How to handle CSRF tokens across 2 Rails instances? - ruby-on-rails

Web requests made to my 2 Rails instances sometimes produce the following error (silently)
...
W, [2019-09-04T10:53:53.880137 #13871] WARN -- : Can't verify CSRF token authenticity
I, [2019-09-04T10:53:53.880465 #13871] INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
...
I believe this is because of the CSRF token generated from 1 instance and the above request was made to another instance.
How can I resolve this without disabling CSRF tokens?
The current setup is 2 virtual machines (on separate machines) running a copy of the same Rails app, sitting behind a load balancer. I have looked at the logs and this occurs at least 10 times a day.
Any help would be much appreciated

I've never used BinaryLane, and I've tried to check their documentation on setting up a load balancer so I could show you, but I cannot find any.
Here is the load balancer config I used in GCP:
Look for a Session affinity option or something similar (see their explanation for each option); I chose Generated cookie. Hope this gives you an idea of the problem.
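Session affinity hides the symptom; the underlying question is whether the node that receives the POST can read the session in which the node that rendered the form stored the raw token. The following added example (written for this page, not code from Rails or from either poster) reproduces the Rails scheme in miniature: a raw per-session token, a masked per-form copy (one-time pad followed by pad XOR raw), and a stand-in for the cookie session store signed with secret_key_base. The class and method names are assumptions; the real logic lives in ActionController::RequestForgeryProtection.

```ruby
require "securerandom"
require "base64"
require "json"
require "openssl"

# Rails keeps one raw CSRF token per session and renders a *masked* copy into
# each form (random one-time pad followed by pad XOR raw). Any node that can
# read the session can unmask and verify it; a node that cannot (different
# secret_key_base, or a per-node session store) answers 422.
module CsrfToken
  TOKEN_LENGTH = 32

  def self.raw_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  end

  # Rendered into the form on whichever node served the GET.
  def self.masked_token(session)
    raw = Base64.strict_decode64(raw_token(session))
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Checked on whichever node receives the POST.
  def self.valid?(session, masked)
    return false unless session[:_csrf_token]
    bytes = Base64.strict_decode64(masked.to_s)
    return false unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad, enc = bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, enc), Base64.strict_decode64(session[:_csrf_token]))
  rescue ArgumentError # malformed base64 in the submitted token
    false
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so the check does not leak by timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal stand-in for the Rails cookie session store: the session travels in
# an HMAC-signed cookie, so a node needs the same secret_key_base to read it.
class CookieSessionStore
  def initialize(secret_key_base)
    @secret = secret_key_base
  end

  def write(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{sign(payload)}"
  end

  def read(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return {} unless payload && sig && CsrfToken.secure_compare(sig, sign(payload))
    JSON.parse(Base64.strict_decode64(payload), symbolize_names: true)
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end
end

# The GET is served by a node holding form_secret, the POST lands on a node
# holding post_secret. Returns the status the POST node would answer with.
def simulate_cross_node_post(form_secret, post_secret, tamper: false)
  session = {}
  masked = CsrfToken.masked_token(session)
  cookie = CookieSessionStore.new(form_secret).write(session)

  masked = Base64.strict_encode64(SecureRandom.random_bytes(64)) if tamper
  post_session = CookieSessionStore.new(post_secret).read(cookie)
  CsrfToken.valid?(post_session, masked) ? 200 : 422
end

if __FILE__ == $PROGRAM_NAME
  puts simulate_cross_node_post("shared-secret", "shared-secret") # 200
  puts simulate_cross_node_post("node-1-secret", "node-2-secret") # 422
end
```

With the default cookie store, the check to make is that both VMs run with the same secret_key_base (in production this is usually config/credentials.yml.enc or the SECRET_KEY_BASE environment variable). With a cache- or memory-backed session store the session itself is per node, and then either a shared backend (database or Redis) or the session affinity setting from the answer is needed.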

Related

Failing with "saml_idp" gem set up

I am trying to use the "saml_idp" gem in my app but I am failing.
I am following this tutorial https://spin.atomicobject.com/2017/05/31/rails-saml-identity-provider/ but I keep receiving the messages below from the server every time I make a GET request to http://localhost:3000/saml/auth.
Processing by SamlIdpController#new as HTML
Unable to find service provider for issuer
Breadcrumb Controller halted via callback meta_data filter:Symbol has been dropped for having an invalid data type
Filter chain halted as :validate_saml_request rendered or redirected
Completed 403 Forbidden in 144ms (ActiveRecord: 0.0ms)
Started GET "/__meta_request/92c4c9d5-244f-4094-92e7-c7fed56de976.json" for ::1 at 2019-12-04 15:08:33 -0200
Does anybody know what is going on here? Routes are:
get '/saml/auth' => 'saml_idp#new'
post '/saml/auth' => 'saml_idp#create'
That tutorial describes the configuration necessary for an SP-initiated SSO flow. It won't be entirely applicable to you, since you are creating an IdP-initiated flow. You may be seeing that "Unable to find service provider for issuer" error because the route you're visiting expects an AuthnRequest to be present (which would normally be generated and sent by the SP to request a login for users on the IdP, which would then respond to the SP with a SAMLResponse containing an Assertion). This happens because you're extending the IdpController present in the gem. You won't need to do this unless you expect to respond to AuthnRequests from SPs.
This gem may still be useful to you. You should still be able to call SamlIdp::SamlResponse.new to build a SAMLResponse for an IdP-initiated flow. The exact configuration depends on how you must communicate with your SP, so it is difficult to provide guidance here.

Intermittent token failure with load balanced oAuth

We have implemented our own oAuth provider and are having an issue when the system runs in a load balanced scenario. When we run with a single server all is well but when we switch the other on we get the following situation:
Token ‘A’ generated on server 1
Token ‘A’ not valid on server 2.
I have done some Googling on this and it seems to be a known issue but can’t seem to find a solution.
Anybody got an idea?
Thanks
You will have to make sure that you do one of:
synchronize the state of your Authorization Server between all load balanced nodes by using a shared cache (e.g. database or file system) or replicate state across nodes using some replication mechanism
your Authorization Server issues tokens that can be inspected by the load balancer to find out to which node it needs to send the validation request
The latter has the downside that it cannot be used in a high availability scenario.
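The two options above, as an added example that is not part of the original answer and not taken from any particular OAuth library: the AuthNode and LoadBalancer classes and the node-id token prefix are assumptions made for illustration. Option (a) gives both nodes the same token store; option (b) puts the issuing node's id in the token so the balancer can route validation back to it, and the last scenario shows why that fails when the owning node is down.

```ruby
require "securerandom"

# Opaque bearer tokens behind a load balancer. A token is only known to the
# node that issued it unless (a) the nodes share one token store, or
# (b) the token names its issuing node so validation can be routed to it.
class AuthNode
  attr_reader :id

  # `store` stands in for a shared database/cache; each node gets a private
  # Hash when none is given, which is the broken setup from the question.
  def initialize(id, store: {})
    @id = id
    @store = store
  end

  def issue(user, ttl: 3600)
    token = "#{@id}.#{SecureRandom.hex(16)}" # node id prefix enables option (b)
    @store[token] = { user: user, expires_at: Time.now + ttl }
    token
  end

  def validate(token)
    entry = @store[token]
    !entry.nil? && entry[:expires_at] > Time.now
  end
end

class LoadBalancer
  def initialize(nodes)
    @nodes = nodes.each_with_object({}) { |n, h| h[n.id] = n }
    @down = []
  end

  def mark_down(id)
    @down << id
  end

  def live_nodes
    @nodes.values.reject { |n| @down.include?(n.id) }
  end

  # Any live node may answer the validation request (works only with option (a)).
  def validate_anywhere(token)
    node = live_nodes.sample
    !node.nil? && node.validate(token)
  end

  # Option (b): read the owner from the token and send validation there.
  # If the owner is down the token is unverifiable, the HA downside above.
  def validate_by_owner(token)
    owner = token.to_s.split(".", 2).first
    node = @nodes[owner]
    return false if node.nil? || @down.include?(owner)
    node.validate(token)
  end
end

# Scenario helpers: does a token issued on node 1 validate elsewhere?
def separate_stores_any_node
  n1 = AuthNode.new("n1")
  n2 = AuthNode.new("n2")
  n2.validate(n1.issue("alice")) # false: n2 never saw the token
end

def shared_store_any_node
  shared = {}
  n1 = AuthNode.new("n1", store: shared)
  n2 = AuthNode.new("n2", store: shared)
  LoadBalancer.new([n1, n2]).validate_anywhere(n1.issue("alice")) # true on either node
end

def routed_to_owner(owner_down: false)
  n1 = AuthNode.new("n1")
  n2 = AuthNode.new("n2")
  lb = LoadBalancer.new([n1, n2])
  token = n1.issue("alice")
  lb.mark_down("n1") if owner_down
  lb.validate_by_owner(token) # true unless n1 is down
end
```

The shared-store variant is the one that survives a node failure; with the prefix-routed variant every token issued by a dead node is dead with it, even though the other node is healthy.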

status code 500 internal server error in LoadRunner

I have a web application which I need to load test using LoadRunner. When I record the website using VuGen it works well and there are no application bugs. But when I try to replay the script, the script fails after login while navigating to the next page, say, Transaction. At the end of the log, I receive the error:
Action.c(252): Error -26612: HTTP Status-Code=500 (Internal Server Error)
for "http://rob.com/common/transaction
Please help me to resolve this error.
LoadRunner generates HTTP requests just as your browser does; this error is the same error you would get if you went to that URL using your browser. Error code 500 is a generic server error that is returned when there is no better (more specific) error to return.
Most likely the login process requires some form of authentication which is protected against a replay attack by using some form of token. It is up to you to capture this token using Correlations in LoadRunner and replay it as the server expects. The Correlation Studio in VuGen should detect and identify the token for you but since authentication methods vary it is sometimes impossible to do this automatically and you will have to create manual correlation. Please consult the product documentation for more details on how to do it. If your website is publicly available online then post its URL and I will try to record the script on my machine.
Thanks,
Boris.
Most common reasons
You are not checking each request for a valid result being returned and are using a 200 HTTP status as an assumed correct step without examining the content of what is being returned. As a result, when the data being returned is incorrect you are not branching the code to handle the exception. Go one to two steps beyond where your business process has come off the rails with an assumed success and you will have a 500 status message for an out-of-context action occurring 100% of the time.
Missed dynamic element. Record three times. Compare the code. Address the changing components.
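What both answers call correlation is, mechanically, reading a dynamic value out of one response and substituting it into the next request, and then checking the response content rather than trusting the status code. The following added example shows that in Ruby rather than in VuGen's C scripting; it is not from either answer or from LoadRunner. The login page markup is constructed for the example, and the field names and the expected-content check are assumptions about the target application.

```ruby
require "cgi"
require "uri"

# Constructed sample of the login page a recording would capture. The token
# value changes on every GET, which is what breaks a verbatim replay.
SAMPLE_LOGIN_PAGE = <<~HTML
  <form action="/users/sign_in" method="post">
    <input value="f3Q+7/abc==&amp;x" type="hidden" name="authenticity_token" />
    <input name="user[email]" type="email" />
    <input name="user[password]" type="password" />
  </form>
HTML

# Correlation: pull the hidden field out of the *previous* response. Attribute
# order is not assumed; the tag is located by name, then its value is read.
def extract_hidden_field(html, name)
  tag = html[/<input\b[^>]*\bname="#{Regexp.escape(name)}"[^>]*>/]
  return nil unless tag
  value = tag[/\bvalue="([^"]*)"/, 1]
  value && CGI.unescapeHTML(value)
end

# Build the body of the next request from the correlated token plus credentials.
def build_login_body(html, email, password)
  token = extract_hidden_field(html, "authenticity_token")
  raise "correlation failed: no authenticity_token in response" if token.nil?
  URI.encode_www_form(
    "authenticity_token" => token,
    "user[email]" => email,
    "user[password]" => password
  )
end

# Content check: a 200 whose body still contains the login form means the
# login did not happen, and the next step is the out-of-context 500 above.
def step_succeeded?(status, body, expect:, reject: "authenticity_token")
  status == 200 && body.include?(expect) && !body.include?(reject)
end
```

The same two steps apply whatever the token is called: locate it in the response that issued it, re-encode it exactly as the form would, and assert on a marker that only appears after success.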

Is my Rails 3.2.13 app running on my development machine being hacked?

I am using 'Thin' as my rails server in my development environment. I noticed something that alarmed me. I was taking a break... no keystrokes on my machine. The terminal window where Thin is running produced the following:
Started GET "/controller/method" for 127.0.0.1 at ...
Processing by ...Controller#method as HTML
Completed 401 Unauthorized in 58ms
Started GET "/users/sign_in" for 127.0.0.1 at 2013-08-16 11:47:02 -0400
Processing by Devise::SessionsController#new as HTML
...
Completed 200 OK in 178ms (Views: 22.3ms | ActiveRecord: 3.7ms)
Somewhere my development machine was responding to a request for a specific page that needed authorization and presented a log in screen to someone. It wasn't on my machine. No one else in my office has the technical ability, or the interest, to do a hack on my machine. So it must be coming from my wireless router or through our internet connection... I'm guessing.
In production I have an access log which gives an ip address for all those accessing our site. Is there something I can do to provide that kind of information? What can I do in my rails configuration to confirm that it was indeed a hack attempt?
I am addressing the rails process here. Is there a StackExchange site that addresses the security issues related to my router, internet connection and development machine? Which one(s) might it be?
Thanks.
It definitely seems like some automated hacking attempt. If you were running an older version of rails you could get it to execute arbitrary controller methods like that, or if you had set your routes file up improperly.
Just a reminder to set all of the controller methods you don't want to be visible to the outside world directly as private or protected. Also double check your routes file to ensure that you are avoiding less safe route definitions like match, if possible.
While this shouldn't entirely assuage your security concerns, being proactive about limiting the possible access attackers can gain will serve your project for the best. Additionally, you could set up thin to bind to 127.0.0.1 instead of 0.0.0.0, thereby preventing external requests (if possible).
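The reason the answer stresses private and protected: a Rails action is simply a public instance method the controller adds on top of the framework base class, so any public helper becomes reachable as soon as a permissive route (such as a `match ':controller(/:action)'` catch-all) can name it. The following added example is a stand-in written for this page, not Rails code; ApplicationControllerStandIn and the two controllers are assumptions, and the action_methods rule is a simplification of ActionController's.

```ruby
# A controller action is a public instance method declared below the
# framework base class. This stand-in reproduces that rule so it can show
# which methods a catch-all route would expose.
class ApplicationControllerStandIn
  # Simplified form of ActionController's action_methods: public methods
  # added below the base class; protected and private ones are excluded.
  def self.action_methods
    (public_instance_methods(true) - ApplicationControllerStandIn.public_instance_methods(true))
      .map(&:to_s).sort
  end

  # What a router does after matching ':controller/:action'.
  def self.dispatch(action)
    raise ArgumentError, "ActionNotFound: #{action}" unless action_methods.include?(action.to_s)
    new.public_send(action)
  end
end

# Helper left public: routable by a permissive route even with no explicit route for it.
class LeakyPostsController < ApplicationControllerStandIn
  def index
    "listing posts"
  end

  def purge_all # meant as an internal helper
    "deleted every post"
  end
end

# Same controller with the helper made private.
class SafePostsController < ApplicationControllerStandIn
  def index
    "listing posts"
  end

  private

  def purge_all
    "deleted every post"
  end
end

if __FILE__ == $PROGRAM_NAME
  p LeakyPostsController.action_methods # ["index", "purge_all"]
  p SafePostsController.action_methods  # ["index"]
end
```

For the bind-address part of the answer, Thin takes the listen address on the command line (`thin start -a 127.0.0.1 -p 3000`), which keeps the development server off the LAN interface entirely.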
Oh man... it was so simple. Can't believe it took me so long to figure out. Safari has the "top sites" feature. Whenever I open a new tab, top sites is the page that is displayed. Some of my top sites are fixed by dragging a url to the top sites icon. The remainder are composed of other pages that are among the most frequently displayed. After I alter code I frequently view the page to make sure there are no errors. Top sites is trying to display some of those pages. Viewing those pages requires authorization. Top sites is trying to hack my development server. :=]

open_id_authentication - "OpenIdAuthentication.store is nil. Using in-memory store." problem

I am trying to make the open_id_authentication plugin working.
Initially I was doing it with authlogic but abandoned that because it felt like much more hassle than help.
The problem is that I am getting OpenIdAuthentication.store is nil. Using in-memory store. warning in the log which prevents from authenticating users correctly.
Here is the log snippet:
Processing UserSessionsController#create (for 127.0.0.1 at 2010-04-21 23:58:38) [POST]
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"MSPc+VMgsQZ/w7vsb2OiE0azsF1QmphZqfnS6cPRD/U=", "openid_identifier"=>"http://myopenid.com"}
Completed in 12ms (View: 1, DB: 0) | 401 Unauthorized [http://localhost/user_session]
Generated checkid_setup request to http://www.myopenid.com/server with assocication {HMAC-SHA1}{4bcf0490}{MN9AXg==}
OpenIdAuthentication.store is nil. Using in-memory store.
Error attempting to use stored discovery information: OpenID::TypeURIMismatch
Attempting discovery to verify endpoint
Performing discovery on http://xxx.myopenid.com/
Using 'check_authentication' with http://www.myopenid.com/server
I am not really sure what I have to do in order to fix this issue. Probably setting the store to database (and I have OpenID migration). Also not sure if I really need the database to perform the OpenID authentication.
The original project (branch) is here so you can have a close look.
Would appreciate good advice on that.
Thanks,
Dmitriy.
I was having similar problems with the most recent open_id plugin and the memory store. Some OpenID sites would work, but most would not. Something in the MemoryStore is broken on how to authenticate. Switching to using the file store worked fine for me.
I created an initializer named config/initializers/openid.rb with this inside:
OpenIdAuthentication.store = :file
Restarted the app, and every OpenID URL I tried started working.
Why the File store works when the Memory store doesn't, I can't answer. I just know that this fixed it for me.
