Agent getting Authentication Required

calley

Only happens in Chrome on one PC. But I cant for the life of me figure out why.
Says "Authentication Required" weather I enter any login info or none at all.
Clearing cookies etc... did nothing. But Incognito mode works

calley

This seems to be part of the issue... but I haven't found a solution that fits my circumstances.

Status: 422 Unprocessable Entity

calley

log shows this every time I try:
Invalid CSRF Token CSRFToken
Invalid CSRF token [redacted] on http://helpdesk/scp/login.php

KevinTheJedi

calley

Status 422 shouldn't be an issue but sometimes it can be in very specific circumstances. Please check this pull:

https://github.com/osTicket/osTicket/pull/6542

If you make those changes and it still doesn't work it sounds like you need to clear your cache AND cookies and retest.

Cheers.

calley

KevinTheJedi
I haven't made those changes quite yet...

See my other comments on cookies... pretty sure this is related though.

I'll make the changes and test once I get a chance...

Though, is this fixed in the latest release?

calley

I think I figured it out... finally noticed this in the inspector:

This attempt to set a cookie via a set-cookie header was blocked because it was sent over an unsecure connection and would have overwritten a cookie with the Secure attribute

Out site is http://helpdesk/ and we were supposed to add SSL to it but had trouble when we launched so we figured it wasn't a big deal since it was only accessible internally.

I finally got the certificate working recently so we can use https://helpdesk/ but just haven't rolled it out since we have so many incomplete tickets.

Apparently, when I logon to https://helpdesk/ it saves the cookie, but then if I try http://helpdesk/ it fails the logon because I didn't keep the cookies it assigned me.

If I log out of the HTTPS site, the HTTP site works fine.

another contributing factor: some of the email templates use http://helpdesk/ but some have https://helpdesk/ which I'm guessing is why it came up randomly and not when I got the certificate installed

calley

Correction:
To fix logon to http://helpdesk/ I have to close any https://helpdesk/ tabs and remove any "helpdesk" cookies...
Then I can logon to http://helpdesk/ again.

If I even look at https://helpdesk/ login screen http://helpdesk/ will kick me out after the next request.

KevinTheJedi

calley

There is nothing to fix. You were using the HTTPS protocol when the session and cookie was initially generated. If we detect HTTPS we set the secure parameter to true in the cookie params. When this flag is enabled the cookie is only sent over secure connections.

Reference

https://www.php.net/manual/en/function.session-set-cookie-params.php

So to "fix" this you simply need to clear the cookies as you’ve mentioned.

TLDR;
Secure cookies are not sent to HTTP.

Cheers.

calley

I'm guessing the workaround for this is to set the force https option.

Or use https://helpdesk.dom.local for the secure site while I'm testing. Actually this is probably the better answer anyway.

I would have assumed that Chrome would keep cookies for http and https separate even when the domain was the same. Seems like this behavior is a side-effect of a workaround to prevent some kind of cross-site or domain impersonation attacks... I'm just the rare case that gets to experience it because I'm testing with both urls.

Probably just going to roll-out the new url soon and redirect old links to https.