I am using guard for user authentication, login is handled by html fetch api.
If login is successfull I get token for js auth to api, but I want after page update user to be logged in, but it's not.
In response I see set cookie for PHPSESSID and REMEMBERME but it's look like this cookie is not persisted.
I'm not sure, where can be problem, it looks like guard make his work just fine.
request is not cross-domain.
request headers:
GET /login/check-facebook?code=xxx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
accept: application/json
content-type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
x-api-token: anon.
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en,cs;q=0.8,en-US;q=0.6
DNT: 1
response headers:
HTTP/1.1 200 OK
Server: nginx/1.8.0
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.16
Set-Cookie: PHPSESSID=xxx; path=/; HttpOnly
Cache-Control: no-cache
X-Debug-Token: edb1db
X-Debug-Token-Link: /_profiler/edb1db
Date: Tue, 12 Jan 2016 15:12:32 GMT
Set-Cookie: REMEMBERME=xxx; expires=Tue, 19-Jan-2016 15:12:32 GMT; Max-Age=604800; path=/; httponly
Firewall:
main:
provider: db_provider
stateless: false
remember_me:
secret: "%secret%"
lifetime: 604800 # 1 week in seconds
path: /
always_remember_me: true
pattern: ^/
anonymous: ~
logout: ~
guard:
authenticators:
- authenticator.facebook
- authenticator.email
entry_point: authenticator.facebook
Fount it.
In fetch api option credentials: 'same-origin' must be set.
Similar thing must be send with jquery or xhr. withCredentials: true
Related
I have added a custom login handler for Github:
const handleLoginGithub = (
params: LoginGithubParams,
errorCallback?: ErrCallbackType
) => {
axios
.get(authConfig.loginGithubEndpoint, { params })
.then(async (res) => {
/*window.localStorage.setItem(
authConfig.storageTokenKeyName,
res.data.accessToken
)*/
const returnUrl = router.query.returnUrl
setUser({ ...res.data })
await window.localStorage.setItem('userData', JSON.stringify(res.data))
//router.replace('/home')
})
.catch((err) => {
if (errorCallback) errorCallback(err)
})
}
There is no redirect from localhost to 127.0.0.1, but it will happen, do you know why?
This is the HTTP message that gos to our backend:
GENERAL:
Request URL: http://localhost:3000/api2/gh-auth-complete?code=f87f5157cbf035a73a50
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:3000
Referrer Policy: strict-origin-when-cross-origin
RESPONSE HEADER:
connection: close
content-length: 681
content-type: application/json; charset=utf-8
date: Sun, 09 Oct 2022 22:18:31 GMT
set-cookie: vapor-session=ReDSKZniIFtUqq0kThCkLbBe7vBoCpzpCUWqooA6xYQ=; Max-Age=31536000; Path=/; Secure; SameSite=Lax
Vary: Accept-Encoding
REQUEST HEADER:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Host: localhost:3000
Referer: http://127.0.0.1:3000/
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
The reason why I am asking is, that in dev environment cookie will not be stored if it happens.
I want to include an iframe of an other website.
I simply add some HTML in a wordpress page :
<iframe src="https://www.website.com/page.htm" height="2000"></iframe>
It works very well when i'm logged as an admin in wordpress.
But when i try in incognito mode like a normal visitor i can't see the iframe due to CSP protection. I have this errors :
Refused to display 'https://www.website.com/page.htm' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.website.com".
about:blank:1 [Report Only] Refused to display 'https://www.website.com/page.htm' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.website.com".
So my question is, why it works as an admin and not as a normal visitor ?
How can i make it works in both cases ?
Thanks
Edit with the Headers of both versions
Header when i'm logged as an admin
* General *
Request URL: https://www.website.com/shop.htm/
Request Method: GET
Status Code: 200 OK (from disk cache)
Remote Address: 193.164.196.82:443
Referrer Policy: no-referrer-when-downgrade
* Response Headers *
Cache-Control: public
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Security-Policy-Report-Only: object-src *.website.com; frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Mar 2020 11:33:36 GMT
ETag: W/"1eea0-VxHcir7eEw4/DKj9v65JMo5WtVk"
Expires: Thu, 05 Mar 2020 11:43:36 GMT
Vary: Accept-Encoding
X-DataDome: protected
X-Protected-By: Sqreen
* Request Headers *
GET /shop.htm/ HTTP/1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Sec-Fetch-Dest: iframe
Referer: https://mainwebsite.com/
Header when i'm not logged
* General *
Request URL: https://www.website.com/shop.htm/
Request Method: GET
Status Code: 200 OK
Remote Address: 193.164.197.82:443
Referrer Policy: no-referrer-when-downgrade
* Response Headers *
Cache-Control: public
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Security-Policy-Report-Only: object-src *.website.com; frame-ancestors *.website.com; report-uri https://api.website.com/api/csp-report/v1/report/;
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Mar 2020 11:13:20 GMT
ETag: W/"1eea0-v04Wc+e633BYpAYDMk+pKbQ2M98"
Expires: Thu, 05 Mar 2020 11:23:19 GMT
Set-Cookie: datadome=OkladZXCp6qUlASDoPL-ilsKk1AqD_IWp4LCaQQvFHI3g4Hg~cA1OMfcUALlb-_mpwd844GnUmTU6QUXMStSPePr5U~3mMOlX8hY_gstZA; Max-Age=31536000; Domain=.website.com; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=15768000
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-DataDome: protected
X-Protected-By: Sqreen
* Request Headers *
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Connection: keep-alive
Host: www.leboncoin.fr
Referer: https://mainwebsite.com
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
The big difference seems to be it generates a cookie when i'm not logged as an admin.
Set-Cookie: datadome=OkladZXCp6qUlASDoPL-ilsKk1AqD_IWp4LCaQQvFHI3g4Hg~cA1OMfcUALlb-_mpwd844GnUmTU6QUXMStSPePr5U~3mMOlX8hY_gstZA; Max-Age=31536000; Domain=.website.com; Path=/; SameSite=Lax
Strict-Transport-Security: max-age=15768000
I want to model the following HTTP Request in openAPI3:
POST /users HTTP/1.1
Host: 10.65.1.70:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: de-AT,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.65.1.70/sites/config-sites/user-config.html
Content-Type: application/json
Authorization: Bearer ...
Origin: http://10.65.1.70
Content-Length: 42
Connection: keep-alive
DNT: 1
{"name":"openAPITest","password":"noPassHere"}
I currently have this:
/users/:
post:
summary: adds user
parameters:
- name: name
required: true
in: header
schema:
type: string
- name: password
required: true
in: header
schema:
type: string
responses:
"201":
description: OK
"400":
description: Wrong Format
What I'm missing is a way to correctly pass the login information.
Here's how I did it in the end:
paths:
/login:
post:
summary: login credentials
requestBody:
required: true
content:
application/json:
schema:
type: string
example:
{"name":"openAPITest","password":"noPassHere"}
Note that openAPI automatically escapes the " " in the provided json
I have ASP.NET application, which is perfectly works on development environment. Login works on Firefox, IE and Chrome.
Requests in Firefox in development env looks like:
POST Request:
POST /MyServiceName/Account/Login?ReturnUrl=%2FMyServiceName%2F HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/MyServiceName/Account/Login?ReturnUrl=%2fMyServiceName%2f
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=bQmz8xMlE-u9e0iKr3vtXpCDqo8FpQkcgPzN3cdw2xp73M8SoV_WTwFG5IIY1JEQlHJ-ZHd8h5z_f75FO4nkEcGRhP6e9HBE64rjsGCEVV81
Connection: keep-alive
Upgrade-Insecure-Requests: 1
And Response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /MyServiceName/
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
Set-Cookie: .ASPXAUTH=7D3D9E88072745F5AD2B5FCE038F0A794EF6590F9877A65255A63F124CE4FC3EE0309A03F3ACE9C7C5C39E51050F4009A32558D0FE94F673D7B8D5FEA6E6E2E22BEFF862255B50DFC9B6AC2637C8F04918ECCAD0DD63B29CFCD8B4E9BA4DD898C35C7F7CA8E3BB33DA943CD4A45D80F4F24A1E9EF01829B7258C9195FC977B96; expires=Fri, 28-Sep-2018 09:05:12 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 28 Sep 2018 08:35:12 GMT
Content-Length: 128
But when I deploy my service into real server, login in with any browser except Chrome does not work.
Requests in Firefox in real server:
Remote host POST Request:
POST /MyServiceName/Account/Login?ReturnUrl=%2FMyServiceName HTTP/1.1
Host: remhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=%2fMyServiceName
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=-JG3IFQhCVjOuL_SIf7QD0ot7Fc_Fy9lb8Lii_VkLzGKGWswkOPfG-ZQtxijlFYhDO7jAMRiRcatHWcdlBRw7RXVzkdu5864rWiLNWGHc7KSUwgtwA-W_lJHVm-EmKW9v1zEgESa0oQKZ37i9mHC6g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=nAHU2cD63KJZIjm3a8LHUYlZpQ9YChmou1E1pvMfI5xmQl2iqgbJ9x9iCuTH0lDlmAqoqFd5_bnPS3FsUVkNYwYRcLt-WJozs0kWt_jn0fM1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
And Response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /MyServiceName
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: .ASPXAUTH=BD46865424CAA946E4AF046436F14C10841E64596BDF9125E721000DA2056C5613D914985ED65A1F3ADF65A322D93156559D2F4B02DFB2F3D4C8CCC5837C90CE29825E578FBA2B5E2B1F6E06DC259FC60210C1DA31A44F861476D49A6FFE318474FEE116867B58898357335914B1E8AD65DFEF8223DABDBB07D7ECBAB990D976; expires=Fri, 28-Sep-2018 07:53:36 GMT; path=/; HttpOnly
Date: Fri, 28 Sep 2018 07:23:36 GMT
Content-Length: 130
GET Request on Firefox:
GET /MyServiceName HTTP/1.1
Host: remhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=%2fMyServiceName
Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=-JG3IFQhCVjOuL_SIf7QD0ot7Fc_Fy9lb8Lii_VkLzGKGWswkOPfG-ZQtxijlFYhDO7jAMRiRcatHWcdlBRw7RXVzkdu5864rWiLNWGHc7KSUwgtwA-W_lJHVm-EmKW9v1zEgESa0oQKZ37i9mHC6g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=nAHU2cD63KJZIjm3a8LHUYlZpQ9YChmou1E1pvMfI5xmQl2iqgbJ9x9iCuTH0lDlmAqoqFd5_bnPS3FsUVkNYwYRcLt-WJozs0kWt_jn0fM1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
GET Response on Firefox:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /MyServiceName/Account/Login?ReturnUrl=%2fMyServiceName
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 28 Sep 2018 07:46:51 GMT
Content-Length: 170
Google Chrome for remote server:
POST Login:
curl 'http://remhost/MyServiceName/Account/Login' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Origin: http://remhost' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Save-Data: on' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=%2FMyServiceName%2F' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7' -H 'Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=UcVwtESdo2tT8Uy1opbJpVpDdpBOTYmNXRi0dyW7ubyd529sme8yJ23vQQX4aQlM02NVTMoBowsD4Uzbpydnq_rgd8I2n-G96I5JQ9xgM2E3cnLVys9RNJtbjLwInu1XKdH2VbkqYIaxXP4mWYT-2g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=RANEaw7GedA6EGEajt9O9rDx3k0SPUuWm-gG-nY_GzlpJyr_odsUU3wN6BorEbAz87_yswgZDS07ihDiuUUZxIAfOFdQA2Ohn7HmrlAz1L41' --data '__RequestVerificationToken=eUURMtLNSgIi4SgyID5CJZchnns9yTjK039Z1FFcA7TAQjjZ1wvblnKeseCe7UJu6zclcA3NgZ2rBZnABMGn54maEDhfe5W-kk-mjGeIGIk1&UserName=user&Password=password' --compressed
Request header:
POST /MyServiceName/Account/Login HTTP/1.1
Host: remhost
Connection: keep-alive
Content-Length: 171
Cache-Control: max-age=0
Origin: http://remhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Save-Data: on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=%2FMyServiceName%2F
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=UcVwtESdo2tT8Uy1opbJpVpDdpBOTYmNXRi0dyW7ubyd529sme8yJ23vQQX4aQlM02NVTMoBowsD4Uzbpydnq_rgd8I2n-G96I5JQ9xgM2E3cnLVys9RNJtbjLwInu1XKdH2VbkqYIaxXP4mWYT-2g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=RANEaw7GedA6EGEajt9O9rDx3k0SPUuWm-gG-nY_GzlpJyr_odsUU3wN6BorEbAz87_yswgZDS07ihDiuUUZxIAfOFdQA2Ohn7HmrlAz1L41
Response header:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /MyServiceName/
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: .ASPXAUTH=33BF43D6803B985EB87EEF8AC1301B63F7A8406ADC73ACED15D3F5737AF883F49D3F64AB979E234A550D554C55B570DAF23AC8FF5A91D8517D70C2E6149341A2DD2F35CFC7B5487141A28099A927C5D971A4C954A2669A8A3E6500E0B762402A366850B5A6F1330740ADB958E43F0044D577AD4E70D517B682AFCA55F9A7482E; expires=Fri, 28-Sep-2018 07:30:09 GMT; path=/; HttpOnly
Date: Fri, 28 Sep 2018 07:00:09 GMT
Content-Length: 131
GET MyServiceName/:
curl "http://remhost/MyServiceName/" -H "Connection: keep-alive" -H "Cache-Control: max-age=0" -H "Upgrade-Insecure-Requests: 1" -H "Save-Data: on" -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" -H "Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=^%^2FMyServiceName^%^2F" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7" -H "Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=UcVwtESdo2tT8Uy1opbJpVpDdpBOTYmNXRi0dyW7ubyd529sme8yJ23vQQX4aQlM02NVTMoBowsD4Uzbpydnq_rgd8I2n-G96I5JQ9xgM2E3cnLVys9RNJtbjLwInu1XKdH2VbkqYIaxXP4mWYT-2g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=RANEaw7GedA6EGEajt9O9rDx3k0SPUuWm-gG-nY_GzlpJyr_odsUU3wN6BorEbAz87_yswgZDS07ihDiuUUZxIAfOFdQA2Ohn7HmrlAz1L41; .ASPXAUTH=33BF43D6803B985EB87EEF8AC1301B63F7A8406ADC73ACED15D3F5737AF883F49D3F64AB979E234A550D554C55B570DAF23AC8FF5A91D8517D70C2E6149341A2DD2F35CFC7B5487141A28099A927C5D971A4C954A2669A8A3E6500E0B762402A366850B5A6F1330740ADB958E43F0044D577AD4E70D517B682AFCA55F9A7482E" --compressed
Request header:
GET /MyServiceName/ HTTP/1.1
Host: remhost
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Save-Data: on
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://remhost/MyServiceName/Account/Login?ReturnUrl=%2FMyServiceName%2F
Accept-Encoding: gzip, deflate
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: __RequestVerificationToken_L00yU3VwcG9ydA2=UcVwtESdo2tT8Uy1opbJpVpDdpBOTYmNXRi0dyW7ubyd529sme8yJ23vQQX4aQlM02NVTMoBowsD4Uzbpydnq_rgd8I2n-G96I5JQ9xgM2E3cnLVys9RNJtbjLwInu1XKdH2VbkqYIaxXP4mWYT-2g2; __RequestVerificationToken_L00yU3VwcG9ydF92Mg2=RANEaw7GedA6EGEajt9O9rDx3k0SPUuWm-gG-nY_GzlpJyr_odsUU3wN6BorEbAz87_yswgZDS07ihDiuUUZxIAfOFdQA2Ohn7HmrlAz1L41; .ASPXAUTH=33BF43D6803B985EB87EEF8AC1301B63F7A8406ADC73ACED15D3F5737AF883F49D3F64AB979E234A550D554C55B570DAF23AC8FF5A91D8517D70C2E6149341A2DD2F35CFC7B5487141A28099A927C5D971A4C954A2669A8A3E6500E0B762402A366850B5A6F1330740ADB958E43F0044D577AD4E70D517B682AFCA55F9A7482E
Response header:
HTTP/1.1 200 OK
Cache-Control: private, s-maxage=0
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 28 Sep 2018 07:00:09 GMT
Content-Length: 4619
Response:
<!DOCTYPE html>
<html lang="en">
<!-- Here is my html when user logged in -->
</html>
The problem seem to be in second GET. On development env it returns status 200 OK, and on real server 302 Found.
Authentication is done thru ASP.NET Simple Membership.
Login POST action:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
string errorMsg = "The user name or password provided is incorrect.";
if (Roles.IsUserInRole(model.UserName, "Disabled"))
{
errorMsg = "Your account has been disabled. Contact administrator for more info.";
}
else if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, true))//persistCookie: false))
{
accountService.AddLogin(model.UserName);
return RedirectToLocal(returnUrl);
}
// If we got this far, something failed, redisplay form
ModelState.AddModelError("", errorMsg);
return View(model);
}
private ActionResult RedirectToLocal(string returnUrl)
{
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
I have checked login status from server database. The user login was done correctly, and user status is logged in, though Firefox still displays login page as if user is not logged. I think the problem is in redirection somewhere.
Any ideas why? The web.config file is same except database connection settings on both systems. it's same ISS 7.5 on both computers. So what else might be the reason?
One more interesting thing. From the same remote computer where service is run Firefox also works OK. So My problem for remote sessions only.
UPDATE:
Seems I found the root cause here. But I have no idea yet how to fix it in scope of my code
If the third does not have time to finish before redirect, it might be so, that only remote sessions fail. Agree?
In web.config I have:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" cookieless="UseCookies" timeout="30" slidingExpiration="true" />
</authentication>
From you web config <authentication mode="Forms">, I can deduct you are using forms authentication.
Try these two things:
Set up default url in forms authentication setting like :
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" cookieless="UseCookies" timeout="30" slidingExpiration="true" defaultUrl="~/Home/Index"/>
</authentication>
For redirecting after authentication, instead of using return RedirectToAction("Index", "Home"); or return Redirect(returnUrl);
use FormsAuthentication.RedirectFromLoginPage method like:
if (Membership.ValidateUser(userName, password) == true)
{
FormsAuthentication.SetAuthCookie(userName, false);
FormsAuthentication.RedirectFromLoginPage(userName, false);
}
It Redirects an authenticated user back to the originally requested URL or the default set in the config.
For more information & override of this method refer :
Microsoft docs
I followed the link https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication to set up Facebook login.
In the https://developers.facebook.com/apps, the "Valid OAuth redirect URIs" has the following URIs
https://myapp.azurewebsites.net/signin-facebook
https://myapp.azurewebsites.net/.auth/login/facebook/callback
However, the site cannot login - the login page just stays. Type an Url https://myapp.azurewebsites.net/event will always redirect to https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent.
The following is the Net traffic captured by fiddler. It seems the request is denied when GET https://myapp.azurewebsites.net/signin-facebook?code=.... (Response: Location: /Account/ExternalLoginCallback?error=access_denied)
------------------------------------------------------------------
GET https://www.facebook.com/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.facebook.com
Cookie: fr=0RObsAfMX8N2oDE0P.AWUijY5j4ajj3MWCbj2nVPEp4Go.BY9tIg.oW.Fj2.0.0.BY-AuR.AWU2VfKJ; datr=INL2WBkTq1-aa6V7IMJUUMMw; dats=1; sb=JNL2WJ2XCIs_K6QaFHEcvbTM; c_user=100000343225510; xs=251%3A-D7EtOmwXRbYlQ%3A2%3A1492570660%3A12220; pl=n; lu=ggNZWbJ4ElBZhc5tOVdylWWA; presence=EDvF3EtimeF1492652361EuserFA21B00343225510A2EstateFDutF1492652361094CEchFDp_5f1B00343225510F195CC
HTTP/1.1 302 Found
Location: https://myapp.azurewebsites.net/signin-facebook?code=AQC2JMYoeLmJAHtkTiHMTEckID_cdoJZ0eFkuffNCSh-XDzgZWCm-cJbDyIMJaLEa-mLApgU54MoppjOS0CH3b6jWCN-VDXsqq7z-6TALE35OdralWJRFSZQs7k-_4qBk4Vl8HmeW0INO5V4NL9nVU1tlDSqF6PoAN4Dee5DvvJyr_w_-ZE2ZG_dfY5zcq2-G9dNcqVGDs3YWzDQfP3VmWu-4kFZ3YUC8ENfFoUZPw8uvOBGPEgr_92aK8cQJnLXd1k98jCKb-sIzQHB9XCfUFW1QrMeww4EqvTvINl0Pu0O8l--M-zATFoMnQW6et8RRhBarAbmYSVMGCkClEFUDPe9Mcn8-qsFr1WBv4kqtLrnSA&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE#_=_
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v2.8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
X-XSS-Protection: 0
Content-Type: text/html
X-FB-Debug: BOC8IkjZ4va1buTLdHl+OgLKK4ymT3oyi4SALf8bnAQx2MDqHkCvmTGsTMngZazRs0dFZ6SSHYSi0U6mcbaQNw==
Date: Thu, 20 Apr 2017 01:42:19 GMT
Connection: keep-alive
Content-Length: 0
------------------------------------------------------------------
GET https://myapp.azurewebsites.net/signin-facebook?code=AQC2JMYoeLmJAHtkTiHMTEckID_cdoJZ0eFkuffNCSh-XDzgZWCm-cJbDyIMJaLEa-mLApgU54MoppjOS0CH3b6jWCN-VDXsqq7z-6TALE35OdralWJRFSZQs7k-_4qBk4Vl8HmeW0INO5V4NL9nVU1tlDSqF6PoAN4Dee5DvvJyr_w_-ZE2ZG_dfY5zcq2-G9dNcqVGDs3YWzDQfP3VmWu-4kFZ3YUC8ENfFoUZPw8uvOBGPEgr_92aK8cQJnLXd1k98jCKb-sIzQHB9XCfUFW1QrMeww4EqvTvINl0Pu0O8l--M-zATFoMnQW6et8RRhBarAbmYSVMGCkClEFUDPe9Mcn8-qsFr1WBv4kqtLrnSA&state=E4J6p7jhJVr2YT1SYqxzHKoUJ1u04QtfVu8UUtgoRzK8xPfXvHnWSFJE5TGKOn9AoqVQkvGZHzakiNoTme2bQBm27n1riQTPTCLNrIoybUxhV-wXpyUDYrkXVawTs0JMtTOW1UK2gv_1YJ_A9EkbvPSZMXN-NW56vF2lq8d-9iPG7fTv41CGV3-0bVV2dAEW86gyO70VLVdQ5X2byye_XFS3XNkhtVJEbfXio_RMRvE HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: myapp.azurewebsites.net
Cookie: __RequestVerificationToken=49xMNw5ePC60qAaVBtxq5TAbkgpGbkcPyb5OcWmO0CYNstOX7vUQJAST80cvsFM16l0USNgUCr9b5RCn3cnXXlsGhpz33rme4A_HRw1QFNY1; ARRAffinity=f86b281b78014bea7ff499f4d5d3d562aafe8f1cf9e24d7ef4dc3d48d94a9c32; .AspNet.Correlation.Facebook=hcA83RJONYyZTzuT0I3kTRJM6DTK9OUsmmrQKV_mAkU
HTTP/1.1 302 Found
Content-Length: 0
Location: /Account/ExternalLoginCallback?error=access_denied
Server: Microsoft-IIS/8.0
Set-Cookie: .AspNet.Correlation.Facebook=; expires=Thu, 01-Jan-1970 00:00:00 GMT
X-Powered-By: ASP.NET
Date: Thu, 20 Apr 2017 01:42:20 GMT
Startup.Auth.cs:
public partial class Startup
{
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and role manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
// Uncomment the following lines to enable logging in with third party login providers
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
app.UseFacebookAuthentication(
appId: ".....",
appSecret: ".....");
//app.UseGoogleAuthentication();
}
}
Update:
After updated Microsoft.Owin.Security.Facebook, facebook login prompted me to register a new user. However, it still redirect to login page? The following is the http traffic.
POST https://myapp.azurewebsites.net/Account/ExternalLogin?ReturnUrl=%2Fevent HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: myapp.azurewebsites.net
Content-Length: 196
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __RequestVerificationToken=49xMNw5ePC60qAaVBtxq5TAbkgpGbkcPyb5OcWmO0CYNstOX7vUQJAST80cvsFM16l0USNgUCr9b5RCn3cnXXlsGhpz33rme4A_HRw1QFNY1; ARRAffinity=f86b281b78014bea7ff499f4d5d3d562aafe8f1cf9e24d7ef4dc3d48d94a9c32; .AspNet.ApplicationCookie=VkuppVPkn0nPbkYf5aSoSKrYsJVWusdEU4TKvf_bPajqbd7gMexZ4muf43ZnpSOwt9P6L60Lc_7VBWZu8Q41eIN2qw3vmhdcAC3gypOhFrQ57T-ymAyJX838uGjsjE3zw_RlVr1kLbyomB5xFVz5azv3nMCm4DDGadGQTSrPdEOQ54GVTQiDJJ9wi4vAd7Cc96ssc4J4x9HrWRIwdZiorubCJpyd1SUeDd6MkZTQgdxGPR42NBwr1CH7DDymU2fJSMw7Dw6Qi5IDNYwFL32J0rsc_5ji_VxvbUBhJZDFGwOxsQ5cFzm0k-XuqJB5zH1aS-6WvQ97sAbu4kQOt0BCZc3EhBAy9c5gmRmq1HyB-NiDwxhbpcS1e57M_9yNmdh8l9phHpnrthk2JNxzyom1Ni-nTbkbZsFdQ2SwuzuPaKS_R1IvXG57q7GM3QEzzTkjsZmuEPCaP5IvFfjISH8kVFBzCnoCoYkvjTKNsfG05VY
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 0
Location: https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z
Server: Microsoft-IIS/8.0
Set-Cookie: .AspNet.Correlation.Facebook=dfeXeK1QG0fHz_lgWH9nLhCT4Zw0USACEAyA0oAZzZ8; path=/; secure; HttpOnly
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 20 Apr 2017 03:49:27 GMT
------------------------------------------------------------------
GET https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=365322087148601&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2Fsignin-facebook&scope=&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.facebook.com
Cookie: fr=0RObsAfMX8N2oDE0P.AWUijY5j4ajj3MWCbj2nVPEp4Go.BY9tIg.oW.Fj2.0.0.BY-AuR.AWU2VfKJ; datr=INL2WBkTq1-aa6V7IMJUUMMw; dats=1; sb=JNL2WJ2XCIs_K6QaFHEcvbTM; c_user=100000343225510; xs=251%3A-D7EtOmwXRbYlQ%3A2%3A1492570660%3A12220; pl=n; lu=ggNZWbJ4ElBZhc5tOVdylWWA; presence=EDvF3EtimeF1492652361EuserFA21B00343225510A2EstateFDutF1492652361094CEchFDp_5f1B00343225510F195CC
HTTP/1.1 302 Found
Location: https://myapp.azurewebsites.net/signin-facebook?code=AQCGF2xmMpxqeJOvGi0ngPWLVPqxKZL19gdGPeZdYjQ0k6S-Ta_WS0VxOBxR7wcz70IzHkeC-jQw8KAy7NNP-9m0_atTD6OJYjFZpbnAyixkg7-2r6_B5MR3_nzSBVqc8orXBeBy4KbcG0pgcW6AYGOX1inJaXixCbvypqK5JSgj8RTjbnTd8OmMMzVhC6QBpuViHEcnwOKMx3YgaOEyV9GXwr39EBY-WvcDlu1b__L7vSD9y1VA5jGfAX7jRTmXOOOPrgU-KVOnvqrAUj4RgfpS2YqEFa59t9k00emP2L2FRq94HHBzZshI3dwN0kFH6nVu1y8VKuGqgIDJqbkiXPj88kgbC612wocVpuST4Y0q2g&state=wq_uw7UGAFosxcCkR_Oa7P9gyBQeE4DbW92-YZN0tgOFzlOTLeFxDsaVVmH9SsEY6rkZb3zU4ZRBjcp3nQf-b4V-lbXSihHBIzol77_SiBOX7b-GI8iDtPfp9VFuXbhXZWn--GY5xhjOLXnMCu1idq-Y53qMLm_mhX_oOFuOqgyLmqz35Cf3ardNKUT9tdXUyrLOkOCndQ3R2KSWx_FJ0qzptM6J0IyCvk-JwFkEKvjAh3-mgopTgnIKP-LHBL2Z#_=_
Expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v2.8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
Cache-Control: private, no-cache, no-store, must-revalidate
Pragma: no-cache
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
X-XSS-Protection: 0
Content-Type: text/html
X-FB-Debug: ABkQtw3vY1sccWewy5h4luP2SmaMQXgOUnv2HfxKkMGR7VFV+3Jq7+HOsVnGAESUXqI7RT+raZ/CrCLo3U1JbQ==
Date: Thu, 20 Apr 2017 03:49:26 GMT
Connection: keep-alive
Content-Length: 0
There is a X-Frame-Options: DENY for the request of GET https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=....
I could encounter the same issue, after some searches I found that the facebook graph api did some changes. Here is the detailed info, you could refer to it:
Facebook Graph API has a force upgrade: Changes from v2.2 to v2.3
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
Since the access_token returned with the JSON instead of the URL encoded, Microsoft.Owin.Security.Facebook prior to 3.1.0 could not handle this change. You need to upgrade Microsoft.Owin.Security.Facebook to 3.1.0 version, or you need to implement the FacebookAuthenticationOptions.BackchannelHttpHandler for a workaround to handle this change, for more details, you could refer to this similar answer.
UPDATE
As I known, X-Frame-Options indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>, I assumed that this header has no relation with your issue. Since your network packages are from your client, you could not see the processing when you use authorization_code to exchange the access_token from facebook. I recommended that you could run your web app on your local side and capture the packages as follows:
I have checked both update Microsoft.Owin.Security.Facebook to 3.1.0 and implement FacebookAuthenticationOptions.BackchannelHttpHandler by following this issue, both could work on my side and azure. In summary, you could get the authorization_code but failed to extract the access_token, I assumed that you need to clear/rebuild your project and make sure your project could work on your local side, then redeploy your project to web app (if you deploy the website via VS publish wizard, you could choose the "Remove additional files at destination" under Settings > File Publish Options or you could use KUDU to empty your web content).
UPDATE2
I have created a code sample AspDotNet-WebApplication-FacebookAuth with my facekbook app, you could try to run on your local side and make sure you could retrieve the access_token and get the logged user info as follows: