Browsers (Edge, Firefox, Chrome) redirecting after 6 minutes for a "303 See Other" request

Use Case: My web application should redirect the user to a 401 Lockedout html page if the user exceeds maximum (5) login attempts.

Issue: Once all the login attempts are exhausted, the page is redirecting after 6 minutes instead of redirecting immediately. This is observed in all the browsers.

How it's done: I am using jQuery to send an Ajax POST call to login.

  1. User enters wrong password and clicks login button. The page shows invalid password for the first 4 attempts.
  2. On the 5th attempt, the backend code (cgi) responds back with HTTP status code "303 See Other" with URL: "/restarting/"
  3. We have built a LigHTTPd plugin called mod_access. The plugin's job is to check and return a "303 See Other" code with URL: "/errors/en/401lockedout.html" page as response after the 5 failed attempts if the user requests any other page (e.g. Home page). So, when the browser calls the /restarting/ URL, the mod_access plugin will see it as an unauthorized request and send a 303 back.

Environment and programming languages: LigHTTPd web server, HTML, jQuery, C++

Server Log Analysis: (I am skipping the requests for the first 4 attempts as 5th attempt is of importance here)

5th Login request:

1980-01-06 02:50:12: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 666 \nPOST /submitLogin/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 123\r\nAccept: application/json, text/javascript, / ; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nOrigin: http://localhost\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n

The CGI application reverted back with "303 See Other" with Location /restarting/

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: /restarting/\r\nConnection: close\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Length: 992\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11

The browser sent a GET request for /restarting/ page

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 551 \nGET /restarting/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, / ; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n

The mod_access blocked the request and sent another "303 See Other" with Location: http://localhost/errors/en/401lockedout.html

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.125) lockedout reformed as /errors/en/401lockedout.html

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.322) Blocked URI: /cgi/ui.cgi

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.323) Redirecting to lockedout page http://localhost/errors/en/401lockedout.html

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: http://localhost/errors/en/401lockedout.html\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nTransfer-Encoding: chunked\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n

No requests are received by the server (from the browser developer tools) and the browser did not send a GET request for the 401lockedout.html page.

After 6 minutes, the server received a request from the browser for the lockedout page.

1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 646 \n GET /errors/en/401lockedout.html HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, / ; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\nIf-None-Match: "1764933797"\r\nIf-Modified-Since: Fri, 16 Dec 2022 08:20:12 GMT\r\n\r\n

1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nETag: "1764933797"\r\nLast-Modified: Fri, 16 Dec 2022 08:20:12 GMT\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nDate: Sun, 06 Jan 1980 02:56:14 GMT\r\nServer: XYZ\r\n\r\n

Here is the snip from the browser developer tools: [image: browser network calls]

This used to be working earlier but not working now.

I tried to find the root cause and fix it but was not able to. Any pointers would certainly help me fix this issue.

We have built a LigHTTPd plugin called mod_access.

Are you saying that you have a custom plugin with the same name as a lighttpd plugin (mod_access)?

Aside: mod_magnet and a few lines of custom lua code will likely be simpler, more portable, and possibly even faster than your custom C++.

In the case of your custom plugin, you are very likely not properly ending the response for lighttpd internals, and so lighttpd is likely flushing the response when the default write idle timeout of 6 minutes expires and the connection is closed. Transfer-Encoding: chunked\r\n in the response from lighttpd for your mod_access handler tells me that you probably did not tell lighttpd internals that the response was finished (r->resp_body_finished = 1).

(../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11

It also appears that your CGI is crashing. Signal 11 is SIGSEGV on Linux.

Aside: Please review why you have written a custom C++ plugin when you could have handled your authentication policy in the CGI. For proper security, you ought to handle the authentication policy in one place, anyway, as part of ensuring that the policy is enforced.

PS the official name of the server is and has always been "lighttpd"; never "LigHTTPd".
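
Added example (not part of the original question or answer, and not lighttpd code): a small Python triage script that applies the answer's inference to the Response-Header entries from the question's log. It flags redirects whose end is signalled only by a later chunk terminator or connection close. The function names are hypothetical and the check is a heuristic.

```python
import re

# Response-Header entries copied from the question's lighttpd debug log
# (each header block is logged on one line with literal \r\n escapes).
SAMPLE_LOG = r"""
1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: /restarting/\r\nConnection: close\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Length: 992\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n
1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: http://localhost/errors/en/401lockedout.html\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nTransfer-Encoding: chunked\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n
1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nETag: "1764933797"\r\nLast-Modified: Fri, 16 Dec 2022 08:20:12 GMT\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nDate: Sun, 06 Jan 1980 02:56:14 GMT\r\nServer: XYZ\r\n\r\n
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \([^)]*\) Response-Header: (.*)$")

def parse_response(raw):
    """Turn the escaped header block into (status, {lowercased-name: value})."""
    text = raw.replace("\\r\\n", "\n").replace("\\n", "\n")
    lines = [ln for ln in text.split("\n") if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def framing(status, headers):
    """How the client learns the response has ended (RFC 9112, section 6.3)."""
    if status in (204, 304) or 100 <= status < 200:
        return "no-body"
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"          # ends only when the zero-length chunk arrives
    if "content-length" in headers:
        return "content-length"
    return "until-close"          # ends only when the server closes the socket

def find_open_ended_redirects(log_text):
    """Heuristic: redirects whose end depends on a later terminator or close."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        status, headers = parse_response(m.group(2))
        how = framing(status, headers)
        if 300 <= status < 400 and how in ("chunked", "until-close"):
            findings.append((m.group(1), status, headers.get("location"), how))
    return findings

if __name__ == "__main__":
    for finding in find_open_ended_redirects(SAMPLE_LOG):
        print(finding)
```

Only the mod_access redirect is reported: the CGI's 303 carries Content-Length and the 304 has no body, so neither depends on a later terminator.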
