I have a live web site in IIS 7.5. I can login to my site correctly with http protocol till I add this line in Web.config:
httpCookies httpOnlyCookies="true" requireSSL="true"
All configuration for SSL is done but I cannot login anymore with both http and https although the cookie .ASPXAUTH is created.
If I set requireSSL="false", I can login normally.
Please help!
I had the same problem and as I came across this post searching for a solution I can explain what happened: your application was configure to use secure cookies and this requires the browser to issue the request over SSL. Therefore, if requireSSL attribute is set to true, you can't log in to your website with Http
Related
I'm developing an app based on the Docusign C# Quickstart.
Its working fine on my development PC (Win 11) in Visual Studio 2019 using IIS Express.
However, when I publish it to IIS (v10) on my development PC it runs and I can authenticate with Docusign just fine (once I got the proper redirect URI registered: https://localhost/ds/callback) but the step that actually sends the envelope is returning the following error in the browser:
This page isn't working right now.
Local host can't handle this request
http error 500
Any help is appreciated. I logged a support ticket with Docusign, but still waiting for a response.
Quickstart is just an app to show you how to use DocuSign APIs.
The redirect after signing is back to localhost, and your app, once ready to be deployed to server, has to be set with a proper URL, at which point you'll need to update the redirect URI to the one based on your server.
The 500 error is coming from your app, not from DocuSign. You need to figure out why your app cannot handle the URL that is set for redirect after signing by DocuSign.
The base API address demo.docusign.net/restapi is used to reach the development/ test platform. The na4.docusign.net/restapi address is one of DocuSign's (many) production platforms.
Remember that, once you have passed the Go-Live process, you have two Client IDs (integration keys) one for the test platform, one for all of the production platforms. Each has its own settings.
Added
The error
This page isn't working right now.
Local host can't handle this request http error 500
Is from IIS. Use IIS logging to see the URL request that is coming in that can't be handled.
To see if it is the redirect from the initial OAuth Authorization Code grant URL, examine the initial URL redirect to account.docusign.com (prod URL).
The redirect contained as a query parameter in the initial OAuth redirect must:
Be correct for your instance of IIS.
Be allowed by your setting for the client ID (integration key) in DocuSign
1, Be properly handled by your IIS and its app.
When communications happen over http, OpenIdConnect Nonce and Correlation cookies are not removed after successful authentication and it will cause Nginx Request Header Or Cookie Too Large error.
The Microsoft.AspNetCore.Authentication.OpenIdConnect Version=3.1 is used for the web application authentication. After first login, the user will be challenged every time they want to switch between some services. By every re-authentication, two new Nonce and Correlation cookies will be generated. If the communications happen over http, these cookies will not be removed after successful authentication until they got expired (15 mins). If the user keeps switching between services in this period, the app will fail for them withNginx Request Header Or Cookie Too Large error.
For an almost similar issue in Microsoft.Owin.Security.OpenIdConnect, there has been some solutions like this but I couldn't implement it since my app is using AspNetCore OpenIdConnect version 3.1.
How can I implement similar solution in AspNetCore to remove the old nonce/correlation cookies?
It turned out that there was some misconfiguration on OpenIdConnnect options. The problem was that the try to remove cookies was failing because of missing "secure" flag. After setting the SecurePolicy to Always for Nonce and Correlation cookies, they were removed successfully.
...
options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
...
I want to controll authentication with cookies. And In my browser working successfully.
But When I tried to test with postman, Postman doesn't add cookie to new request.
step - I login and response header like that:
But the response cookies tab like that:
And manage cookies window like that:
step - I send a request to unprotected router and I get unauthorized error.
This error started today. I don't remember making any changes to the settings.
Why Im getting this type error. How can I solve this?
I also had this problem, the fix is to remove the secure flag in the cookie when sending cookies from localhost as cookies set as secure can only be sent over HTTPS.
I had this issue when testing a local Laravel Sanctum request to /login.
I had the following .env values set
SESSION_DOMAIN=docker-api-service-name
SANCTUM_STATEFUL_DOMAINS=docker-api-service-name
However these needed to be set to localhost to match the domain of the APP_URL. After this, everything was working fine.
SESSION_DOMAIN=localhost
SANCTUM_STATEFUL_DOMAINS=localhost
Someone mentioned that setting the secure flag to false will solve it, and it will. The explanation however was not entirely correct.
Secure will indeed only work over secure connections (HTTPS). However, it will also work over HTTP if it's done in localhost: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
I've got Azure ServiceFabric web-app (AspNetCore 3) hosted over reverse proxy (NGinx). The app use AzureAD (in company) authentication. I've Registered App for the AD and setup Redirect Urls. After publishing the APP and configuring DNS and reverse proxy I tried to authorize to my app but failed with error
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '...-...-...-...-...'.
I snifed the request and found that it redirects to the internal IP but not domain name
https://login.microsoftonline.com/aeb55839-c47b-4fea-8d95-912f673fa7ac/oauth2/v2.0/authorize?client_id=.....&redirect_uri=http%3A%2F%2F10.2.0.5%3A44321%2Fsignin-oidc...
It seems that I've looked everywhere but I cannot stil found where I can specify redirect url manually (only CallbackPath).
Does anyone solve the issue?
Update 1.
Add screenshot from Azure Portal
Update 2
Mannually add http://10.2.0.5:44321/signin-oidc to the Redirect Url, get a new exception
AADSTS500117: The reply uri specified in the request isn't using a secure scheme.
I wonder whether I have to make my ASF cluster secured to allow AD Authorization? It seems to me strange due to I want to secure traffic to reverse proxy only.
This error will occur when there is a mismatch of redirect URI being sent in the request to AAD while fetching the token and the one registered with the Application Registration Object in AAD portal.
In App Registration blade of AAD and look for the redirect URI section present under "Authentication" section of the registered application and update the redirection
URL. Please refer to the screenshot below:
update:-
The Reply url you are using in your code is http://10.2.0.5:44321/signin-oidc which is different from reply url defined in Azure AD i.e., https://dev-adm.project-llc.ru/signin-oidc. Please update the reply url in code or in AAD.
I have enabled IWA on WSO2 IS 5.0 and configured the browser for the same. Now when I try to access the SP through non-domain user , I get browser pop-up to enter the user credentials. Now when I cancel the prompt I get a Apache default error page for 401.
Is there any way wherein I can configure customize error page for the same? I tried to configure the error-page tag in D[WSO2_IS_HOME]\repository\conf\tomcat\web.xml but this doesn't work for me.
If I configure for an existing general error page like this
<error-page>
<error-code>401</error-code>
<location>test/generic-exception-response.jsp</location>
</error-page>
it displays the carbon login page and on encountering 401. On entering the login details here I get the configured error page
I'm sure some security setting is avoiding this to work as expected. Can anybody give me pointers to the solution?