
Microsoft Edge and forgotten password failure

Open LeePorte opened this issue 5 years ago • 7 comments

What version of UAA are you running?

4.35

How are you deploying the UAA?

I am deploying the UAA

  • using cf-deployment

What did you do?

Triggered the forgotten password flow by using the link on UAA. This was then opened by Microsoft Edge (system default browser). This loads the password reset page as expected.

What did you expect to see? What goal are you trying to achieve with the UAA?

I expected to see that the password which met the complexity requirements was accepted.

What did you see instead?

The following error message

There is a problem “Invalid login attempt, the request does not meet our security standards and may indicate that the action was not originated by you. Please try again.”

Additional info

We have no issues with Chrome, Firefox, Safari. Just with Edge. Unfortunately some of our users are on Enterprise managed Windows estates and are unable to change browsers. Once the password has been reset normal functionality continues with Edge.

LeePorte avatar Aug 02 '19 11:08 LeePorte

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/167668383

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Aug 02 '19 11:08 cf-gitbot

We have had a further report from a user trying to log in:

When trying to log in using a corporate device from Edge I'm getting the message below. I'm unable to log in to the PaaS.

There is a problem 
Invalid login attempt, the request does not meet our security standards and may indicate that the action was not originated by you. Please try again.

OS - Windows 10 Enterprise 1809 
Browser - Edge 44.17763.1.0

LeePorte avatar Sep 20 '19 07:09 LeePorte

Hi,

Can you check in the console? Usually this is related to an expired session cookie. Do you see anything in the console?

Regards,

Martijn


mwdb avatar Sep 20 '19 08:09 mwdb

Hi Martijn,

I assume you mean the browser console, is this correct?

Thanks

Lee

LeePorte avatar Sep 20 '19 09:09 LeePorte

Hi Martijn,

There is nothing related to a session cookie in the console, only a minor CSS error.

Thanks

Lee

LeePorte avatar Sep 23 '19 14:09 LeePorte

o/

We did some investigation to establish what the problem is and how we can fix it for our valued users, and I'd like to give a bit of an update on this issue.

The actual issue here is that UAA always returns a 302 with Location: /login instead of, for instance, a 404.

It was a little bit of a red herring, as in our case it is only visible on Microsoft Edge and Internet Explorer.

Here's what's happening:

  • The user visits a page served by UAA (say /login, or /accept/invitation - anything that returns a form)
  • The page contains an SVG, with an image fallback
  • Most browsers are happy with the SVG and don't request the image, but IE / Edge quirkily request both
  • The path to the image is wrong, but because the user is not logged in it returns a 302 to /login instead of a 404
  • The browser follows the 302 redirect, now looking for the image at /login
  • Because the response for /login is a form, it has a Set-Cookie header that overwrites the csrf token for the form the user is actually looking at.
  • When the user submits the form, the token in the HTML doesn't match the token in their cookie, so their request is denied.

More details: https://github.com/alphagov/paas-uaa-customized-boshrelease/pull/14

paroxp avatar Nov 08 '19 13:11 paroxp
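The sequence paroxp describes, modelled as an added example (not UAA code or code from the linked PR): a constructed server that issues a fresh CSRF token on every form page, a browser cookie jar, and a flag that switches unknown paths between the reported 302-to-/login behaviour and a plain 404. Paths, function names and the token scheme are assumptions.

```python
import secrets

# Constructed model of the flow in the thread, not the real UAA. Form pages
# issue a fresh CSRF token and store it in a cookie; the browser has one jar.
FORM_PATHS = {"/login", "/accept/invitation"}


def serve(path, authenticated, redirect_unknown_to_login):
    """Return (status, headers, form_token) for one request."""
    if path in FORM_PATHS:
        token = secrets.token_hex(8)
        return 200, {"Set-Cookie": f"csrf={token}"}, token
    if not authenticated and redirect_unknown_to_login:
        # Behaviour reported in the issue: unknown path -> 302 to /login
        return 302, {"Location": "/login"}, None
    return 404, {}, None  # the fix: a missing asset is simply missing


def browser_get(jar, path, redirect_unknown_to_login):
    """Fetch a path, apply any Set-Cookie to the jar, follow 302s."""
    status, headers, token = serve(path, False, redirect_unknown_to_login)
    if "Set-Cookie" in headers:
        name, value = headers["Set-Cookie"].split("=", 1)
        jar[name] = value  # overwrites any earlier csrf cookie
    if status == 302:
        return browser_get(jar, headers["Location"], redirect_unknown_to_login)
    return status, token


def submit_form(jar, form_token):
    """Server-side CSRF check: token in the posted form must match the cookie."""
    return jar.get("csrf") == form_token


def password_reset_flow(redirect_unknown_to_login, browser_requests_fallback_image):
    """Load the form, optionally fetch the broken <img> fallback, then submit.

    Returns True when the submission passes the CSRF check."""
    jar = {}
    _, form_token = browser_get(jar, "/accept/invitation", redirect_unknown_to_login)
    if browser_requests_fallback_image:
        # IE/Edge also fetch the image fallback for the SVG; its path is wrong.
        browser_get(jar, "/resources/missing-fallback.png", redirect_unknown_to_login)
    return submit_form(jar, form_token)
```

`password_reset_flow(True, True)` reproduces the Edge failure (the redirect to /login rotates the cookie under the open form), while `password_reset_flow(False, True)` shows that returning 404 for the missing asset leaves the token intact.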

@paroxp can you please provide a PR to this repo

strehle avatar Jan 20 '22 08:01 strehle