Search code examples
javascripthttpbrowserlighttpd

Browsers (Edge, Firefox, Chrome) redirecting after 6 minutes for a "303 See Other" request


Use Case: My web application should redirect the user to a 401 Lockedout html page if the user exceeds maximum (5) login attempts.

Issue: Once all the login attempts are exhausted, the page is redirecting after 6 minutes instead of redirecting immediately. This is observed in all the browsers.

How it's done: I am using jQuery to send an Ajax POST call to login.

  1. User enters wrong password and clicks login button. The page shows invalid password for the first 4 attempts.
  2. On the 5th attempt, the backend code (cgi) responds back with HTTP status code "303 See Other" with URL: "/restarting/"
  3. We have built a LigHTTPd plugin called mod_access. The plugin job is check and return back "303 See Other" code with URL: "/errors/en/401lockedout.html" page as response after the 5 failed attempts if user requests any other page (e.g.Home page). So, when the browser calls /restarting/ URL, the mod_access plugin will see as an unauthorized request and sends 303 back.

Environment and programming languages: LigHTTPd web server, HTML, jQuery, C++

Server Log Analysis: (I am skipping the requests for the first 4 attempts as 5th attempt is of importance here)

5th Login request:

1980-01-06 02:50:12: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 666 \nPOST /submitLogin/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 123\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nOrigin: http://localhost\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n

The CGI application reverted back with "303 See Other" with Location /restarting/

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: /restarting/\r\nConnection: close\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Length: 992\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11

The browser sent a GET request for /restarting/ page

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 551 \nGET /restarting/ HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\n\r\n

The mode_access blocked the request and sent another "303 See Other" with Location: http://localhost/errors/en/401lockedout.html

1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.125) lockedout reformed as /errors/en/401lockedout.html 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.322) Blocked URI: /cgi/ui.cgi 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/mod_access.c.323) Redirecting to lockedout page http://localhost/errors/en/401lockedout.html 1980-01-06 02:50:13: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 303 See Other\r\nLocation: http://localhost/errors/en/401lockedout.html\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nTransfer-Encoding: chunked\r\nDate: Sun, 06 Jan 1980 02:50:13 GMT\r\nServer: XYZ\r\n\r\n

No requests are received by the server (from the browser developer tools) and the browser did not send GET request for the 401lockedout.html page.

After 6 minutes, the server received request from the browser for the lockedout page.

1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/connections.c.774) fd: 9 request-len: 646 \nGET /errors/en/401lockedout.html HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nAccept: application/json, text/javascript, /; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\r\nReferer: http://localhost/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en;q=0.9\r\nCookie: SID=abc; _TESTCOOKIESUPPORT=1; sess=def\r\nIf-None-Match: "1764933797"\r\nIf-Modified-Since: Fri, 16 Dec 2022 08:20:12 GMT\r\n\r\n

1980-01-06 02:56:14: (../../lighttpd-1.4.55/src/response.c.125) Response-Header: \nHTTP/1.1 304 Not Modified\r\nContent-Type: text/html\r\nAccept-Ranges: bytes\r\nETag: "1764933797"\r\nLast-Modified: Fri, 16 Dec 2022 08:20:12 GMT\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nDate: Sun, 06 Jan 1980 02:56:14 GMT\r\nServer: XYZ\r\n\r\n

Here is the snip from the browser developer tools Browser network calls

This used to be working earlier but not working now.

I tried find the root cause and fix it but not able to. Any pointers would certainly help me fix this issue.


Solution

  • We have built a LigHTTPd plugin called mod_access.

    Are you saying that you have a custom plugin with the same name as a lighttpd plugin (mod_access)?

    Aside: mod_magnet and a few lines of custom lua code will likely be simpler, more portable, and possibly even faster than your custom C++.

    In the case of your custom plugin, you are very likely not properly ending the response for lighttpd internals, and so lighttpd is likely flushing the response when the default write idle timeout of 6 minutes expires and the connection is closed. Transfer-Encoding: chunked\r\n in the response from lighttpd for your mod_access handler tells me that you probably did not tell lighttpd internals that the response was finished (r->resp_body_finished = 1)

    (../../lighttpd-1.4.55/src/mod_cgi.c.1190) CGI pid 3868 died with signal 11

    It also appears that your CGI is crashing. Signal 11 is SIGSEGV on Linux.

    Aside: Please review why you have written a custom C++ plugin when you could have handled your authentication policy in the CGI. For proper security, you ought to handle the authentication policy in one place, anyway, as part of ensuring that the policy is enforced.

    P.S. the official name of the server is and has always been "lighttpd"; never "LigHTTPd".