Persistent 'your login expired' errors

Peter Leleulya

Posted on 04/03/2020 08:34:48

Hi guys,

You probably all know the butt ugly 400 bad request 'login token invalid' error with the 'session expiration' prompt when you try to login ...
Normaly I redo my login, which is anoying on it's own, but hey ... then it works ...

But since this week I have issues that the error repeats itself upto a point when I have to wait a few minites due to too many login attempts.
It doesn't seem to matter which browser I take, if it has cookies cleared, if it is private mode, it keeps giving this error over and over on login.

And then ..... all of a sudden it works again, no idea why - i didn't change a thing.
But I've been trying for 10 mins+ ...

Does anyone have also had this experience and does anyone know what to do about it?
Because this is unworkable ...

Replies

Morten Bengtson

Posted on 04/03/2020 08:53:25

Hi Peter,

Which version of Dynamicweb is this?

There was some issues with the CSRF checks at some point, but I haven't seen these errors for a long time.

/Morten

Morten Bengtson

Posted on 04/03/2020 09:03:09

The error should only occur if your session ends between loading the login screen and submitting the credentials.

Is this a local installation used for development? Maybe it restarts often and the sessions are killed?

Try reloading the login page right before you log in.

/Morten

Nicolai Pedersen

Posted on 04/03/2020 09:20:37

Hi Peter (and morten)

The reason you see the error is beause your login attempt fails a security check that prevents a number of methods to try to brute force the backend login. So doing this CSRF check is a security measurement. The error will occur if you do a rebuild, iisreset, pool recycle or wait too long to login after you have accessed the login screen.

@Morten - you do not see that screen anymore on rebuild since I have disabled the check on our development branches :-).

Maybe it will be possible to do something with this check so you will not see this too often when doing local builds. I have noted it down as a 'pain in the ass'.

BR Nicolai

Peter Leleulya

Posted on 04/03/2020 10:46:08

Can you skip that check on systems running development license? Or is that a security risk?

Nicolai Pedersen

Posted on 04/03/2020 10:57:14

Hi Peter

You guys have just been in the 'claws' of a security company so you know how they are... But I have an idea on how to limit this annoyance.

BR Nicolai

Peter Leleulya

Posted on 04/03/2020 12:42:31

9.8.0, sorry for the late response.

Nicolai Pedersen

Posted on 04/03/2020 13:36:31

Hi Peter

Morten and I have discussed a small change that should help in your development environment so you do not get this warning that often. So if you do a rebuild or something, you should not see the warning. TFS#76762 out with next 9.8

BR Nicolai

Peter Leleulya

Posted on 04/03/2020 13:41:42

Superb

Nicolai Pedersen

Posted on 04/03/2020 14:01:56

Not sure it will solve what you have described above - that indicates that you login from a 'cached' login screen. Behind a proxy or something...? Did you get this in your local development environment?

Peter Leleulya

Posted on 04/03/2020 14:21:29

No it was an online environment.
But I'll be happy to get rid of these screens @ dev ...

I'll first ask internally if this environment have other caching settings than others ... I'm not aware of any ...

Kristian Kirkholt

Posted on 06/03/2020 08:47:07

Hi Peter

The TFS#76762 feature to prevent too many warnings on backend login

has been implemented in Dynamicweb 9.8.2 version

You are able to find this build in the download section:

http://doc.dynamicweb.com/releases-and-downloads/releases

Please contact Dynamicweb Support if you need any additional help regarding this.

Kind Regards
Dynamicweb Support
Kristian Kirkholt

You must be logged in to post in the forum

Developer forum

Persistent 'your login expired' errors

Replies