BIG problem in 2.3.8.1 in extensionless page mode

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
2/29/2012 10:20:55 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

BIG problem in 2.3.8.1 in extensionless page mode

Hi Joe

We have found what we think may be a show-stopping bug in 2.3.8.1 that we have replicated on two sites.

If the site is in extensionless page name mode, and you create a new page, the new pages do not respect your login - they think you are not authenticated.

Nothing appears in the error log.

To make this even worse, if you have set up such a page as being visible only to authenticated users, visiting it goes into an infinite redirect loop, because the page redirects you to the sign in page, which in turn redirects you back to the returnURL because it knows you are already authenticated.

We've had to switch to .aspx page names, but would be grateful for a fix for this. I don't think it can be anything we've done, because we have replicated on two separate sites. However these are running on the same physical server.

mojoPortal Version                                2.3.8.1                MSSQL           

Operating System                Microsoft Windows NT 6.0.6002 Service Pack 2

ASP.NET Info                v4.0.30319 Running in Full Trust

 

2/29/2012 10:34:44 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: BIG problem in 2.3.8.1 in extensionless page mode

It is not a bug and there is no error happening so no error is logged.

There was an intended change in the way we use SSL as of verison 2.3.7.6, discussed in the article Use SSL.

If you have it configured as we recommend so that no cookies are passed unless using SSL, then what happens is if you are redirected or click a link that takes you out of ssl the cookies are not passed and therefore you do not appear to be logged in. But no code in mojoPortal should be redirecting you out of ssl after creating a page. If there are steps to produce that I would investigate it as a bug. But if you are creating links with the http rather than relative urls or https and clicking those links then it will appear as if you are not logged in on those insecure requests. Clicking the sign in linlk takes you back to a secure page thus the cookies are passed again and you then apprear to be already logged in.

The changes in mojoPortal are designed to keep a user in SSL for the remainder of his browsing session after signing in, but if you have links in content that are not relative and just use http then you may find yourself not in SSL and not appearing to be logged in. You could remove the web.config setting and then cookies will be passed even when you are not in SSL so there will be no case where you don't appear to be logged in but if you do that there is some risk of cookie hijacking on public wifi networks.

Another option is to check the box to Require SSL on all pages in site settings. Then even if you do click a link that has http it should redirect to https.

Hope that helps,

Joe

2/29/2012 10:39:22 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: BIG problem in 2.3.8.1 in extensionless page mode

Hi Joe - I may be misunderstanding, but there is no SSL involved in either site. Also the problem only occurs when page naming is extensionless - the same sites behave normally when pages are names *.aspx

2/29/2012 10:42:33 AM
Jamie E
Gravatar
Total Posts 1203
View Posts
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: BIG problem in 2.3.8.1 in extensionless page mode

Hi Crispin, I just tested your scenario on the mojoPortal demo site, which is configured for extentionless URLs, and it's working as expected, so you may have a misconfiguration somewhere in your settings that's causing this.

2/29/2012 10:48:37 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: BIG problem in 2.3.8.1 in extensionless page mode

OK I see this could be a config issue, and pointers re what to look for would be gratefully received! - but if it is, the bad config maybe be coming down with the upgrade, because the two sites with the problem have both got shiny new web.configs from the download (full trust version).

Also I see the demo site is using SSL - my sites are not.   Maybe they should be - I'll follow that up in due course, but I'd still like to know what is wrong here.

2/29/2012 10:50:46 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: BIG problem in 2.3.8.1 in extensionless page mode

Extensionless urls are only going to work with an IIS 7.x Integrated App pool, it won't work correctly in Classic or in IIS 6.

It "should" work with only preCondition="" on

<modules>

<add name="mojoUrlRewriter" type="mojoPortal.Web.UrlRewriter, mojoPortal.Web" preCondition=""/>

<add name="AuthHandlerHttpModule" type="mojoPortal.Web.AuthHandlerHttpModule, mojoPortal.Web" preCondition=""/>

but if it doesn't work correctly for you then you may need to change from

<modules>

to

<modules runAllManagedModulesForAllRequests="true">

Hope that helps,

Joe

2/29/2012 10:52:12 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: BIG problem in 2.3.8.1 in extensionless page mode

I have that setup correctly Joe - the sites were working fine with extensionless URLs until the 2.3.8.1 upgrade.

2/29/2012 11:01:42 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: BIG problem in 2.3.8.1 in extensionless page mode

The only thing that changed in that regard is in version 2.3.7.6 we had by default:

<modules runAllManagedModulesForAllRequests="true">

in 2.3.8.1 we changed it to just

<modules>

because it was found that preCondition="" was sufficient to make extensionless urls work.

neither of these changes is related to authentication. The only change related ot that has to do with SSL.

I'm sorry you are having this problem but I don't believe it was caused by the upgrade. It is not a reproducable problem on my end and no one else has reported it which makes me believe it is something with your IIS configuration.

Best,

Joe

2/29/2012 11:52:08 AM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: BIG problem in 2.3.8.1 in extensionless page mode

Thanks Joe, I can confirm that the issue is fixed by reverting web.config to include

<modules runAllManagedModulesForAllRequests="true">

So I fear this is likely to catch out other users.  I don't think there is anything unusual about our IIS, but if there's anything you'd like me to check, I will.

2/29/2012 2:14:30 PM
Crispin
Gravatar
Total Posts 537
View Posts
feet planted firmly on the ground

Re: BIG problem in 2.3.8.1 in extensionless page mode

I'd be very interested to hear whether you can (or not) reproduce this problem in a site with no SSL, extensionless page names, and <modules> in web.config?  When I get time, I'll test this on an Arvixe-hosted site.

2/29/2012 2:27:19 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: BIG problem in 2.3.8.1 in extensionless page mode

I cannot produce it on my local machine nor on my server but if some environments need that then we know what to tell people if they have any trouble and the documentation for extensionless urls mentions it and comments in Web.config say it "might" be needed for extensionless urls.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.