PDSBILL, 12-19-2023, 02:41 PM (This post was last modified: 12-19-2023, 03:29 PM by PDSBILL.)
We have several ISAPI IW apps (15.2) that we link by each calling the others using TerminateAndRedirect.
This has worked great. Now we find bad actors trying to scrape our application, so we have added an encrypted time string parameter that each app will now pass when it calls the other apps.
We decode and check the time string in the server controller's IWServerControllerBaseNewSession event:

    procedure TIWServerController.IWServerControllerBaseNewSession(ASession: TIWApplication);
    begin
      // checkTS decodes the time-string parameter and validates it
      if not checkTS(ASession) then
      begin
        ASession.Terminate;
        Exit;
      end;
      ASession.Data := TIWUserSession.Create(nil, ASession);
    end;

The result of this change is that we find iwcache folders are not being cleaned up.
We are also seeing "Reply is already set" errors.
If we use IWServerControllerBaseBeforeNewSession instead, how do we send back a dynamic HTML response, as that event provides only a request object and no response object?
Alexandre Machado:
@MJS
Your code is correct, but maybe you want to try using valid HTML including the <!DOCTYPE > document type declaration tag. The IWApplication code looks for this '<!DOCTYPE' string to find out whether the provided code is full HTML content or just a string that needs to be concatenated with other HTML entities...
Alexandre Machado, 12-20-2023, 02:05 AM (This post was last modified: 12-20-2023, 02:14 AM by Alexandre Machado.)
A final note:
I tested this scenario using the IWServerControllerBaseNewSession event, like you did, and everything also "works" correctly, meaning that the session is destroyed and the session cache dir is deleted as expected. I find it weird that you got a different result.
Anyway, the most optimized way to deal with this is my suggestion above.
PDSBILL:
Could this be a cause of "Reply type already set"?
(where SecHtml = my HTML captcha code)
In my CheckTS function:

    Trace('Set Response');
    // write the custom captcha page as the response for this request
    WebApp.Response.WriteString(SecHtml);
    // close session and terminate
    Trace('Terminate');
    WebApp.Terminate;

Is the problem that I use WebApp.Response.WriteString() and then afterwards call WebApp.Terminate, which sends another response?
When I test locally on our IIS server I do not get the error, but on the customer's machine I see this error happening.
PDSBILL:
CheckTS performs multiple checks. If the calling browser sends no parameters, then I build the custom HTML that presents a landing page with a Captcha. If the calling browser passes in an encoded time string parameter, then I decode it and verify that the decoded time is no more than 5 seconds past the current time (I use this to navigate between multiple IW ISAPI apps); then CheckTS returns true and the session is allowed. If not, I want to return a 403 error, which is what WebApplication.Terminate does.
I was hoping to use BeforeNewSession to do this, so that sessions are not created by bots trying to screen scrape, or by other bad actors hitting our URL.
I have fixed the "Reply type already set" errors by not calling Terminate after I have already sent the custom HTML.
I am getting a few errors from my password field's OnAsyncChange on my login page. It does not show up as an error to the user but is written out to the exception log file. I am still investigating this, but if you have any advice on issues using OnAsyncChange, I would be grateful.
Again, thank you for your help.
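Added example, not code from the thread, from PDSBILL or from IntraWeb: the time-string check described in the first and last posts, written in Python rather than Delphi so the logic can be run stand-alone. It swaps the posts' "encrypted time string" for an HMAC-tagged timestamp plus a nonce, which is a deliberate change: encryption alone gives no integrity, so a scraper that captures one parameter can replay it inside the 5-second window or, with a malleable cipher, edit it, whereas a MAC under a key only the linked apps hold lets the receiving app reject anything it did not mint, and the per-window nonce store rejects a replay. route_new_session mirrors the three outcomes CheckTS produces (captcha page, allow, 403) and produces exactly one of them per request, which is the fix for "Reply type already set" that the last post arrived at. SECRET_KEY, WINDOW_SECONDS, CLOCK_SKEW, make_ts_token, check_ts and route_new_session are names assumed here; the "ts" parameter name is also an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption (not from the thread): one random key shared out of band by all linked ISAPI apps.
SECRET_KEY = b"replace-with-a-random-key-shared-by-all-linked-apps"
WINDOW_SECONDS = 5   # the 5-second limit described in the thread
CLOCK_SKEW = 1       # tolerate a token stamped slightly ahead of this server's clock


def make_ts_token(now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Build the parameter one app appends to the URL it redirects to.

    Layout before base64: "<unix-seconds>:<nonce>:<hex HMAC-SHA256 over seconds:nonce>".
    The MAC, not encryption, is what stops a scraper from minting or editing tokens.
    """
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    msg = f"{ts}:{nonce}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(msg + b":" + tag).decode()


def check_ts(token: str, now: Optional[int] = None, key: bytes = SECRET_KEY,
             seen: Optional[dict] = None) -> bool:
    """Validate a token the way CheckTS in the thread does, plus two extra rules:
    the MAC must verify, and (when `seen` is given) a nonce is accepted only once."""
    try:
        ts_s, nonce, tag = base64.urlsafe_b64decode(token.encode()).decode().split(":")
        ts = int(ts_s)
    except ValueError:   # bad base64, bad UTF-8, wrong field count or non-numeric time
        return False
    expected = hmac.new(key, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes, so a non-ASCII tag cannot raise instead of failing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    now = int(time.time() if now is None else now)
    if not (-CLOCK_SKEW <= now - ts <= WINDOW_SECONDS):
        return False
    if seen is not None:
        # Forget nonces that have aged out; anything still inside the window must be unique.
        for old in [n for n, t in seen.items() if now - t > WINDOW_SECONDS + CLOCK_SKEW]:
            del seen[old]
        if nonce in seen:
            return False
        seen[nonce] = ts
    return True


def route_new_session(params: dict, now: Optional[int] = None,
                      seen: Optional[dict] = None) -> str:
    """Decide what the NewSession/BeforeNewSession handler should send for one request.

    Exactly one outcome is produced: writing the captcha page and then also calling
    Terminate (a 403) on the same request is what raised 'Reply type already set'.
    """
    token = params.get("ts")
    if token is None:
        return "captcha"     # no parameter: serve the landing page with the captcha, nothing else
    if check_ts(token, now=now, seen=seen):
        return "allow"       # create the user session and continue
    return "forbidden"       # stale, forged or replayed token: Terminate (403) only
```

Each app keeps its own `seen` dictionary, since a token is consumed by the app it was sent to; on a multi-worker deployment that store would have to be shared, or the nonce check dropped and the window relied on alone.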