Resetting password-protection on Apache web directory - apache

I have a password-protected Apache web directory I'm testing. When I first access the directory, it requires that I log in. However, on subsequent tries it lets me right in, even after I clear my browser cache. How do I get it to force a login again?

The browser stores the credentials and sends them along with every request, usually for the duration of the current session.
Closing the browser and re-opening it usually makes it forget the credentials.
Forcing the browser to forget credentials (i.e. logging out) is tricky. See HTTP authentication logout via PHP for some approaches.

Easiest way I've found:
Using Firefox 4 on Mac,
Go to 'Tools' > 'Clear Recent History...' > 'Active Logins'
Refresh the page (You don't have to close the window)

Related

The browser clears session cookies when a user returns from the payment gateway (Chrome)

The application is facing a persistent-session issue after the recent browser updates (e.g., Google Chrome v84 onwards).
When the application is browsed using an incompatible browser version, the application cannot have a persistent session across a transaction that happens through the payment gateway. Due to this, the user gets logged out automatically after the user is redirected back from the payment gateway. Thus the user is not recognized as the client who initiated the payment.
This problem mostly happens with Chrome 80+; all other browsers work fine (Firefox, Safari, Edge, mobile browsers like Samsung Internet, etc.). Older versions of Chrome also work fine (<=79).
How can this be fixed?
To fix the above issue, the following cookie modification header should be configured in the app/proxy server in the application vhost (e.g., the Apache vhost).
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
After applying the above configuration the server should be restarted.
Note that if the app/proxy server is different from Apache (e.g., nginx) the above configuration should be changed accordingly.
If the above configuration is successful, the following change is noticed in the browser developer tools under Cookies (e.g., Firebug):
The values of HttpOnly & Secure should be true, and the value of SameSite should be None.
Google Chrome doesn't delete the session cookie; it just does not send it on a POST request from a 3rd-party domain. So you can create an interface page for returning from the payment site and save the posted contents in the session, then redirect the user to the main payment confirmation page. Also, you can repost the data to the confirmation page without saving them using an HTML form. Please note that you shouldn't check whether the user is logged in, or any cookie, on the interface page.
Payment site ==post==> Interface page (cookie isn't sent)
Save the posted data to the session
Interface page ==redirect==> confirmation page (cookie is sent)
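An added check for the situation in this thread, written here and not part of either answer: Python that parses Set-Cookie values as the browser sees them, applies the `Header edit` rewrite above literally and as an idempotent variant, and tests whether a cookie would still be sent on the cross-site POST back from the gateway. The cookie values are constructed for the illustration.

```python
import re

# Constructed Set-Cookie values as an app server might emit them before the fix.
RAW_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/",                   # no security attributes at all
    "cart=7; Path=/; Secure",                      # Secure, but SameSite unspecified
    "pref=dark; Path=/; SameSite=Strict; Secure",  # explicitly first-party only
]

def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() or True  # bare flags become True
    return name, val, attrs

def survives_cross_site_post(value):
    """Chrome 80+ treats a missing SameSite as Lax, so the cookie is withheld on the
    cross-site POST back from the payment gateway. Only SameSite=None is sent, and
    Chrome drops SameSite=None entirely unless Secure is also present."""
    _, _, attrs = parse_set_cookie(value)
    samesite = str(attrs.get("samesite", "lax")).lower()
    return samesite == "none" and attrs.get("secure") is True

def apache_header_edit(value):
    """Literal equivalent of: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None"""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=None", value)

def harden_set_cookie(value):
    """Idempotent version of the same edit: remove any existing HttpOnly/Secure/SameSite
    tokens, then append one canonical set. The blind regex above appends a second copy
    each time it runs, e.g. when both the app server and a proxy apply it."""
    parts = [p.strip() for p in value.split(";")]
    managed = ("httponly", "secure", "samesite")
    keep = [p for p in parts[1:] if p.partition("=")[0].strip().lower() not in managed]
    return "; ".join([parts[0]] + keep + ["HttpOnly", "Secure", "SameSite=None"])
```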

TestCafe: why t.navigateTo(URL) clears out the cookie

I'm manually setting the cookie during the test run, as the userRole is not working for me in my local environment: the client sets the cookie and, for some reason, TestCafe clears it out.
When my first test is run it kicks me out, and I set the cookie before the second test. I can see the cookie exists, but as I'm already on the login page I need to use t.navigateTo(URL) to get to the homepage. When I use t.navigateTo(URL) it clears out the cookie and I stay on the login page instead of the homepage.
If I manually enter the URL of my homepage while the test is stopped at a breakpoint, I'm successfully able to go to my home page, and my tests pass if the debug session is resumed from this point onwards.
I was hopeful that t.navigateTo(URL) would just be doing the redirect to URL, but it seems that with the redirect it is clearing out cookies as well. Any fix for this?
I actually figured it out. Running the tests with the flag --disable-page-caching worked.

How does apache match authentication/authorization information with subsequent http requests from same user?

When you protect an area of your document root using either the server configuration or .htaccess, the server prompts for a username and password when someone requests those files from a browser. If the password matches the one from the authentication provider for that user, the documentation at http://httpd.apache.org/docs/2.2/howto/auth.html says that Apache will set environment variables for that user. In my case I'm building a PHP app, and using phpinfo() I gather that the environment variables set are REDIRECT_AUTHENTICATE_SAMACCOUNTNAME, AUTHENTICATE_SAMACCOUNTNAME (using Active Directory as the authentication provider), and REMOTE_USER. I believe this is what prevents the user from being prompted again and again on each subsequent request.
What I don't understand is how Apache matches requests from a user with the environment variables set for that user, and also when and how it knows to clear those variables. It doesn't appear to use cookies, because I cleared all the cookies for the domain in question, and still it doesn't ask me to reauthenticate unless I actually close the browser.
Ultimately I'm going to be working with php to get the userid and to maintain state, but since php is getting the information from the apache information, I'd like to know about that context, and I don't seem to be able to find these details. Thanks in advance.
Look at the HTTP headers your browser is sending. After you have supplied a username and password, your browser will continue sending those details to that site until your browser session ends, or longer if you tell your browser to remember the credentials.
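The mechanism asked about in this thread and in the first one on this page, as an added example written here (not code from any of the posters): a toy Basic-auth server that, like Apache, re-verifies the Authorization header on every request and keeps no server-side state, plus a toy browser that caches the header and resends it. The user table, realm name and `/logout` path are constructed for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed user table: username -> SHA-256 hex of the password (illustration only;
# htpasswd stores bcrypt/apr1-md5 hashes and a real service should use a slow KDF).
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}
REALM = "Restricted Area"  # stands in for the AuthName directive


def parse_basic_authorization(header):
    """Return (user, password) from an 'Authorization: Basic <base64>' value, or None."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user, password


def handle_request(path, headers):
    """Server side: like Apache, check the header on every request; nothing is remembered."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if path == "/logout":  # a deliberate 401 is what makes the browser drop its cached header
        return 401, challenge
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if user not in USERS or not hmac.compare_digest(USERS[user], digest):
        return 401, challenge
    return 200, {"REMOTE_USER": user}  # the variable Apache then exposes to PHP/CGI


class Browser:
    """Client side: the only 'session' is this cached header, resent on every request."""
    def __init__(self):
        self.cached_auth = None

    def get(self, path, login=None):
        headers = {"Authorization": self.cached_auth} if self.cached_auth else {}
        status, resp = handle_request(path, headers)
        if status == 401 and login:  # the 401 shows the prompt; typed credentials get cached
            self.cached_auth = "Basic " + base64.b64encode("{}:{}".format(*login).encode()).decode()
            status, resp = handle_request(path, {"Authorization": self.cached_auth})
        if status == 401:
            self.cached_auth = None  # rejected or logged out: forget, so the next request prompts
        return status, resp
```

Clearing cookies has no effect on this flow because no cookie is ever set; only the cached header carries the "session".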

Xenu Link checker

I want to use an application that checks for broken links. I got to know that Xenu is one such piece of software. I do not have access to the internal aspx/http files on a drive. The problem I am facing is that the website requires the user to be authenticated. After login I need to crawl the site to determine which links are broken.
As an example, I kick off with mail.google.com. We end up typing the username and password, after which we are served different URLs. If I give Xenu (or similar programs) a link such as mail.google.com, it will not be able to fetch URLs inside mail.google.com, which will be of the type /mail/u/0/?shva=1#inbox/ etc. There lies the problem.
With minimal scripting, how can I give Xenu (or another similar app) the capability to log in, by providing an external URL (mail.google.com in this example), in order to do whatever Xenu has to do?
Thanks
Balaji S
Xenu can be used with an authenticated user as long as the cookies are persistent. You will need to enable cookies in Xenu and login once yourself using IE.
From their FAQ:
By default, cookies are disabled, and Xenu rejects all cookies. If you need cookies, because you have used Internet Explorer to authenticate yourself before starting a run, or to prevent the server from delivering URLs with a session ID, then you can enable the cookies in the advanced options dialog. (This has been available since Version 1.2g.)
Warning: You should not use this option if you have links that delete data, e.g. a database or a shop - you are risking data loss!!!
You can enable cookies in the Options menu. Click Preferences and switch to the Advanced tab.
For single-page applications (like Gmail) you will also need to configure Xenu to parse JavaScript.
This is done by modifying the ini file (traditionally at C:\Program Files (x86)\Xenu135\Xenu.ini) and adding a line under [Options]:
Javascript=[Jj]ava[Ss]cript: *[_a-zA-Z0-9]+ *\( *['"]((/|ftp://|https?://)[^'"]+)['"]
There are several variations provided in their FAQ, but I didn't get them to work perfectly.

SWT Browser Plugin does not prompt for proxy authentication

I have successfully configured my SWT Browser application to use the proxy by setting VM arguments -Dnetwork.proxy_host and -Dnetwork.proxy_port to the according values.
However, the proxy needs authentication, but the username / password prompt does not open. Furthermore, when registering an authentication listener, the listener is never triggered.
The problems occurred with a Linux Debian 64-bit distribution. When compiling the same application for Windows, all works fine, i.e. the password prompt opens. The SWT Browser is configured to use MOZILLA, not WEBKIT. Unfortunately I cannot test with WEBKIT as I am limited to a given environment.
Temp solution: When starting the Linux Mozilla browser, the prompt comes up. If I enter the correct values there and afterwards start the SWT Browser application, then no authentication is needed at all and internet access is possible. But this is not a good solution.
When I register a location listener with "addLocationListener" to look at what's going on with URL calls, I can see that the initial URL (for example www.google.de) results in a call to a certain HTTP site of the proxy server. And this HTTP site is a redirect to an HTTPS site of the proxy. Then the HTTPS site results in calling the HTTP redirect page again. This is then an endless loop.
I would guess that somewhere in the Java code of the SWT Browser class there is a routine that calls setUrl with those pages (which results in an endless loop) and skips calling any authentication listener for some reason.
Maybe someone has an idea what's going wrong in this authentication process?
I have no solution but a hint: I'm not sure what you mean by "Linux Mozilla Browser" - I know Firefox and Xulrunner. But your workaround suggests that profile information is shared somehow and that shouldn't happen.
I tried to find some information how to define the profile (where the web browser keeps its cache, config, SSL certificates, plugins, ...) but to no avail.
This entry in the FAQ shows how to set the proxy host: How do I set a proxy for the Browser to use?
Try to find a way to add the user/password information into the request sent to the proxy server. If that fails, create a local proxy which connects to the real proxy as upstream and which can authenticate itself.
Looking at the bug database, there is no support for Browser profiles: Flexible Mozilla profile support - new API request