wait for response, and then send the requested page to the user.
Is this possible to do this?
I used apache ext_mod_filter: http://httpd.apache.org/docs/2.0/mod/mod_ext_filter.html
Performances are not that great, but for my purposes it is ok.
I have successfully configured my SWT Browser application to use the proxy by setting VM arguments -Dnetwork.proxy_host and -Dnetwork.proxy_port to the according values.
However the proxy needs authentication, but the username / password prompt does not open. Futhermore when registering an authentication listener, the listener is never triggered.
The problems occured with a Linux Debian 64 Bit distribution. When compiling the same application for windows, all works fine, i.e. the password promt opens. The SWT Browser is configured to use MOZILLA, not WEBKIT. Unfortunatelly I cannot test with WEBKIT as I am limited to a given environment.
Temp solution: When starting the Linux Mozilla Browser, the prompt comes up. If entering there correct values and afterwards starting the SWT Browser application, then no authentication is needed at all and internet access is possible. But this is not a good solution.
When I register a location listener with "addLocationListener" to look whats going on with url calls, then I can see that the initial url (for example www.google.de) results to call a certain http site of the proxy server. And this http site is a redirect to a https site of the proxy. Then the https site results in calling the http redirect page again. This is then an endless loop.
I would guess that somewhere in the JAVA code of the SWT Browser class there is a routine that calls setUrl with those pages (what results in an
endless loop) and skip to call any authentication listener for some reason.
Maybe someone has an idea whats going wrong in this authentication process?
I have no solution but a hint: I'm not sure what you mean by "Linux Mozilla Browser" - I know Firefox and Xulrunner. But your workaround suggests that profile information is shared somehow and that shouldn't happen.
I tried to find some information how to define the profile (where the web browser keeps its cache, config, SSL certificates, plugins, ...) but to no avail.
This entry in the FAQ shows how to set the proxy host: How do I set a proxy for the Browser to use?
Try to find a way to add the user/password information into the request sent to the proxy server. If that fails, create a local proxy which connects to the real proxy as upstream and which can authenticate itself.
Looking at the bug database, there is no support for Browser profiles: Flexible Mozilla profile support - new API request
I have a password-protected Apache web directory I'm testing. When I first access the directory, it requires that I login in. However, on subsequent tries it let's me right in, even after I clear my browser cache- how do I get it to force a login again?
The browser stores the credentials and sends them along with every request - usually, for the duration of the current session.
Closing the browser and re-opening it makes it usually forget the credentials.
Forcing the browser to forget credentials (i.e. logging out) is tricky. See HTTP authentication logout via PHP for some approaches.
Easiest way I've found:
Using Firefox 4 on Mac,
Go to 'Tools' > 'Clear Recent History...' > 'Active Logins'
Refresh the page (You don't have to close the window)