Apple Developer Connection log-in problems - authentication

Is there a trick to logging in to Apple Developer Connection? For the past two weeks, out of about 100 tries, I've been able to log in three times. Every other time, after a successful entry of my username and password, it takes me back to the login screen.
This happens to me on both my Macs, on Safari and Firefox, so I'm not hopeful of a solution. But I have a hard time believing that the situation is really this bad...

I am having the same problem; I have narrowed it down to a problem with my ISP. Of course they will not acknowledge it, but the problem only arises when I attempt a login from home. I think they are probably using a caching proxy, and something in the scheme used by Apple to login->access the content makes the proxy believe it's only visiting content that is still valid. I am going slightly mad because of this.

This question and the related discussion clued me in to how to fix my problem with the same symptoms on developer.apple.com. In my case, I have multiple "teams," so after entering in my Apple ID, it takes me to a team selection page. After selecting a team, I'd just be redirected back to the login/Apple ID page.
Turns out, the login is done over HTTPS, while the team selection (and probably the bulk of other activities on developer.apple.com) are over HTTP. Our firewall load balances over a couple of Internet connections, and the HTTPS traffic was passing over a different interface than the HTTP. Evidently, this was confusing Apple's authentication mechanism. It also explains why I was occasionally able to get through -- sometimes all traffic would end up on the same interface.
Ultimately, my solution was to add a rule to the firewall to send all 17.0.0.0/8 traffic (Apple's legacy class A network) over the same interface.
Hopefully this helps someone else with a frustratingly endless login loop.

Related

'.AspNetCore.Correlation....' cookie not found

Apparently there are a lot of people having this problem, but none of the scenarios seem to be exactly what I'm experiencing. I'm using Azure AD B2C with HTTPS. I can consistently create the problem, but am at a loss to know how to fix it.
Recreating the problem:
Make sure to be logged out.
Go directly to a link in the site. This will bring up the login screen. After successful login, the user should be taken to the page in question.
Hit the "Back" button. This brings up the error, and the user will be at https://domain/MicrosoftIdentity/Account/Error.
I've tried every combination/permutation of cookie policies I can think of, but to no avail.
If I can't solve the problem, perhaps someone could tell me how to redirect https://domain/MicrosoftIdentity/Account/Error to https://domain/MicrosoftIdentity/Account/SignOut, thereby simply forcing a logout. I'd be satisfied with that.
What this really is:
From an authentication/application's perspective this behavior is correct. Let me clarify. I bet the following is something almost every internet user has experienced:
You submit a form, click on the back button and this alert pops up, asking you to 'resubmit the form'?
When you clicked back in the browser it simply executes the exact same request that you did earlier. Not a big deal in HTTP-GET requests, but kind of a pita in POST-requests because it can potentially cause duplicate data or worse. Or in this case, you run into security measures preventing the (ab)use of one-time tickets.
Although the behavior is correct, I understand that your client's perception is that the app must simply be broken.
The solution, or preventive measure:
To be clear, I haven't actually tried this and this is more of a 'could-possibly-work' answer in the case of AzureAD B2C.
Nevertheless, I think you might be able to circumvent this perceived problem through:
Implementing a POST-redirect-GET pattern inside your application so that you point the redirect URI of the B2C tenant to an endpoint inside your application and when the request comes in, simply redirect the request to a GET method.
Hopefully this helps, but in case you want a more definitive answer try searching Google for the pattern or maybe someone else here knows about a working solution and wants to contribute to this post in the comment section or provide an answer. Either way, good luck!
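The one-time check described in the answer above, as an added example that is not part of the original post and not ASP.NET Core's own code: a simplified Python model in which the callback consumes a correlation cookie, so the request re-sent by "Back" is rejected while the redirected GET stays repeatable. The cookie prefix, paths and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # server-side signing key, generated for this example
COOKIE_PREFIX = "corr."         # hypothetical stand-in for '.AspNetCore.Correlation.'


def sign(value: str) -> str:
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()


def begin_login(cookies: dict, return_url: str) -> str:
    """Start a sign-in: set a one-time correlation cookie and return the state."""
    corr_id = secrets.token_urlsafe(16)
    cookies[COOKIE_PREFIX + corr_id] = "N"
    payload = f"{corr_id}|{return_url}"
    return f"{payload}|{sign(payload)}"


def callback(cookies: dict, state: str) -> tuple:
    """Handle the identity provider's POST back to the application."""
    payload, _, mac = state.rpartition("|")
    if not hmac.compare_digest(mac, sign(payload)):
        return 400, "state tampered"
    corr_id, _, return_url = payload.partition("|")
    # pop() is what makes the ticket single use: a second callback finds nothing.
    if cookies.pop(COOKIE_PREFIX + corr_id, None) is None:
        return 400, "correlation cookie not found"
    cookies["session"] = secrets.token_urlsafe(16)
    return 302, return_url      # POST-redirect-GET: answer the POST with a redirect


def get_page(cookies: dict, path: str) -> tuple:
    """An ordinary authenticated GET, safe to repeat."""
    if "session" not in cookies:
        return 401, "login required"
    return 200, path


def demo() -> list:
    browser = {}                                  # constructed browser cookie jar
    state = begin_login(browser, "/orders/42")
    first = callback(browser, state)              # genuine callback
    landing = get_page(browser, first[1])         # follow the redirect
    replay = callback(browser, state)             # what "Back" re-submits
    reload_page = get_page(browser, "/orders/42")  # repeating the GET is harmless
    return [first, landing, replay, reload_page]
```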

Is there a solution to bypass Captcha verification to access sites? [duplicate]

I want to log in to a WordPress site. When I try to access the login page of the WordPress site, it tells me "Checking your browser before accessing". Why do I see the link "DDoS Protection by Cloudflare"? Additionally, a CAPTCHA is required to access this site. How can I bypass CAPTCHA verification in order to access sites? Here are the image links:
https://i.stack.imgur.com/Ju3f7.png
https://i.stack.imgur.com/Vrhi4.png
Ways to bypass captcha which come to my mind:
Talk to the people who run the site or service in question, if you have a good reason to get an exception based on IP or similar.
Use some code to automatically solve the captcha for you. Often a captcha is simple enough to be solved by some simple algorithm.
If none of the above works (which I think is your case), create porn site where users need to solve captchas to see the content. Make a system which automatically reroutes captchas annoying you to users who want to watch porn. If done properly, all works as charm.
PS: Actually captchas are there for a reason and usually it is not nice to cheat here, but I explained how it is technically possible. Do not judge me for not judging others on this. SO asked me to be nice to newcomers.
PS2: Avoiding, breaking or otherwise messing with access control security can be illegal in some jurisdictions, especially if it causes harm to the site by overloading it and thus making it unavailable. For a techie this may look stupid, but sometimes things go this way in the real world.
That is because your IP address is suspicious!
Cloudflare detects your IP address as a potential bot or other malicious software.
Don't worry! Usually your IP address will change after a while (24 hours or so).
In the meantime you can use another network to access the site or use a VPN service to change your IP address (a VPN extension will be the best choice in your case).

googleads.g.doubleclick.net Asking for Username and Password

Today, out of the blue on the google page, a window popped up asking me for my username and password. It didn't say what it was for, just googleads.g.doubleclick.net. It then happened on my phone which is linked to the same account. I was wondering if anyone else has had this issue and if anyone could help me. I am really worried. Thanks.
Others have seen it. I did, when I opened Google Chrome. I was just on the new tab page, not even an actual website! Many people seem to have encountered this in the past 24 hours:
https://security.stackexchange.com/questions/127667/what-should-i-do-about-gmail-ad-asking-me-for-password
https://superuser.com/questions/1092011/firefox-googleads-g-doubleclick-net-basic-authentication-prompt
https://nz.answers.yahoo.com/question/index?qid=20160621202130AAxY0F2
https://steamcommunity.com/discussions/forum/11/358415738179518104/
https://productforums.google.com/forum/#!msg/chrome/Rt3zSPiSyHk/zdB52fBqAQAJ
http://forums.windowscentral.com/windows-10/429066-edge-wants-me-login-googleads-g-doubleclick-net.html
https://techreport.com/forums/viewtopic.php?f=1&t=118101
https://forums-windowscentral-com.blogspot.com/2016/06/edge-wants-me-to-login-to.html
The best response I've found is over on the security stack exchange:
https://security.stackexchange.com/a/127668/43188
To summarize, yesterday, googleads.g.doubleclick.net (a Google domain that serves ads) either was briefly compromised by an attacker seeking people's passwords, or a Google engineer messed up and it's a result of a mistake in their servers.
The answer on the security stack exchange suggests changing your password, even if you didn't fill it in the popup. They suggest this because, if it's an attack, and the attacker is able to create the popup, they could have added malicious code you didn't see.
Also, though in principle I'm not a fan of ad blocking, I've recently realized it's probably necessary these days for security. This incident only demonstrates this. I recommend uBlock Origin, but Adblock Plus is also popular.

IE11 intermittently not loading pages

Many of our users are reporting that they are getting a blank page when using IE11 to access our website. Sometimes they don't even get a blank page, the browser just stays on the last page visited. These users can access other domains (such as google.com) without a problem.
For the browsers that are failing, if those users disable Protected Mode in IE, then they can again access our site, but this isn't a good solution because we have thousands of users and we can't go telling each of them to reconfigure their browsers, not to mention that we're completely losing the business of those potential customers who just surf by, see a blank page, and then keep on going without filing an error report.
Firefox and Chrome work fine. Also, even when using IE11 in protected mode, some users have zero problem, their computers just seem to work.
We are running the site off of IIS7. Other sites on the same server run fine, it's just the one particular site that is having the problem, and it's intermittent, affecting some computers and not others.
There must be something I can do on my side in the server or network settings to keep this problem from happening, but I'm baffled as to what it might be. When I look at the network traffic on a browser that's failing, the GET request is just being aborted with no explanation. When looking at the traffic with Wireshark, I see no errors, and no errors are showing up in the IIS logs. Of the browsers that fail, they are not even opening a connection to our web server to make a GET request, the request is just aborting immediately.
Any advice appreciated!
(followup): Another test we did: We can reproduce the problem on our development server, with the same pattern of which computers "work" and which don't. We tried turning off the webserver, and the problem stayed consistent, we'd still get a blank page error. So it's obviously not to do with anything that's in our page content? I've run tests on 9 computers on our office network: 5 worked, 4 failed. We're all baffled. :/
(January 24 followup): We figured out what's causing the problem, but not how to fix yet. Deep in the Windows registry, a key is being set in a Zonemap folder, adding a "play.net" domain with a key value of 2. IE sees that key when someone types play.net, and quivers and dies without an error message (Firefox and Chrome handle it fine).
So next question, what is setting that key in the first place? Probably an ActiveX control somewhere, but we haven't had any luck finding it in this 15 year old site, as many of the coders who may have created ActiveX controls in the past are long gone.
Does anyone know of a way to scan an entire domain and list anything that might be twiddling a registry key?
Followup mail threads from Elonka indicated that some users had the play.net domain mapped to a specific / non-default Internet Explorer security zone, and those users were the ones having problems.
Try adding
<meta http-equiv="X-UA-Compatible" content="IE=10" />
into the header. It fixed IE11 for my website. It just forces it into IE10 mode (A complete joke though)
I accessed your domain in Internet Explorer 11, with Protected Mode enabled. I was unable to get a fully broken experience, but I did see something perhaps related to what your customers are experiencing. Some directories on your domain would hang for me, resulting in a white screen if they've not yet been loaded, or staying on the present page while the forthcoming page is loaded.
When I navigated to /dr, I found that my browser hung for over 7 seconds while your files loaded. Note, there were roughly 60 items, totaling about .78mb. This isn't much, but I'm presently on a relatively slow connection, and this resulted in a hang for me.
I would inquire what connection speeds your clients are on when experiencing this issue - it could very well be nothing more than some directories being served up more slowly than others. Regardless, you could optimize the experience considerably by compressing and concatenating your CSS files, as well as all of your JavaScript files. This results in fewer parallel requests, and quicker downloads.
If you have a reproducible example, please feel free to share and I'm sure myself and many others here will be more than happy to assist you.
For me, box-shadow on an element caused this behavior. I removed the box-shadow (but left -webkit-box-shadow and -moz-box-shadow) and the problem disappeared. The interesting thing is that I still have box-shadow on another element...
If you are using 'offline.js' in your project, and you have a version lower than 0.7.19, then IE11's latest security update will see this code as a potential security threat and block pages which are using 'offline.js' code.
Solution: Update to latest 'offline.js' version.

Keep track of a user 100% sure

I am trying to ban users that spam my service by logging their IP and blocking it.
Of course this isn't safe at all, because of dynamic IP addresses.
Is there a way to identify a user that's 100% safe?
I've heard about something called evercookie, but I was easily able to delete that, and I guess that anyone capable of changing their IP can also keep their PC clean.
Are there any other options? Or is it just not possible?
A cookie will prevent the same browser from visiting your site as long as the user doesn't delete it, or turn off cookies, or use a different browser, or reinstall their browser, or use another machine, etc.
There is no such thing as 100% safe. Spam is an ongoing problem that most websites just have to learn to deal with.
There are numerous highly secure options, mostly relying on multi-factor authentication and physical key generators like the ones RSA markets. But the real question is an economic one. The more draconian the authentication mechanism, the more quickly you kill your website as you scare off all your visitors.
More practical solutions involve CAPTCHA, forum moderation, spam-reporting affordances, etc. One particularly effective technique is to block offending content from every IP address except the one that originated it. That way, the original spammer thinks their content is still there, oblivious to the fact that no one else can see it.
Alright I get that it's impossible to 100% identify a unique visitor.
What are the things that I could do to:
- find whether someone (anonymous) is using lots of different proxies to see my content (problem here is that cookies would land on the machine of the proxy, and not the actual visitor's PC?)
- identify unique (anonymous) visitors with a dynamic IP