ASP.NET Issues with Safari - asp.net

I'm tracking customer issues with our contractor website. I've had quite a few customers complain that they are unable to access their account (on a secure server). Users will get a server error. When I ask them to try on a different browser the issue goes away.
I don't know where to begin to look for the reason Safari has issues with our servers. The site is built using ASP.NET. I know next to nothing about Safari issues and how Safari handles data transmission. I don't know if Safari doesn't like the way we save cookies, if it's a validation issue, or what.
The "login" button seems to be sending the request to the server, because our contractor is getting the error logs. (They are not sending us these error logs, unfortunately, so I can't really review them myself. Contractors don't like it when you ask to see their logs.)
Does anyone have the vaguest form of advice? Have you had any similar errors or kinky issues with Safari?

Related

BT Web Protect blocking firebase storage urls

At some point yesterday (25/08/21) we started getting errors accessing any documents held in firebase storage.
I can see them in the firebase console, but if I try to view them I get an error.
The exact error depends on which browser but it was along the lines of:
This site can’t provide a secure connection
firebasestorage.googleapis.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
After a bit of digging, it seems specific to the BT ISP in the UK, and caused by their BT Web Protect product. If I disable Web Protect from my BT account I can access the URLs again, but obviously that is not a solution I can offer to our customers. (Similarly, if I connect via a mobile hotspot on my phone, all is well.)
I contacted BT who suggested I email saferbrowsing#bt.com and ask them to unblock it, so if anyone else is having this issue please do the same - the more noise on this the quicker the resolution hopefully.
To the Firebase team - is there anything you can do from your side to expedite this? Firebase Storage is a huge part of our product and it simply doesn't work for anyone on BT at the moment.
Thanks
John
I got a reply from BT this morning saying that firebase has been unblocked, and all seems to be working again. phew!
Several ISPs have anti-spam detection; it is used to hunt down new spikes of traffic that can seem suspicious. If you are getting faults from users from a specific ISP or geolocation, this can indicate outages or blocked requests.
The best solution is to always call their technical support and discuss what could have triggered it and remove any potential blocks from happening again.

What would cause events to suddenly stop being sent to/received by firebase?

We are using Firebase/Google analytics for our Android and iOS app. Everything seemed to be sending data correctly and we were able to view the data in Big Query etc. However we started to notice that some data seemed to be getting lost.
We detected an odd situation where some users' analytics data stopped showing on Firebase/Google Analytics/Big Query, despite having previously received data from that user in the past. The data seems to just stop at a random point in time, for random users.
in_app_purchase events from those players were still appearing in the data on dates where they didn't have any other events. We checked our backend service (gamesparks) for their account and could see that they were active players who had been using the app very recently. That is, after their last event was appearing in Big Query.
After investigating some more, we started finding other users who had the same issue. They would be sending data without issue and then all of a sudden we would receive nothing from them, except for in_app_purchase events/notification events etc. which are sent via a separate service (app store etc.) rather than the client.
After scouring our implementation and going over it line by line, comparing it to the samples/documentation, we couldn't really see any issues, and even the automatic events (session_start etc.) stop appearing. We made sure we were using the latest versions of the firebase SDKs etc. in the hope it would fix it, but it made no difference.
One peculiar thing is that when we find an in_app_purchase event from one of these 'broken' players, things like the user properties and default parameters for that player have changed from when they stopped sending data, so it seems like the lost data is somewhere but not being logged anywhere.
I was wondering if it was possible for specific users to stop their app sending any analytics data to Firebase via a device/google account setting?
While looking into the documentation we noticed that if Google Play Services is installed on the device, data is sent via that, rather than via the client/firebase sdk itself. Is there any known issue with players changing their Google Play Services settings that could cause something like this?
Wondered if this was a known issue but please let me know what other information you might need.
EDIT: I also wanted to mention that although we can't be 100% certain, we believe this is only happening to our Android users. We haven't found any iOS users that have the same issue.
Thanks,
Matt

Can Service Workers receive pushes when not installed on mobile?

I think I know the answer to this question from my experiments, but I haven't been able to find a definitive answer when doing research.
Is it possible to send notifications to a PWA when it is opened in Chrome on mobile, but isn't installed?
Once it is installed I can receive notifications, but I can't before.
I'm having a hard time getting remote debugging working for my mobile so it's difficult to tell if the push event is even firing.
The docs don't specify the need to install the PWA to be able to use the notification feature. However, what I suspect is happening in your case is that Chrome is not giving priority to the notification that you are sending without installing. What I mean is that you might receive your notification on the regular wakeup cycle of Chrome, and not as a background task. (But this is just speculation.)
Another common scenario that happens a lot, trust me :-), is that you forgot to give permission to send notifications in the first place.
Regarding remote debugging, refer to the docs to get it set up on Android, as a lot of the online tutorials are a bit out of date.
Note: I found an article online that shows a notification received without installing on Android, here is its link, it might not be very helpful for your case but check it out you might figure something out.
Yes they can.
The problem was that I had notifications enabled for my site, but disabled for Chrome itself.

Why would successful login via a long established B2C tenant start to result in unauthenticated user principals?

We've had a .NET Framework 4.6/Asp.NET MVC app secured for some time with Azure B2C, enabling sign in with social providers and with a workplace Azure AD account. We configured this more than a year ago with custom policies, when the Identity Experience Framework was quite new, and it has worked successfully ever since.
In about mid-January, some users started experiencing an issue. Sign in with B2C would complete correctly (and be logged as a success in the audit trail), but the user identity would remain unauthenticated. This has now spread, with many users affected, signing in with social providers and/or the linked external AD, but with some users not affected at all (suggesting perhaps an issue with new cookies, whereas old unexpired ones are good?).
The issue can be replicated in testing, and a clean browser will fail to log in multiple times, then succeed perhaps once, or twice, before returning to failing. The success rate is perhaps 1/20, and seems higher with VS 2019 in debugging mode, suggesting perhaps some kind of timing issue.
The fact that it does work very occasionally seems to suggest there isn't anything wrong with the configuration. All traces to Application Insights, as well as the B2C audit log, show successful logins, but the user identity in the Asp.NET site remains unauthenticated. We've tried stepping back in Git as far as the middle of last year, and those older builds experience the same issue, although the code has been functioning in production all this time.
One further oddity. When I inspected the Azure B2C tenant to confirm no keys had expired and no other changes had been made (none had), I discovered it was no longer associated with our subscription - a warning message directed me to attach it. We had certainly done this previously, as we could not have used the Identity Experience Framework otherwise. We don't understand how it could have been removed from our subscription - no such action appears in the activity log. Reattaching it, however, has not fixed the issue above.
What could be happening here? Why would a previously solid app begin malfunctioning in mid-January? How can we debug this when all the logs show a successful authentication? How did the tenant remove itself from our subscription?
Happy to post code if it will help, but I would emphasise that a) this was working previously; and b) it still does work intermittently.
Update: A long and helpful screen-share with Azure support has confirmed that the B2C login process is working correctly, but something (unknown) is going wrong when redirecting back to the application. The JWT looks good. What could this be?
Further Update: Two escalations and further long debugging, and this still isn't fixed. It seems the login completes absolutely correctly, but then the Asp.Net application somehow doesn't trust the result. The JWT looks good, but the user in the app remains unauthenticated (or somehow loses authenticated status at once). Has anyone else hit this kind of issue? What could be going wrong?
With help from the Microsoft Asp.Net support team, we managed to diagnose this as an instance of Katana bug #197 as described here: Application stops generating login cookies
The solution was the well-known app.UseKentorOwinCookieSaver();
https://github.com/KentorIT/owin-cookie-saver
Although we had implemented this fix previously on our Azure AD secured Asp.Net sites, we hadn't needed it previously on a B2C site. We're still not clear why this issue reared its head suddenly on a site that had otherwise been operational and stable for more than a year.
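As an added example (not code from the question, the answer, or the Kentor project), here is a minimal OWIN Startup for an ASP.NET MVC 5 app signing in through Azure AD B2C with the OpenID Connect middleware, with the cookie saver registered in the position where it actually works. The tenant, policy name, client id and redirect URI are placeholders, and the cookie options are my own choices, not the poster's.

```csharp
using System;
using Kentor.OwinCookieSaver;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp
{
    public class Startup
    {
        // Placeholder B2C settings (assumptions, not values from the question).
        private const string TenantName = "contoso";
        private const string TenantDomain = "contoso.onmicrosoft.com";
        private const string Policy = "B2C_1A_signup_signin";
        private const string ClientId = "00000000-0000-0000-0000-000000000000";
        private const string RedirectUri = "https://localhost:44300/";

        public void Configuration(IAppBuilder app)
        {
            // Must be the very first middleware. It preserves cookies written by OWIN
            // middleware (the auth session cookie, the OIDC nonce cookie) when System.Web
            // later rewrites Response.Cookies and would otherwise drop them (Katana #197).
            // Registered after the cookie/OIDC middleware it silently does nothing.
            app.UseKentorOwinCookieSaver();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always, // B2C only redirects to HTTPS anyway
                CookieHttpOnly = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(60),
                SlidingExpiration = true,
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                // Custom (IEF) policies are addressed through the policy-specific metadata document.
                MetadataAddress = $"https://{TenantName}.b2clogin.com/{TenantDomain}/{Policy}/v2.0/.well-known/openid-configuration",
                ClientId = ClientId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                ResponseType = OpenIdConnectResponseType.IdToken,
                Scope = OpenIdConnectScope.OpenId,
                // Issuer, audience, signature and lifetime are validated against the metadata;
                // only the claim used for User.Identity.Name is overridden here.
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                },
            });
        }
    }
}
```

The check that distinguishes this bug from a genuine token-validation failure is in the browser's network tab: the 302 that the OIDC callback returns after a successful sign-in should carry a Set-Cookie for `.AspNet.Cookies`. When Katana #197 bites, the id_token validates, the audit log records success, and that Set-Cookie header is simply absent from the response, which is exactly the "login succeeded but the principal is unauthenticated" symptom described above. After the fix the header reappears on the same response.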

Is it possible to disable off-line caching for Firefox in ASP.NET (at the server level)?

How do I disable offline caching for Firefox in ASP.NET or in IIS? I found this post:
Disabling browser caching for all browsers from ASP.NET
This doesn't address the issue completely. It just disables caching from the back button (when not in off-line mode).
Here is a simple scenario:
If user A logs on to his bank. User A is doing transactions and he even goes to update some personal data. Finally user A is done and logs off from his bank website. User A leaves the browser on, because he has another tab open downloading a file that is a few gigs. User B would like to go on to his email to send out some emails, so user A doesn't close the browser. He knows the security risks, because he has read what must be done once you log off of the site, but he doesn't want to stop the download. For user A, to have to redownload is too much time for him and well he is just your typical user and doesn't think user B (being a good friend of his) will do anything malicious. So then user B uses the browser. The first thing user B does is "work offline". User B now has all data from user A. The page has an off-line cache for user B to see. User B is now able to open the history to view those cached pages, or just simply click back if the page was left open (either way works). User B now has all the pages that user A has browsed to. So any sensitive data is now his.
Does anyone know if this is possible to control at the server level. I know in Firefox you go to about:config, but that is not an option for the server to tweak. Even so, this can be told to the user, but not every user is going to be able to do this (being too complicated for some users), or some users will just ignore the warnings out of laziness or just not reading what the page says. I know there will be that one person that will say, "oh well that's their own fault and they deserve that". I honestly think ignorance in this sense is not the user's fault. Consider an older person in their 80s who is not technology-centric (like my father, whom I constantly give the do's and don'ts about online, but he still doesn't really understand the risks completely).
So I reiterate again, is it possible to disable this kind of off-line caching at the server level? I also found this post:
http://forums.asp.net/post/1386380.aspx
Would this help at all? Any help please. Please be constructive and not start a debate. I think I have been very clear, and I have done a lot of research on this with no luck. Please note that only the off-line caching on Firefox is what is giving the problem; on every other browser (or on Firefox online) the caching has been disabled as expected.
Update:
I actually already have what the last link suggests (http://forums.asp.net/post/1386380.aspx) and it still doesn't prevent the problem.
Disabling the cache from the server side is kind of impossible because the server can only request that the browser not store it in the cache. The rest is up to the browser to follow it or not.
The best option is not to send the data to the browser, so it is never cached, and instead fetch it on demand using JSON/XML or anything you are comfortable with.
The only trick that worked for me was to remove all sensitive information from loading via regular page methods, and load it via ajax/jquery on the window.ready event. Once I implemented callback and ajax, the back button and 'work offline' problem got solved, but rolling that out with ajax callback was really a big task.
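As an added example (not code from the question or the answer) of the approach the answer describes, here is an ASP.NET MVC 5 controller that keeps account data out of the HTML document entirely and hands it only to a POST the page makes after it has loaded, together with an action filter that emits the strongest cache directives the framework can express. The controller and action names, and the in-memory balance table, are placeholders standing in for a real account store.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

namespace ExampleApp.Controllers
{
    // Asks every cache (browser, proxy, Firefox's offline store) not to keep the
    // response. This is advisory only: the server can request it, not enforce it.
    public sealed class NoStoreAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
            cache.SetCacheability(HttpCacheability.NoCache);         // Cache-Control: no-cache, Pragma: no-cache, Expires: -1
            cache.SetNoStore();                                      // adds no-store
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // adds must-revalidate
            cache.SetMaxAge(TimeSpan.Zero);                          // adds max-age=0
            base.OnResultExecuting(filterContext);
        }
    }

    [Authorize]
    [NoStore]
    public class AccountController : Controller
    {
        // Constructed sample data (assumption) standing in for the real account store.
        private static readonly Dictionary<string, decimal> Balances =
            new Dictionary<string, decimal>(StringComparer.OrdinalIgnoreCase)
            {
                ["alice@example.com"] = 1234.56m,
            };

        // The HTML shell: layout, anti-forgery token and script only, no account data.
        // Even if a browser keeps this document offline, there is nothing sensitive in it.
        [HttpGet]
        public ActionResult Index()
        {
            return View();
        }

        // Account data is returned only here, to an XMLHttpRequest/fetch POST that the
        // page issues once it has loaded. Browsers do not normally store POST responses
        // in the HTTP cache, so neither the back button nor "Work Offline" replays them,
        // and MVC's JsonResult refuses GET by default, which also blocks cross-site JSON
        // hijacking. The anti-forgery check stops another site from POSTing here.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public JsonResult Details()
        {
            decimal balance;
            if (!Balances.TryGetValue(User.Identity.Name, out balance))
            {
                Response.StatusCode = 404;
                return Json(new { error = "no account" });
            }
            return Json(new { balance });
        }
    }
}
```

The view for `Index` renders `@Html.AntiForgeryToken()` and a script that POSTs to `/Account/Details` with that token in the form body, then writes the returned values into the DOM. Putting `[NoStore]` on the controller rather than on individual actions is deliberate: a forgotten action that returns sensitive HTML is the usual way this class of leak comes back.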
