Why would .htaccess fire twice in IE when downloading a protected XLS file? - apache

Certain directories are protected by Basic Auth using a .htaccess file on an older Apache 1.x server. Today a user pointed out that the username/password was requested twice for the file he had just posted - once when entering the directory to see the index, and then AGAIN when downloading the file. Finding this odd, I researched the usual problems with double-firing .htaccess authentication:
server name (http://server vs. http://www.server)
trailing slash (http://server/somedir vs. http://server/somedir/)
http vs https
No luck. Add to the confusion that Firefox/Chrome/Safari don't ask twice - only IE (6 and 7). Further investigation showed that this doesn't happen with PDF files - only Excel files - even blank ones.
Is Excel calling back to the server somehow that requires a second authentication? Why does it only happen in IE?
Not critical - but I'm very curious what could be causing this.
EDIT - I think bmdhacks nailed it. Watching the network traffic, Excel+IE fires back a second request with a different User-Agent called "Microsoft Protocol Discovery".

I'm not sure about Excel, but Windows Media Player has a special interaction with IE where when IE requests a file with a MIME type that Windows Media Player owns, instead of handing the downloaded file over to WMP, it instructs Windows Media Player to download the file itself. This could result in requesting the file twice, once for IE to ask for the file, and a second time when WMP downloads it.
It's possible that Microsoft uses this mechanism in other products like Excel too. You might be able to discover this by looking at the User-Agent header submitted in the second request. In the Windows Media case, it actually changes from IE to WMP's User-Agent on the second request.
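One way to run the check suggested in the answer against an access log, as an added example that is not part of the original thread: it flags a 401 that follows, within a few seconds, a successful authenticated request from the same host under a different User-Agent. The log lines are constructed, the combined log format is assumed, and the function names and the 5-second window are hypothetical choices.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not from a real server); the second agent string is
# the one quoted in the question's edit.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:15:01 +0000] "GET /reports/ HTTP/1.1" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - alice [12/Mar/2009:10:15:09 +0000] "GET /reports/ HTTP/1.1" 200 1204 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - alice [12/Mar/2009:10:15:20 +0000] "GET /reports/q1.xls HTTP/1.1" 200 13824 "http://server/reports/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [12/Mar/2009:10:15:21 +0000] "GET /reports/q1.xls HTTP/1.1" 401 401 "-" "Microsoft Protocol Discovery"
10.0.0.9 - bob [12/Mar/2009:10:16:00 +0000] "GET /reports/q1.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U) Firefox/3.0"
"""

def parse(log_text):
    """Yield one dict per parseable log line, with a datetime under 'when'."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_agent_switches(log_text, window_seconds=5):
    """Return (host, path, first_agent, second_agent) for each 401 that follows an
    authenticated 200 from the same host, under another agent, within the window."""
    findings, last_ok = [], {}
    for rec in parse(log_text):
        prev = last_ok.get(rec["host"])
        if (rec["status"] == "401" and prev
                and prev["agent"] != rec["agent"]
                and rec["when"] - prev["when"] <= timedelta(seconds=window_seconds)):
            findings.append((rec["host"], rec["path"], prev["agent"], rec["agent"]))
        if rec["status"] == "200" and rec["user"] != "-":
            last_ok[rec["host"]] = rec  # remember the last authenticated success
    return findings

if __name__ == "__main__":
    for host, path, first, second in find_agent_switches(SAMPLE_LOG):
        print(f"{host} {path}: '{first}' then 401 for '{second}'")
```

A hit means the extra prompt comes from a second client component that does not reuse the browser's cached Basic Auth credentials, rather than from a host name, trailing slash or scheme mismatch.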

Related

Proper configuration of CORS to stop PDFs from opening in Web browser

My server has links to other servers. I have a relationship with the managers of those servers. I want to be sure that links to PDF files make the client Browser prompt the user to SAVE the file, not to have the file open directly in the Web browser. I don't believe I need to change the HTTP Headers on my server, I need to ask the admins on the associated servers to change THEIR HTTP headers to "allow cross origin" when they receive requests from my site as the "referrer". Is this correct? It's not easy to get this answer, lots of examples to this type of query talk about "go to your Browser settings and change how PDFs are handled", but I need a solution that, apart from users who HAVE set their Browser as their OS default PDF viewer, the PDF files will download to be opened in a sophisticated and powerful PDF renderer.
Tried some experiments on two servers I have direct control over, it seemed to work, but now need to engage with other server admins and I want to be sure I'm asking them to alter their HTTP config header without bothering them excessively: I don't want to have to do a lot of "experiments" with them, I want to be confident that what I'm asking them to do or change is correct.

Uploaded file is not visible in browser unless I force no cache browser reload

I am facing a weird issue with file uploads. When I upload a new file to a publicly visible folder, I can see it instantly in anonymous mode. But if I try to access it in non-anonymous mode, the server responds with 404 unless I do a hard refresh (i.e. Ctrl + F5 for Mozilla).
I have already disabled cache control headers for that folder in Apache, but that did not seem to resolve the issue. It seems to me that Apache is storing information that "there is actually no file at requested url" and serves it to the user unless the user clears the cache, even if the file is uploaded at that location. Has anyone run into a similar issue in the past?
By default, most browsers cache images, styles and scripts automatically. The easiest way to bypass this for development environments is to set the caching headers detailed here
Another common way to bypass caching is to set a random query parameter (usually ?v=<random value here>).
Chromium based browsers also have a disable cache option in the dev tools

MS Edge: Opening the developer tools panel causes all http requests to occur twice

Using MS Edge and apache w/ php, I just discovered via access.log that when I have the JavaScript debug panel (i.e. developer panel) open, it is making every http call twice. When I closed this panel, it has fixed the issue of all insert statements getting called twice.
Question: Does this doubling of http calls happen on every / most browsers that I need to look out for, or is this something special/unique with MS Edge?
I can't speak for all browsers and all developer tools. But, for IE and Edge the first time you open the tools and then open a JS file in the sources view it will try to request the file again. That request will be served from the local browser cache, sometimes not, depending on the cache settings for the file being requested.
The reason browser tools need to make this request is that browsers will often throw out the original source file, as they don't need it to execute the page once the source has been parsed into something else that they can work with.
However, after you've opened the developer tools the browser will keep around sources in future navigations, either in the tools front end or elsewhere. Not keeping sources is an optimization for the first time use case, to save browsers keeping around source on the very low odds of the tool being used on any given navigation.
Of course some files are never cached by the browser and will need to be downloaded when requested by the tools, for example sourcemapped files.
In general any resources on your site that can be accessed by HTTP GET should be idempotent. That is, a GET shouldn't change the resource being requested (or generally the state of your site), so hopefully making additional requests shouldn't be an issue.

Issues with Adobe Acrobat

We have some users who are using Adobe Acrobat to edit .pdf files over WebDAV. There are a couple of issues that we are experiencing.
The acrobat client seems to be very chatty. We get multiple PROPFIND calls before the first GET. To edit even the simplest pdf takes ~11 secs. due to all these calls which includes PROPFINDS & OPTIONS, a LOCK, GET, PUT, UNLOCK and frequently a pair of MOVE/DELETE commands.
When the user eventually saves then closes the document and immediately reopens the document, their changes do not appear to have saved. If they wait for about 30 seconds (possibly less) before they reopen the document the changes do show up so there appears to be some type of caching going on, but our website (asp.net) has output caching turned off.
Sometimes the users get an error of 109 saying the document could not be saved. This appears to be coming from Adobe Acrobat because we don't see errors in the log, however it could be related to #1 above where the MOVE/DELETE has been issued and enough time has not passed.
My questions are therefore
Have you tested/used Acrobat for editing pdfs?
If so did you have these issues?
Is there a setting in the WebDAV engine that allows you to turn caching off or does it use the underlying IIS settings?
I guess you are using Microsoft Mini-redirector driver (Windows Shell, WebDAV client provided with Windows) to open and edit documents.
This is specific to Mini-redirector; sometimes it traverses folders and submits other unnecessary requests.
Regarding performance. This may be caused by proxy settings. Please see "Long Delays When Connecting and Browsing WebDAV Server" section here.
This is typically caused by the Mini-redirector cache. As far as I know there is no documentation about how to disable the cache in Mini-redirector. There is no real solution for this, you just need to wait for some time until the client cache invalidates.
The server Engine itself does not have any caching options. It just processes the WebDAV request and generates a response. It is also independent of the hosting environment and its settings, such as IIS, HttpListener, etc.
Please examine the WebDAV log file WebDAVLog.txt. By default it is located in \App_Data\WebDAV\Logs. Are there any exceptions in it?

Preventing direct access to files in IIS 7

I have a PHP application running on a Microsoft IIS 7 server. The application shows PDF files in an iFrame, which contain users' sensitive data that I wouldn't like to be directly accessed by anyone that knows the file address.
So basically, I'm looking for a way to protect files from direct browser access or download, but still be able to show it on the application's iFrame.
I did some research with Rewrite rules, but since the "HTTP_REFERER" of an iFrame is empty, I couldn't find a good solution.
Any suggestions for this?
Thanks in advance
Without seeing any of your code, or how your application works, I can only give suggestions based on how I think your app works.
Rather than showing the files themselves, with links directly to those files, you should consider changing your application so that the PHP reads in the directory, displays the file names (however you want them to appear), with links that go to a download.php page. The download page (after checking whether the user has permission to download the file) then loads the file into memory and serves it out as a response (with appropriate Content-Disposition and Content-Type headers).
Since your PHP application can read files directly within the web directory, you can set up rewrite rules to prevent accessing those files from the web; that way, the files can only be accessed by the PHP application, which doesn't rely on rewrite rules to access the drive.
This is how places like Source Forge can display an advertisement with a countdown that your file download will begin in 5 seconds.
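The checks a gateway like the download.php described in this answer has to make, as an added example that is not part of the original thread and is written in Python rather than PHP. The function name `serve_download`, the `permissions` mapping and the sample store are hypothetical, and `inline` is used for Content-Disposition on the assumption that the PDF should still render in the application's iFrame.

```python
import mimetypes
import os
import tempfile

def serve_download(store_dir, permissions, user, requested_name):
    """Return (status, headers, body); permissions maps user -> permitted file names."""
    # Accept a bare file name only; anything carrying a path component is refused.
    name = os.path.basename(requested_name)
    if name != requested_name or "\\" in name or name in ("", ".", ".."):
        return 400, {}, b""
    # Authorisation is decided before the file system is touched.
    if name not in permissions.get(user, set()):
        return 403, {}, b""
    root = os.path.realpath(store_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Defence in depth: a symlink inside the store must not lead outside it.
    if os.path.commonpath([root, path]) != root:
        return 403, {}, b""
    if not os.path.isfile(path):
        return 404, {}, b""
    with open(path, "rb") as fh:
        body = fh.read()
    headers = {
        "Content-Type": mimetypes.guess_type(name)[0] or "application/octet-stream",
        # "inline" lets the PDF render in the iFrame; "attachment" would
        # force a save dialog instead.
        "Content-Disposition": f'inline; filename="{name}"',
        "Content-Length": str(len(body)),
        "Cache-Control": "private, no-store",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body

def demo():
    """Exercise the gateway on a constructed store; returns (statuses, first_headers)."""
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, "statement.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample")
        acl = {"alice": {"statement.pdf"}}  # constructed ACL
        cases = [("alice", "statement.pdf"), ("bob", "statement.pdf"),
                 ("alice", "../web.config"), ("alice", "missing.pdf")]
        results = [serve_download(store, acl, u, n) for u, n in cases]
    return [r[0] for r in results], results[0][1]

if __name__ == "__main__":
    print(demo())
```

With the store directory blocked from direct web access, this function is the only route to a file, so the per-user check cannot be bypassed by guessing the file address.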