Chrome is eating my session varibles (or how a Favicon saved the day)

Have had an interesting problem with the latest version of Google Chrome and a classic ASP site that I am responsible for.

The site uses session variables to control the authentication of logged in users. These are compared against a backend database to ensure that the logged in user is still authenticated while they move around the site.

I had a report from one of our external customers bemoaning the fact that we were not allowing Chrome to navigate the site, they could log in correctly and arrive on the landing page but as soon as they tried to move to any of the other authenticated pages they would be logged out.

I tried to replicate the problem on the internal test site but could not. Looking at it the differences between the two they were that the external site was secured (SSL Certificate) and being published through ISA 2006.

I created a new site (by copying the live site in IIS) and created a rule for access through the ISA server (purchasing certificate from Digicert - best certificate provider around).

AND IT WORKED. Wahoo, so the problem must be in the ISA Rule/IIS/Certificate (as these are the only things that are different).

I then spent the next day comparing the two sites (Live and Dev). Unfortunately I could find no differences at all. The rules in ISA are identical; the IIS settings are exactly the same. I rekeyed the SSL certificate so it was created from the same IIS configuration but I could not get the original site to work.

I started to look at the live site in more detail, the return code from the logout is a querystring that showed that the error was that the username or password was incorrect. I didn’t have a reason to put the site into maintenance and block customers out of the system as it was “only” Chrome users who were affected, therefore the debugging had to be done live. To do so I added a couple of lines to the ASP to show the variables:

if Request.ServerVariables("REMOTE_ADDR") = "MYEXTERNALIP" then
response.Write("." & Request.ServerVariables("REMOTE_ADDR") & "
" & session("Username") & "
" & session.SessionID)
end if

This showed that all was correct and the logouts were only happening after the next click within the site. I then had to put some error trapping into the head of the page so on the next click I could see what variables we had:

if objRS.eof = true then
objRs.Close
Set objRs = nothing
objConn.Close
Set objConn = nothing
if Request.ServerVariables("REMOTE_ADDR") = " MYEXTERNALIP " then
response.Redirect("/debugpage.asp")
else
response.Redirect("/index.asp?Error=2")
end if
end if

My debugpage.asp had the following in it:
response.Write("." & Request.ServerVariables("REMOTE_ADDR") & "
" & session("Username") & "
" & session.SessionID)


Strangely the output on this had:
IPAddress
blankline
SessionID

So something was eating the session("Username") variable…..

Looking through the code there didn’t seem to be anything that would be removing the variable, I stepped through the code line by line on paper and could not see anything that would be removing the variable, the only sessions.abandon was in the logout, index landing page and the global.asa PLUS the other session variables were not getting cleared either (and this was getting away from the fact it was ONLY happening on Chrome).

I next fired up a test laptop and downloaded a copy of fiddler2. I put it onto a test laptop as I needed to decrypt and inspect HTTPS sessions, to do this in Fiddler2 you have to add a certificate to the local store and its recommended that you only ever install the HTTPS monitoring on a test machine.

Once I started to look at the output I saw the following:


This showed that there was a 302 response when trying to get to favicon.ico (line 91)……. Hummm, I don’t have a favicon so why was it redirecting?

AND HANG ON, what’s that on line 93? Why is the Secure URL turning up when I’m browsing the Dev site…… Suddenly a light bulb went off in my head. Scroll back to how I created the Dev site (hint ….. the IIS settings are exactly the same……).

The Dev site was a copy of the secure files, that includes the Web.config. Web.config contains the error page redirections:


So what was happening then?
  1. Customer enters Dev site
  2. Chrome (for some reason) demands favicon file
  3. IIS can’t find favicon so issues a 302 redirect to a 404 page
  4. Cusomised ASP page which includes the following code: session("Username ") = ""
  5. As customer is on Dev site the session variable is NOT cleared (it’s the wrong domain) But if the user is on the Secure site then the code will execute correctly and clear the variable.

So, what the hell does this all mean?
For some reason the latest version of Chrome insists on trying to download favicon.ico, as this doesn’t exist a 404 is generated on the server and *if* you have some code to trap 404’s then it will execute.

The lesson:
When copying websites carefully look at your web.config and put a favicon.ico on the root of your websites so that Chrome doesn’t put a whole load of 404’s into your weblogs (or worse stops the customers from using your site).

Global Address List not up to date

First Check Outlook Web Access as this will always be up to date. If the staff members are missing from OWA then this is a different problem.



If the staff members are in OWA try a manual download

Outlook > Tools > Send/Receive > Download Address Book

Uncheck Download changes since last Send/Receive > OK



If this fails then repair the Outlook Profile:

Outlook > Account Settings > repair > Next

If the wizard reports that Outlook need to be restarted then restart Outlook and retry the manual download above



If the manual download fails start Services.msc (elevated/run as end user is logged in)

Check that:



* Automatic Updates

* Background Intelligent transfer Service



are both set to Automatic and are started.

If not, make those changes.



Return to Outlook and try the manual download again.

Dynamic Distribution Group – Opposites are good too!

Have hit an interesting error in Exchange 2007.

We have a Dynamic Distribution Group (DDG)that sends to all staff (Lets call is “Email All Staff”).

Originally the script was as follows:

Set-DynamicDistributionGroup "Email All Staff" -RecipientFilter{ Company -eq "Our Company Name" } –RecipientContainer "AD.Root.Node"

Which took everyone who had an email address and sent the email to them

When users leave our employment we change their account password and hide them from our address list before deleting them, the rational being that we can then share the mailbox to someone to dredge through for anything important and they can monitor any external email for the 1st month after they leave.

The problem is that any email that gets sent to the “Email All Staff” DDG gets evaluated and sent to the hidden users too.

Ahhh I though, if I have the script do the following:

Set-DynamicDistributionGroup "Email All Staff" -RecipientFilter{ -not(HiddenFromAddressListsEnabled -eq $false) -and(Company -eq "Our Company Name" )} –RecipientContainer "AD.Root.Node"

then it will only send to mailboxes that have not got the hidden attribute set.

I was thus happy that I’d solved a little problem and would help our end users by them not getting additional email that was not relevant.



A support call drops into my queue say that an email to “Email All Staff” has not been delivered to any recipients.

Humm, lets investigate

Looking at the properties of the DDG (Exchange Management Console > Recipient Configuration > Distribution Group > Open “Email All Staff” > Filter Tab > Preview)



You can see all the mailboxes who don’t have the “Hide from Exchange address lists” checked are shown.

So all seems fine with the DDG so lets investigate the email.

I fire up the Exchange Message Tracking tool (Exchange Management Console > Toolbox > Message Tracking) and drill down to the message.



Looking at the screen shot above you can see that the email expanded and delivered to only three recipients – “Richard, Ann and Simon”

Looking at the properties of these mailboxes you can see that they are all Hidden from the address book – The exact opposite of what the script and the Exchange Management Console says……



After 3 hours on the phone Microsoft want use to upgrade to the latest Service Pack and retest. I’ll update when I have more information……

Free iPhone game from RBS

Ahhh RBS, Royal Bank of Scotland. How us tax payers loved bailing you out so it's nice to see you repaying some of this love by giving away free iPhone games.



Yea, I know. Free iPhone games.

Emma for some reason wanted to download Wheres Wally from the iPhone. She still wanted it after seeing that it would cost a whole 59 pence. What can I say. She likes hunting for the little guy (!)

So she pays her money and takes her choice.

Around a month later her credit card statement turns up from RBS. The only purchase that month was against her iTunes account and underneath it a credit line of 59 pence with the title "small balance write off". So thanks tax pagers of England. You have paid for Em's purchase. Next month we are going to see if they will do the same for a 99 pence game.......

Turning £1 into £100

Have had notification from Blue Square that they have released a Web App for the iPhone. I'm not a big gambler in any way but thought that I would try an experiment.

So, is it possible to turn £1 into £100 by making bets based on nothing but the odds. As any who knows me will say that I know nothing about football so obviously that's where my first bet will be.





Why do I have £1 in my account and also for that matter a BlueSq account if I'm not a gambler then?
Well, when I saw Barrack Obama on the campaign to be selected I put some money on him becoming the next president of the USA hence the account. And the £1 is from a bet on Norwich to win against Leeds. I withdrew the rest of the winnings with the quid remaining for this experiment.

DPM 2007 Publish via RDP

Have been on the Managing Microsoft System Center Data Protection Manager 2007 course at QA in London for the last week.

One of the annoyances is that in DPM 2007 and 2010 you cannot install the GUI onto your own workstation and as such you'll have to always connect to the server to run the software (unless you are a Powershell Guru).

David Allen has published how to conenct using RDP and remote app but his is shwoing how to do it via 2008 TS, if you are on 2003 try the following:

  • On your DPM server right click My Computer > Properties > Remote.
  • Click Enable Remote Desktop and select the users you want to have access.
  • On the client computer Start > Run > mstsc > OK
  • Click the Programs tab
  • Tick Start the following program on connection
  • Program path and file name is:
c:\Windows\System32\mmc.exe "c:\program files\microsoft dpm\dpm\bin\microsoft system center data protection manager 2007.msc"

(note the speech marks around the second part).
  • Change the local resources that you want (screen size/colour depth etc)
  • Then save the resulting RDP file into your start menu.

And as Gorden Ramsey would say:
DONE

ISA change from Edge Firewall to 3 Leg

So this is one of the things that I've had to work on over the last few days.

The easiest way is to follow the infomation from Bret Fisher's Blog - fishbrains

Some gotchas though are:

  • VPN Configuration gets blown away, make a note (print screen is your friend) and reapply after.
  • The bitmap image of the network will be wrong. To fix this in the XML before importing search for msFPCNetworkTemplate and amend the next GUID from "{e826736f-262a-47af-8871-980561676073}" to "{9be6f18a-57ad-4cea-b924-2cfedfef3799}"

    The full list of template GUIDS are:
    EDGE "{e826736f-262a-47af-8871-980561676073}"
    THREE LEG "{9be6f18a-57ad-4cea-b924-2cfedfef3799}"
    FRONT FIREWALL "{2EF25ED2-C029-4a5b-B274-590B9953F2F5}"
    BACK FIREWALL"{1C02D67F-7CF6-429c-9B46-B7805FCCED41}"
    SINGLE NIC "{2C02D67F-7CF6-429c-9B46-B7805FCCED42}"