Developer forum

Forum » Dynamicweb 9.0 Upgrade issues » Persistent 'your login expired' errors

Persistent 'your login expired' errors

Peter Leleulya
Peter Leleulya
Reply

Hi guys,

You probably all know the butt ugly 400 bad request 'login token invalid' error with the 'session expiration' prompt when you try to login ...
Normaly I redo my login, which is anoying on it's own, but hey ... then it works ...

But since this week I have issues that the error repeats itself upto a point when I have to wait a few minites due to too many login attempts.
It doesn't seem to matter which browser I take, if it has cookies cleared, if it is private mode, it keeps giving this error over and over on login.

And then ..... all of a sudden it works again, no idea why - i didn't change a thing.
But I've been trying for 10 mins+ ...

Does anyone have also had this experience and does anyone know what to do about it?
Because this is unworkable ...

SessionExpiration.PNG

Replies

 
Morten Bengtson Dynamicweb Employee
Morten Bengtson
Reply

Hi Peter,

Which version of Dynamicweb is this?

There was some issues with the CSRF checks at some point, but I haven't seen these errors for a long time.

/Morten

 
Morten Bengtson Dynamicweb Employee
Morten Bengtson
Reply

The error should only occur if your session ends between loading the login screen and submitting the credentials.

Is this a local installation used for development? Maybe it restarts often and the sessions are killed?

Try reloading the login page right before you log in.

/Morten

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Reply

Hi Peter (and morten)

The reason you see the error is beause your login attempt fails a security check that prevents a number of methods to try to brute force the backend login. So doing this CSRF check is a security measurement. The error will occur if you do a rebuild, iisreset, pool recycle or wait too long to login after you have accessed the login screen.

@Morten - you do not see that screen anymore on rebuild since I have disabled the check on our development branches :-).

Maybe it will be possible to do something with this check so you will not see this too often when doing local builds. I have noted it down as a 'pain in the ass'.

BR Nicolai

 
Peter Leleulya
Peter Leleulya
Reply

Can you skip that check on systems running development license? Or is that a security risk?

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Reply

Hi Peter

You guys have just been in the 'claws' of a security company so you know how they are... But I have an idea on how to limit this annoyance.

BR Nicolai

 
Peter Leleulya
Peter Leleulya
Reply

9.8.0, sorry for the late response.

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Reply

Hi Peter

Morten and I have discussed a small change that should help in your development environment so you do not get this warning that often. So if you do a rebuild or something, you should not see the warning. TFS#76762 out with next 9.8

BR Nicolai

 
Peter Leleulya
Peter Leleulya
Reply

Superb

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Reply

Not sure it will solve what you have described above - that indicates that you login from a 'cached' login screen. Behind a proxy or something...? Did you get this in your local development environment?

 
Peter Leleulya
Peter Leleulya
Reply

No it was an online environment.
But I'll be happy to get rid of these screens @ dev ...

I'll first ask internally if this environment have other caching settings than others ... I'm not aware of any ...

 
Kristian Kirkholt Dynamicweb Employee
Kristian Kirkholt
Reply

Hi Peter

The TFS#76762 feature to prevent too many warnings on backend login

has been implemented in Dynamicweb 9.8.2 version

You are able to find this build in the download section:

http://doc.dynamicweb.com/releases-and-downloads/releases

Please contact Dynamicweb Support if you need any additional help regarding this.

Kind Regards
Dynamicweb Support
Kristian Kirkholt

 

You must be logged in to post in the forum