0

So... had a bit of trouble logging in with IE11 (32 and 64 bit) on Windows 8.1 Pro. Even tried spoofing UAS and changing the compatibility modes.

There were no script errors, and the "information" in the console for FB and g+ are no different than the ones I safely ignore at work.

While it's still in its infancy, I figured I would give you a heads up. Consistently got a 500 response regardless of login method (facebook, linkedin, or usrnm/pw)

I had to download chrome just to login and post :-/

I'm guessing IE11's XSS checker or "safe browsing" settings are really going to be a headache in the near future...

Maybe I'm just unlucky :-/

0

I've been using IE11/Win8.1Pro for over a month, without a hitch. Only difference is that I do not use FB/G+ to login.

0

IE11 Via FB Login:

REQUEST HEADERS

Key Value
Request GET /members/authorize/facebook HTTP/1.1
Accept  text/html, application/xhtml+xml, */*
Referer http://www.daniweb.com/members/lost_password
Accept-Language en-US,en;q=0.5
User-Agent  Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
UA-CPU  AMD64
Accept-Encoding gzip, deflate
Host    www.daniweb.com
DNT 1
Connection  Keep-Alive
Cookie  __utma=77199232.1274735774.1386749453.1386749453.1386817892.2; __utmz=77199232.1386749453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-2017402461-1386749453013; __gads=ID=5432d9eabbd00e6b:T=1386742542:S=ALNI_MZV6wua-tP4PkLN1IXbt7A0KbXBQg; __utmb=77199232.9.8.1386817908800; __utmc=77199232; dani_session=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%3D; bsau=13867497783979781352; geolocation=US; OX_plg=swf|sl|shk|pm; referer=http%3A%2F%2Fwww.daniweb.com%2F

RESPONSE HEADERS:
Key Value
Response    HTTP/1.1 302 Found
Date    Thu, 12 Dec 2013 01:11:38 GMT
Server  Apache/2.2
X-Powered-By    PHP/5.3.10
Set-Cookie  csrf_cookie=b2bf8578da2f3ca4d67c39c547db84f5; expires=Thu, 12-Dec-2013 03:11:39 GMT; path=/; domain=www.daniweb.com
Set-Cookie  dani_session=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%3D; expires=Sat, 12-Dec-2015 01:11:39 GMT; path=/; domain=www.daniweb.com
Set-Cookie  dani_session=VmBbMFFiBj5WdVF9BmlRNlZmB24OdwN0VzJUJQEhWTFWZVAwBwxSb1JhUyBQbQBxA2FUOAViUj4BIwFhCmYANQs5C28AMgg5Bm4OYlEzBGVWMVtsUTUGMFZvUWwGYVE%2BVm8HMQ4wAzBXYVQ1ATZZYFY9UD0HNlJjUjFTIFBtAHEDYVQ6BWBSPgEjATsKIQBbC2oLbQA3CHsGPw5zUXYEclY6W3lRbQY1Vj1RNAZxUTBWZwd6DmcDNFduVHgBZVlvViRQbwdhUj9SJ1M5UCUAOANqVDsFalImAXQBIQo0AHYLVAtoADQIbAY0DnRRJwRrVnJbMFFgBjdWNFEsBh5RaFYsBz0OOQNrVzZUeQFnWXZWOlB%2BB3tSUVJsU2xQMgBtAyxUeAVwUkoBVQFyCmcAKgs4CzIAcwheBjMOblEzBGRWOlsqUS8GMlY6UTUGc1FTViQHPQ4xA2JXOVQiAX1Zb1YkUG4HaFImUndTdFBsADMDalQlBWBSLQEhAT4KOABvC24LKQAUCGwGOQ5rUWoEclY6W3lRbQY1Vj1RNAZxUWtWNwcnDiEDWFc2VDUBJlkxVnxQNwcnUn9SJ1M5UD8AOANqVDgFaFIyATkBYwphADILPgs5AGgIegZgDjlRPwRyVnRbeVEyBnZWUVFqBjJRc1Y3B3YObgN0V21UZgFoWXpWKFBlBy4%3D; expires=Sat, 12-Dec-2015 01:11:39 GMT; path=/; domain=www.daniweb.com
Location    https://www.facebook.com/dialog/oauth/?display=page&client_id=135220243179040&redirect_uri=http%3A%2F%2Fwww.daniweb.com%2Fmembers%2Fauthorize%2Ffacebook&state=b2bf8578da2f3ca4d67c39c547db84f5&scope=email,user_birthday
Keep-Alive  timeout=10, max=400
Connection  Keep-Alive
Content-Type    text/html; charset=UTF-8
Content-Length  20




HEADER FB OAUTH REQUEST:

Key Value
Request GET /dialog/oauth/?display=page&client_id=135220243179040&redirect_uri=http%3A%2F%2Fwww.daniweb.com%2Fmembers%2Fauthorize%2Ffacebook&state=b2bf8578da2f3ca4d67c39c547db84f5&scope=email,user_birthday HTTP/1.1
Accept  text/html, application/xhtml+xml, */*
Referer http://www.daniweb.com/members/lost_password
Accept-Language en-US,en;q=0.5
User-Agent  Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
UA-CPU  AMD64
Accept-Encoding gzip, deflate
Host    www.facebook.com
DNT 1
Connection  Keep-Alive
Cookie  datr=avqnUoS2fYcF2BUwKKDR3HCf; c_user=725937120; csm=2; fr=0UGtSwkBzfc9VIRgR.AWWnTkCarip5W3eLhIIna3ElGo0.BSp_qg.Ny.FKn.AWXG3R8b; lu=ggPj4xWfn0_C5EFK6XrFdpog; s=Aa5jC7kOnGM4UdHn.BSp_qg; xs=250%3AxEmX_rH7W7Gogw%3A2%3A1386740384%3A3281


FB OAUTH RESPONSE HEADERS:

Key Value
Response    HTTP/1.1 302
cache-control   private, no-cache, no-store, must-revalidate
content-length  0
content-type    text/html; charset=utf-8
date    Thu, 12 Dec 2013 01:11:39 GMT
expires Sat, 01 Jan 2000 00:00:00 GMT
location    http://www.daniweb.com/members/authorize/facebook?code=AQBPjzLAkRWAEmYVK12U7XxFUiH9rP8cd_oDw-2Y11ooK2nAlgjCU3grXygrkJXxkcI7evoMSQAf1zxOKysLfxJynaUtVirSiiB1lNVE8nz8Q2UfmddBkrGU3YtMVAT4xofGfkOIXj4g6_H0GrFItqzyOJk1PKNwQHnyYNMjRC2z-tWxFx42L0vwE2cDx5h8JdiFwvzYyLQcb0dZAIXsXuSYqx9KqQ-M9VwcMwSAIaJMg36Ld1lKVKKMEZ9wJ8Af5s0Y6kHW0rLIzPVOhVFZr35RpP_tAzmwZYtTPVu-UgSUI8a3ol6WJ-0P9Gh5jCWU1AY&state=b2bf8578da2f3ca4d67c39c547db84f5#_=_
pragma  no-cache
x-content-type-options  nosniff
x-frame-options DENY
x-xss-protection    0
x-fb-debug  lZnLGQ+5EwdhU8CTZZJVqXjtnY815szPID7brCoEYIs=

From there it's the lost PW page, and a series of 304s (cached css/js etc...) and a few akamai aborts from FB.

DW Login (modified for usr/pw):

REQUEST HEADER:
Key Value
Request POST /members/login HTTP/1.1
Accept  text/html, application/xhtml+xml, */*
Referer http://www.daniweb.com/members/join
Accept-Language en-US,en;q=0.5
User-Agent  Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type    application/x-www-form-urlencoded
UA-CPU  AMD64
Accept-Encoding gzip, deflate
Host    www.daniweb.com
Content-Length  143
DNT 1
Connection  Keep-Alive
Cache-Control   no-cache
Cookie  __utma=77199232.1274735774.1386749453.1386749453.1386817892.2; __utmz=77199232.1386749453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-2017402461-1386749453013; __gads=ID=5432d9eabbd00e6b:T=1386742542:S=ALNI_MZV6wua-tP4PkLN1IXbt7A0KbXBQg; __utmb=77199232.15.8.1386818357079; __utmc=77199232; dani_session=BzFWPV1uUmoFJlN%2FVDsEY1JiAmsLclcgC24AcQcnDmZWZQ5uAAsHOgY1VCcGOwR1WTtSPg9oAW0BI1AyCjQDMwI7CjgBMwpvVjMGMQhrBDIHM1ZiXWpSYQU%2BUzlUNgRjUmYCMAtjV2MLPwAzB2IOOlZoDmEAbAdiBjdUJwY7BHVZO1I8D2oBbQEjUGoKIQNYAmMKbAE2CnlWbwZ7CC8EcgdrVnRdYVJhBW5TNlQjBGVSYwJ%2FC2JXYAsyACwHYw44ViQOMQBmB2oGc1Q%2BBnMEPFkwUj0PYAF1AXRQcAo0A3UCXQppATUKblZkBnwIfgRrByNWPV1sUmMFZ1MuVEwEPVIoAjgLPFc%2FC2oALQdhDiFWOg4gAHwHBAY4VGsGZARpWXZSfg96ARkBVVAjCmcDKQIxCjMBcgpcVmMGZghqBGQHa1YnXSNSZgVpUzdUIQQGUiACOAs0VzYLZQB2B3sOOFYkDjAAbwdzBiNUcwY6BDdZMFIjD2oBfgEhUG8KOANsAmcKKAEVCm5WaQZjCDMEcgdrVnRdYVJhBW5TNlQjBD5SMwIiCyRXDAtqAGEHIA5mVnwOaQAgByoGc1Q%2BBmkEPFkwUj4PYgFhATlQMgpgAzYCMwowAWkKeFYwBjEIZgRyByVWdF0%2BUiIFAlNoVGAEJlIzAnMLa1cgCzEAMgduDi1WKA47ACk%3D; bsau=13867497783979781352; geolocation=US; OX_plg=swf|sl|shk|pm; referer=http%3A%2F%2Fwww.daniweb.com%2Fmembers%2Flost_password

REQUEST BODY:
csrf_token=a886a10dd5d4d0470c142dca2bd23dba&username=me&password=mypassword&referer=http%3A%2F%2Fwww.daniweb.com%2Fmembers%2Flost_password

RESPONSE HEADERS:

Key Value
Response    HTTP/1.1 500 Internal Server Error
Date    Thu, 12 Dec 2013 01:18:54 GMT
Server  Apache/2.2
X-Powered-By    PHP/5.3.10
Connection  close
Content-Type    text/html; charset=UTF-8
Content-Length  983

Response body is the "oops" page...

That is followed by a series of 304s.

LinkedIn Login gets a similar result as FB.

If there is a specific header/body that I missed please let me know.

Right now, my workaround is to use chrome. Not terrible. But, as I said, a heads up. If you have access to the host and can check the logs, if I am sending something funky on my end and you see it I would love to know. Otherwise, I'll keep trying different configs in IE and see if it is a browser setting :-/

Thanks :)

0

You're arriving at the lost password page because Facebook, etc. is not able to authenticate you or allow you to give proper OAuth authorization for some reason.

However, it's definitely an issue that you're getting a 500 error on our end. I'll look into it.

0

What's weird about it, though, is that the "Like" button works just fine, and the JS api keeps track just fine... LinkedIn also bombs out just as hard as FB for me on OAuth. I can only assume it's some kind of XSS prevention that I just don't see :-/ Either that, or maybe I need to remove the app from FB and try again fresh?

0

Same response.

Key Value
Content-Type    text/html; charset=UTF-8
Date    Sat, 14 Dec 2013 09:13:23 GMT
X-Powered-By    PHP/5.3.10
Response    HTTP/1.1 500 Internal Server Error
Connection  close
Server  Apache/2.2
Content-Length  984

I'll try a few different settings tomorrow (XSS/Cookie setting/etc) and see if it will make a difference.

I'm curious to know what is causing the Server Error... if I knew what was the problem (even if it's just the field that I'm sending, or whatever it is that's being rejected) I can start to figure out where it's going wrong :-/

0

So it seems that during my upgrade from Win7 to 8.1, my timezone got set to Pacific. This, of course, would probably destroy any time based encryption (or ssl / handshake / cookie setting) simply because it would be out of sync.

Further, when I changed it to my local time zone, it happily gave me a +x hrs thinking I was simply changing time zones.

The solution:

Change to proper time zone, resync with time.windows.com, clear cache and login again.

I apologize for the error on my end. It was an oversight due to... well... ignorance I guess.

Thanks for looking into it :)

Ryan

0

The 500 error was due to corrupt cookies, I was aware of that much. What I tried on my end (which unfortunately didn't work) was to attempt to clear the session data (which SHOULD have cleared the cookie) whenever a login fails.

Did you clear the browser CACHE or forcibly clear your cookies?? I'm still trying to figure out why it isn't degrading nicely when cookies are corrupt instead of giving a 500 error.

0

Prior to figuring out the clock was out of sync, I was just using the clear cache of the browser.

Post, I cleared and deleted everything.

I'm guessing what happened is your session was getting very out of date ranges, and with whatever hashing you are using, or possibly an expected result from a DB call, you were getting a null or zero where one was not expected.

If you would like, I can try to futz up the system clock again and try to replicate the issue. However, without logging on your end I doubt it will be any good to you.

However you would like me to help, I am always open to solving an interesting problem :)

0

If you would like, I can try to futz up the system clock again and try to replicate the issue. However, without logging on your end I doubt it will be any good to you.

That would be fabulous!! I have logging set up now. Is it possible the cookie exceeded the 4KB max size?
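
An added example, not part of the thread and not DaniWeb's code: one way a login handler can reject an oversized, corrupt or out-of-range session cookie and expire it instead of answering 500, which is the behaviour asked about in the two posts above. The cookie layout (base64url JSON plus an HMAC), the key, the limits and every name except `dani_session` are assumptions, since the thread never shows the site's session code.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import unquote

MAX_COOKIE_BYTES = 4096          # the 4KB per-cookie limit raised in the thread
MAX_AGE = 2 * 365 * 24 * 3600    # assumed lifetime (the dump shows a two-year expires)
SKEW = 300                       # assumed tolerance for issue times in the future
KEY = b"constructed-demo-key"    # placeholder secret, constructed for this example

def issue(data, now):
    """Build a signed value: base64url(JSON) + '.' + hex HMAC-SHA256 (assumed format)."""
    body = base64.urlsafe_b64encode(json.dumps({"iat": int(now), "data": data}).encode())
    mac = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac

def load_session(raw, now=None):
    """Return (session_or_None, reason); a bad cookie never raises."""
    now = time.time() if now is None else now
    if not raw:
        return None, "absent"
    if len(raw) > MAX_COOKIE_BYTES:
        return None, "oversized"
    try:
        body, mac = unquote(raw).rsplit(".", 1)
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return None, "bad-signature"
        payload = json.loads(base64.urlsafe_b64decode(body))
        age, data = now - int(payload["iat"]), payload["data"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if age < -SKEW or age > MAX_AGE:
        return None, "stale-or-future"
    return data, "ok"

def handle_login_request(raw_cookie, now=None):
    """Turn any cookie failure into a redirect that expires the bad cookie."""
    session, reason = load_session(raw_cookie, now)
    if session is None and reason != "absent":
        # The reason goes to the server log; the browser is told to drop the cookie.
        headers = {"Set-Cookie": "dani_session=; Max-Age=0; path=/", "Location": "/members/login"}
        return 302, headers, reason
    return 200, {}, reason
```

The `reason` string is what a server-side log would record for each rejected cookie, so a repeat of the failure can be told apart by cause.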

0

Tried fudging the clock settings again. I got a 302 this time. So.. either what you did worked, or I cannot replicate it any longer since I "fixed" the problem on the OS, and it is now more aware of itself...

I don't know if you had a buffer overflow... it depends on what you are doing with the data... it looks like you are making a hash of a few things, but what data you are tracking using the session is not for me to know (or, quite frankly, care about).

Sorry for raising a red-herring of sorts... at least now if anyone else has trouble you can see from your logs what caused it. I'm guessing as more people start upgrading you may get a few more.

Thanks for looking into it :)

0

I'll be on the lookout for more 500 errors. Hopefully my logging works now and I'll be able to catch them. After the 302, did it successfully log you in or redirect you to the lost password page?
