Getting "Invalid page context" exceptions after upgrade to 15.1.12

[magosk]

Hi! We have just upgraded three of our web applications (let's call them A, B, and C) from IW 15.0.15 to 15.1.12, where we make use of some of the new security features. After this, we have started to get EIWSecurityException exceptions with message 'Invalid page context' in our maintenance logs. Most of them are related to two distinct and reproducible cases in application B, but we have so far also seen two cases in application A which as of yet are more difficult to analyze. 

Case 1 (in application B) do you get when you click on a button on a mobile friendly page, built with CGDevTools JQuery Mobile controls. The server side (async) button click event handler looks like this:

Code:

procedure TEmIndClientAppAlertActivationWebForm.ActivateButtonJQMButtonOptionsEventsVClick(
  Sender: TObject; AParams: TStringList);
begin
  WebApplication.GoToURL(ActivateURL);
end;

The link still seems to work functionally for the user (in this case it opens up a specific app on the smartphone). The exception log comes a few hundred milliseconds after the button click has been logged (you do not see the logging code above, it is made in a base form just before this method is called). If you look at the call stack, there is nothing from our own code there, just internal IntraWeb stuff.

Case 2 comes from a login page in B which uses only standard IntraWeb controls. When the user clicks the Login button, we generate a redirect response (302) in order to prevent the browser from storing the login credentials in its cache. This is a solution (for a finding in a penetration test) that we developed together with Alexandre a few years ago. What we do in this case is basically the following:

Code:

procedure TBaseIndClientLoginWebDialog.LoginButtonClick(Sender: TObject);
begin
  LoginProgressRegion.Visible := True;
  LoginTimer.Enabled := True;
  TransferLoginCredentialsFromEditsToServerVariables();   
  ReportInformation('Protecting sensitive POST by using a redirect');
  WebApplication.Response.Code := 302;
  WebApplication.Response.AddHeader('Location', WebApplication.Request.Referer);
end; 

Again, it still seems to work functionally for the user, but the exception is logged a few hundred milliseconds after the click event. Sometimes it is also followed by a EInvalidAppID exception with message 'Session context is not valid'. What is interesting is that web application A also has a login page with almost identical code, but there you get no error. There is one security related setting that differs between applications A and B. In A we use the following:

CheckFormId=True
CheckSameIP=False
CheckSameUA=False
CheckWindowId=True
ForceAjaxPost=False
PreventDoubleSubmission=True
RandomTempFileNames=True
ShowSecurityErrorDetails=True
SurrogateSessionId=True

together with

AllowMultipleSessionsPerUser=True (which should translate to SessionOptions.UniqueURL=True, right?)

What differs in B (where we get the exceptions) is that we for now are forced to run with SurrogateSessionId=False due to an as of yet unsolved problem with a CGDevTools control.

A note: I tried setting CheckWindowId=False (as this property was added since 15.0.15) for application B but it made no difference. 

Thankful for feedback on this. Is there something that needs to be corrected in IW code, or can we change our code somehow to avoid the problems?

Best regards

Magnus Oskarsson