Use Case: My web application should redirect the user to a 401 Lockedout html page if the user exceeds maximum (5) login attempts.
Issue: Once all the login attempts are exhausted, the page is redirecting after 6 minutes instead of redirecting immediately. This is observed in all the browsers.
How it's done: I am using jQuery to send an Ajax POST call to login.
Environment and programming languages: LigHTTPd web server, HTML, jQuery, C++
Server Log Analysis: (I am skipping the requests for the first 4 attempts as 5th attempt is of importance here)
5th Login request:
1980-01-06 02:50:12: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 666 \nPOST /submitLogin/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 123\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nOrigin: http://localhost\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n
The CGI application reverted back with "303 See Other" with Location /restarting/
1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: /restarting/\r\nConnection: close\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Length: 992\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11
The browser sent a GET request for /restarting/ page
1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 551 \nGET /restarting/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n
The mode_access blocked the request and sent another "303 See Other" with Location: http://localhost/errors/en/401lockedout.html
1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.125) lockedout reformed as /errors/en/401lockedout.html 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.322) Blocked URI: /cgi/ui.cgi 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.323) Redirecting to lockedout page http://localhost/errors/en/401lockedout.html 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: http://localhost/errors/en/401lockedout.html\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nTransfer-Encoding: chunked\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n
No requests are received by the server (from the browser developer tools) and the browser did not send GET request for the 401lockedout.html page.
After 6 minutes, the server received request from the browser for the lockedout page.
1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 646 \nGET /errors/en/401lockedout.html HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\nIf-None-Match: "1764933797"\r\nIf-Modified-Since: Fri, 16 Dec 2022 08:20:12 GMT\r\n\r\n
1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nETag: "1764933797"\r\nLast-Modified: Fri, 16 Dec 2022 08:20:12 GMT\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nDate: Sun, 06 Jan 1980 02:56:14 GMT\r\nServer: XYZ\r\n\r\n
Here is the snip from the browser developer tools
This used to be working earlier but not working now.
I tried find the root cause and fix it but not able to. Any pointers would certainly help me fix this issue.
We have built a LigHTTPd plugin called mod_access.
Are you saying that you have a custom plugin with the same name as a lighttpd plugin (mod_access)?
Aside: mod_magnet and a few lines of custom lua code will likely be simpler, more portable, and possibly even faster than your custom C++.
In the case of your custom plugin, you are very likely not properly ending the response for lighttpd internals, and so lighttpd is likely flushing the response when the default write idle timeout of 6 minutes expires and the connection is closed. Transfer-Encoding: chunked\r\n
in the response from lighttpd for your mod_access handler tells me that you probably did not tell lighttpd internals that the response was finished (r->resp_body_finished = 1
)
(../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11
It also appears that your CGI is crashing. Signal 11 is SIGSEGV on Linux.
Aside: Please review why you have written a custom C++ plugin when you could have handled your authentication policy in the CGI. For proper security, you ought to handle the authentication policy in one place, anyway, as part of ensuring that the policy is enforced.
P.S. the official name of the server is and has always been "lighttpd"; never "LigHTTPd".