I am writing a web server, specifically, a server that handles the HTTP/1.0 and HTTP/1.1 protocols. I implemented HTTP/1.0 features in my server and wanted to look at persistent HTTP connections (Connection: Keep-Alive). I also implemented that feature and tested the server via telnet. Everything works fine with telnet: the server does not close the client socket after every request; it waits for 15 seconds and closes the socket if it is inactive.
To ensure that it works correctly, I re-tested the server with Postman. Here is the screenshot:
As you can see from the logs, the socket connection is not dropped after sending the response. After 15 seconds of inactivity, the server closes the socket. This is the desired behavior.
However, when I used the Google Chrome web browser, it turns out that it does not work correctly (not the same with the desired behavior). Here is the screenshot:
I speculate that Google Chrome creates a new socket connection for every request even though Connection: Keep-Alive is present in both HTTP request/response messages. However, I am not sure whether this is true or not. By the way, I also used Safari and the output is the same.
Is this the reason why persistent HTTP connections do not work in Google Chrome, yet work with telnet and Postman?
Thanks
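Added example, not the asker's server: a minimal Python keep-alive loop implementing the rules the question exercises (HTTP/1.1 persistent by default, HTTP/1.0 only with Connection: keep-alive), framing by Content-Length so a pipelined second request on the same socket is not dropped, and closing after the question's 15-second idle timeout; serve_connection returns how many requests one socket carried, which is the number to log when judging whether a browser reused the connection. Browsers also open several parallel sockets to one host, so a burst of single-request sockets is not by itself a keep-alive failure.

```python
import socket
IDLE_TIMEOUT = 15.0  # seconds of inactivity before the server closes the socket, as in the question

def parse_request_head(head):
    """Split a raw request head into (method, target, version, headers); header names are lower-cased."""
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines[1:] if ln)}
    return method, target, version, headers

def should_keep_alive(version, headers):
    """HTTP/1.1 is persistent unless 'Connection: close'; HTTP/1.0 only with 'Connection: keep-alive'."""
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}
    return "close" not in tokens if version == "HTTP/1.1" else "keep-alive" in tokens

def read_one_request(conn, buf):
    """Read one request (head + Content-Length body); returns (method, target, version, headers, body,
    leftover) or None on EOF / idle timeout. 'leftover' keeps the start of a pipelined next request."""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return None
            buf += chunk
        head, _, rest = buf.partition(b"\r\n\r\n")
        method, target, version, headers = parse_request_head(head)
        length = int(headers.get("content-length", "0"))
        while len(rest) < length:           # the body may arrive in later recv() calls
            chunk = conn.recv(4096)
            if not chunk:
                return None
            rest += chunk
    except socket.timeout:                  # 15 s of silence: the idle close the question describes
        return None
    return method, target, version, headers, rest[:length], rest[length:]

def serve_connection(conn):
    """Serve one socket until EOF, 'Connection: close' or IDLE_TIMEOUT; returns requests carried by it."""
    conn.settimeout(IDLE_TIMEOUT)
    served, buf, keep = 0, b"", True
    while keep and (req := read_one_request(conn, buf)) is not None:
        method, target, version, headers, body, buf = req
        served += 1
        keep = should_keep_alive(version, headers)
        payload = ("%s %s" % (method, target)).encode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n"
                     b"Connection: %s\r\n\r\n%s" % (len(payload), b"keep-alive" if keep else b"close", payload))
    conn.close()
    return served
```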
In Windows my time zone is set to UTC+2:00 Jerusalem
But several websites think I'm in UTC. And I see that Chrome reports my timezone as UTC. When I try this in my console
Intl.DateTimeFormat().resolvedOptions().timeZone
I get "UTC"
Though I can't for the life of me find any setting in Chrome that keeps its own timezone.
I'm using Windows 10. Here's the navigator.userAgent:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
If I run tzutil /g in the command line, I get:
Israel Standard Time
There are extensions that let me change the timezone. But I'd rather solve the issue. So I can help other clients with similar issues.
UPDATE
It seems that this issue happens only in pages run from Visual Studio via IIS. If I check the timezone in regular Gmail or Wikipedia etc. then the timezone is correct.
But in a browser that was opened from VS, when running my ASP.NET site, the timezone always shows UTC, even if I open Wikipedia in said browser. The browser somehow gets "set" to UTC.
Where can this be fixed?
Thanks!
Try resetting your time zone again in Windows.
I had this issue a few days ago as well. What I did was to set the time zone to something else, apply, then back to the correct one and apply.
I had to update a form on a certain webpage to change something I wanted.
I failed to do so, but instead of sending a simple text reply saying 'This cannot work' for example, they sent a whole JSON response on the display.
I'm just curious, does this response pose any security vulnerabilities for either me or the server I contacted to process my request?
P.S. The '***'s in the response are so because I'm not sure if providing that info is the right thing to do.
However, even without it, the response is fairly intuitive.
This is the response:
{"name":"StatusCodeError","statusCode":409,"message":"409 - [object Object]","error":{"status":"failure","message":"Email already taken.","code":91,"data":null,"error":{"message":"None"}},"options":{"uri":"*********","method":"POST","headers":{"Authorization":"Bearer *********=","Cookie":"*********=;cm_sub=denied","User-Agent":"********","Accept-Language":"en-US","Original-Accept-Language":"********","X-********-InstallId":"*****","X-*****-AppState":"active","X-*****-Parent-Rid":"********","X-*****-Root-Rid":"********","X-*****-Rid":"*****","X-Pixel-Ratio":1,"X-*****-App-Type":5,"X-Prefer-User-Locale":"1","X-Real-Ip":"********","X-*****-Real-Ip":"*****","X-*****-Csrf":"********","X-*****-Browser-Extension-Installed":"false","X-********-Referrer":"********","X-Bot":"false","X-Referrer":"********","X-Url":"********"},"form":{"base_scheme":"https","client_id":1431601,"timestamp":*****,"country":"US","email":"*****","oauth_signature":"********"},"traceId":false,"parseJson":true,"resolveWithFullResponse":true,"json":true,"simple":true},"response":{"statusCode":409,"body":{"status":"failure","message":"********","code"********,"data":null,"error":{"message":"None"}},"headers":{"server":"nginx","date":"Sun, 10 Mar 2019 16:08:31 GMT","content-type":"application/json","content-length":"112","connection":"close","*****-version":"*****","x-content-type-options":"*****","x-frame-options":"DENY","*****-generated-by":"********"},"request":{"uri":{"protocol":"http:","slashes":true,"auth":null,"host":"*****","port":"*****","hostname":"localhost","hash":null,"search":null,"query":null,"pathname********","path":"/v3/users/settings/","href":"********"},"method":"POST","headers":{"Authorization":"********","Cookie*********","User-Agent":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/******** 
Safari/537.36","Accept-Language":"en-US","Original-Accept-Language":"en-US,en;q=0.9","X-*****-InstallId":"********","X-*****-AppState":"active","X-*****-Parent-Rid":"********","X-*****-Root-Rid":"*************","X-*****-Rid":"*****","X-Pixel-Ratio":1,"X-*****-App-Type":5,"X-Prefer-User-Locale":"1","X-Real-Ip":"*****","X-*****-Real-Ip":"********","X-********-Csrf":"********","X-*****-Browser-Extension-Installed":"false","X-********-Referrer":"*************","X-Bot":"false","X-Referrer":"********","X-Url":"********","content-type":"application/x-www-form-urlencoded","accept":"application/json","content-length":179}}}}
Here's what I learned from this server response. The first thing I noticed is your protocol is using http.
"protocol":"http:"
HTTP is a plaintext and unencrypted form of communication. This is important to note because if someone is sniffing your traffic, they will be able to read the transmission as you have posted it here (without the *****'s blocking sensitive data).
The next thing I noticed is your authorization token.
"Authorization":"Bearer *********="
Given that the message is in plaintext, an attacker will be able to steal your token. Using this token an attacker can communicate with the server as an authorized user, gaining access to (and possibly the ability to modify) private information.
On the flip side, since we assume the attacker has sniffed your unencrypted traffic, they can also make note of your client's computer/browser information:
"User-Agent":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/******** Safari/537.36"
From this info, the attacker can gather that the client is using Windows 8.1 and what browsers/versions are installed on the client's computer. With these system specs, the attacker can launch a targeted attack on the client's computer (especially if you have an outdated/insecure OS or browser version).
So to answer your question, yes there are security vulnerabilities for both the client and server.
However, simply switching from HTTP to HTTPS would make a big difference in limiting your exposure.
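The server-side counterpart to the answer above is to never return the raw error object at all. As an added example (not the site's own code), here is Python that walks such a body and lists every field a client should not see, alongside the reduced body the server should have sent; the sample object is constructed to mirror the shape of the question's StatusCodeError, with placeholder values.

```python
import json

# Key names that identify secrets, client fingerprints or server internals (matched case-insensitively).
LEAKY_KEYS = {"authorization", "cookie", "set-cookie", "user-agent", "x-real-ip",
              "form", "uri", "href", "hostname", "host", "port", "server"}

def find_leaks(value, path=""):
    """Return dotted JSON paths of every field a client should never see in an error body."""
    leaks = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in LEAKY_KEYS:
                leaks.append(here)          # report the subtree once; no need to descend into it
            else:
                leaks.extend(find_leaks(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            leaks.extend(find_leaks(child, f"{path}[{i}]"))
    return leaks

def sanitize_error(raw_body):
    """Reduce a leaked request-library error object to the two fields the user actually needs."""
    err = json.loads(raw_body) if isinstance(raw_body, str) else raw_body
    status = err.get("statusCode") or err.get("response", {}).get("statusCode") or 500
    upstream = err.get("error") or err.get("response", {}).get("body") or {}
    message = upstream.get("message") if isinstance(upstream, dict) else None
    return {"statusCode": int(status), "message": message or "Request failed"}

# Constructed sample shaped like the question's StatusCodeError; all values are placeholders.
SAMPLE_LEAK = {
    "name": "StatusCodeError", "statusCode": 409, "message": "409 - [object Object]",
    "error": {"status": "failure", "message": "Email already taken.", "code": 91},
    "options": {"uri": "http://localhost:1234/v3/users/settings/", "method": "POST",
                "headers": {"Authorization": "Bearer PLACEHOLDER_TOKEN", "Cookie": "session=PLACEHOLDER",
                            "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64)", "X-Real-Ip": "203.0.113.7"},
                "form": {"email": "user@example.invalid", "oauth_signature": "PLACEHOLDER"}},
    "response": {"statusCode": 409, "headers": {"server": "nginx"},
                 "request": {"uri": {"protocol": "http:", "hostname": "localhost", "port": "1234"}}},
}

if __name__ == "__main__":
    print("fields that must not reach the client:", find_leaks(SAMPLE_LEAK))
    print("what the server should have returned:", json.dumps(sanitize_error(SAMPLE_LEAK)))
```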
TFS 2013
Windows Server 2012
IIS 8.5
Application Request Routing (ARR)
I'm using ARR for a reverse proxy to reroute any requests for a URL on that server to the IP address that I have setup for TFS on that server.
Everything works great, except in Chrome (don't get to say that very often).
When browsing the web version of my TFS install and visiting a "Team Room", I get a SignalR error in the Chrome console:
403 (Forbidden: SignalR cross domain is disabled.)
The same link in FF and IE works fine. Also, if I visit the Team Room link directly via the TFS IP address (bypassing ARR), it works fine.
I've tried a bunch of different things to solve the issue.
Adding this header to the web.config for TFS
<add name="Access-Control-Allow-Origin" value="http://tfs.mydomain.com"/>
Setting the connection URL of the SignalR connection in JavaScript and using JSONP like so:
$.connection.hub.url = "http://my.ip.address:8080/tfs/signalr";
var options = { jsonp: true };
$.connection.hub.start(options);
I even tried another approach I found online which disabled the cache on ARR.
Many solutions out there say that I should enable cross domain requests for SignalR on the server, however since this is for a TFS install, I don't have the freedom to modify the binaries for TFS (as far as I know) and I wasn't able to find a way to do this on the client by looking at the SignalR API.
The only other answer I came across for this problem was that Chrome is bugged and not to use it (which is undesirable).
Does anybody know how I can use Chrome to access TFS team room functionality?
I don't know the answer, but I have the same problem and some information.
I used Fiddler to examine the HTTP request to see what was different between the requests sent from Chrome and from IE. Chrome sends an "origin" header along with the "referrer"; IE doesn't. I used Fiddler's Filter option to dynamically remove the "origin" header and Chrome works normally as long as Fiddler is capturing.
These are some of the headers sent from Chrome:
Origin: https://[domain]
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://[domain]/tfs/_rooms
Removing the "Origin" header in Fiddler's filters allows Chrome to work.
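What the 403 is checking, as an added example written for this thread (not SignalR's or TFS's own code): a Python reconstruction of an origin check that passes requests with no Origin header (IE here), compares Chrome's Origin against the scheme and Host the backend actually received, and therefore fails when the reverse proxy has rewritten Host to the TFS IP and port. Stripping Origin, as the Fiddler experiment does, removes the check rather than satisfying it; the header sets are constructed with the thread's placeholder hostnames, and the "fixed" case assumes the proxy forwards the original Host and sets X-Forwarded-Proto.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(scheme, netloc):
    """Canonical (scheme, host, port) so that 'https://x' and 'https://x:443' compare equal."""
    scheme, netloc = scheme.lower(), netloc.lower()
    host, _, port = netloc.rpartition(":") if ":" in netloc else (netloc, "", "")
    return scheme, host, int(port) if port else DEFAULT_PORTS.get(scheme)

def effective_scheme(headers, transport_scheme):
    """Scheme the browser used. X-Forwarded-Proto is trusted here on the assumption that the backend
    is reachable only through the proxy; a directly reachable backend must not honour it."""
    return headers.get("x-forwarded-proto", transport_scheme)

def is_cross_domain(headers, transport_scheme):
    """Shape of the check behind '403 Forbidden: SignalR cross domain is disabled': a request without
    an Origin header passes; otherwise Origin must equal the origin the backend reconstructs from the
    scheme it served and the Host header it received (header names lower-cased)."""
    origin = headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    own = normalize_origin(effective_scheme(headers, transport_scheme), headers["host"])
    return normalize_origin(parts.scheme, parts.netloc) != own

# Constructed header sets for the situations in the thread (hostnames are the thread's placeholders).
IE_VIA_ARR = {"host": "my.ip.address:8080"}                                           # IE sends no Origin
CHROME_DIRECT = {"origin": "http://my.ip.address:8080", "host": "my.ip.address:8080"}
CHROME_VIA_ARR = {"origin": "https://tfs.mydomain.com", "host": "my.ip.address:8080"}  # proxy rewrote Host
CHROME_VIA_ARR_FIXED = {"origin": "https://tfs.mydomain.com", "host": "tfs.mydomain.com",
                        "x-forwarded-proto": "https"}            # proxy keeps Host and states the scheme

if __name__ == "__main__":
    for name, hdrs in [("IE via ARR", IE_VIA_ARR), ("Chrome direct", CHROME_DIRECT),
                       ("Chrome via ARR", CHROME_VIA_ARR), ("Chrome via fixed ARR", CHROME_VIA_ARR_FIXED)]:
        print(f"{name}: {'403 cross-domain' if is_cross_domain(hdrs, 'http') else 'allowed'}")
```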
I followed the instructions from here to install a web socket Node.js server on my WXP.
I have a client and server written as follows: http://cjihrig.com/blog/creating-your-own-websocket-echo-client/ (ws_server.js)
Please let me know how I can make the web socket connection work.
When I run the client, the alerts displayed are as follows:
1. "Web sockets are supported"
2. "On Close : event / data :Undefined".
So how do I make Node.js work on Opera? It is working fine on Google Chrome.
I have enabled web sockets in the Opera config.
Thanks
Sneha
The current release version of Opera 12 is
Opera/9.80 (Macintosh; Intel Mac OS X 10.7.4; U; fr) Presto/2.10.289 Version/12.00
as you can see in the user agent string: Presto/2.10.289. The last version of WebSocket Protocol has been implemented in the CORE engine of Opera.
WebSocket API Update WebSocket implementation to RFC 6455
(Presto/2.11.337)
See: The WebSocket API
See: RFC 6455 - The WebSocket Protocol
But as you can see, that is in Presto/2.11.337, which is not yet available in Opera 12. It will be available in a future release.
According to the protocol support section, Opera uses the very old Hixie draft 76. Maybe when you use ws you will have more luck. Furthermore, I think you need a project which supports multiple transports (websockets/long polling etc.) like for example faye.js or socket.io.
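The version mismatch both answers describe, as an added example (not from the linked blog post, Opera or Node.js): a Python server-side classifier that tells an RFC 6455 client (Sec-WebSocket-Version: 13 and Sec-WebSocket-Key) from a Hixie draft-76 one (Sec-WebSocket-Key1/Key2) and answers 400 with the reason instead of just dropping the socket, which from the browser's side looks like an immediate close event. The sample handshakes are constructed; the RFC 6455 one reuses the client key from the RFC's own example, and the draft-76 8-byte challenge body is omitted.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455, section 1.3

def parse_headers(raw_request):
    """Lower-cased header dict from a handshake request (request line and any body dropped)."""
    lines = raw_request.decode("iso-8859-1").split("\r\n\r\n")[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines if ln)}

def classify_handshake(headers):
    """'rfc6455' (Sec-WebSocket-Version: 13 + Sec-WebSocket-Key), 'hixie76' (Sec-WebSocket-Key1/Key2,
    the draft the answers say Opera 12 still speaks) or 'unknown' (not a WebSocket upgrade at all)."""
    if headers.get("upgrade", "").lower() != "websocket":
        return "unknown"
    if "sec-websocket-key1" in headers and "sec-websocket-key2" in headers:
        return "hixie76"
    if headers.get("sec-websocket-version") == "13" and "sec-websocket-key" in headers:
        return "rfc6455"
    return "unknown"

def accept_key(sec_websocket_key):
    """RFC 6455 Sec-WebSocket-Accept = base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw_request):
    """101 for an RFC 6455 client; otherwise a 400 naming the dialect, so a server that only speaks
    RFC 6455 rejects a draft-76 client visibly instead of silently closing the connection."""
    headers = parse_headers(raw_request)
    kind = classify_handshake(headers)
    if kind != "rfc6455":
        body = ("unsupported websocket handshake: %s" % kind).encode()
        return (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s"
                % (len(body), body))
    return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
            b"Sec-WebSocket-Accept: %s\r\n\r\n" % accept_key(headers["sec-websocket-key"]).encode())

# Constructed handshakes: the first reuses the client key from RFC 6455's own example, the second has the
# draft-76 header shape (its 8-byte challenge body is omitted since only the headers are classified).
RFC6455_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
                   b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                   b"Origin: http://example.com\r\nSec-WebSocket-Version: 13\r\n\r\n")
HIXIE76_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: WebSocket\r\n"
                   b"Connection: Upgrade\r\nSec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
                   b"Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\nOrigin: http://example.com\r\n\r\n")
```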