HandleURL receiving session URLs

Following a request to generate a custom 404 message I added HandleURL to my web project

Function HandleURL(Request As WebRequest) As Boolean
  If Request.Path <> "" Then
    Request.Print "<html><body>Custom URLs are not allowed</body></html>"
    Request.Status = 200 // An HTTP Response code of 200 means everything is OK
    Return True
  End If
  // Falls through (returns False) for "/" so the app handles it itself
End Function

But for some reason, after a while I get a request that gets captured, i.e. a WebRequest where the path is

/B156D2E6338304E2AAD151DC5680F50E/comm/74555.Action

After this call I get a Javascript error (showing the custom html) in the web browser and have to refresh the web page.

Why am I getting session calls here?

Without having any custom HandleURL event handler, everything seems to work.

Lee

I think the return status should still be 404 as things are definitely not OK since the browser asked for a page that is not there

The problem with returning a 404 message is that apparently some web browsers show their own error messages.

We had a security request to handle things like:

https://127.0.0.1:8080/a"</p><javascript>alert("1")</javascript><img src="http://www.seznma.cz"><p>a

In their world of ‘everyone is out to get me’ they were complaining that we were not sanitising the URLs before returning the 404. Apparently there is a possibility that the JavaScript is actually executed.

So, I just added a default message for all extra URLs, but for some reason I was getting session requests arriving there.

Lee

[quote=249177:@Lee Badham]Following a request to generate a custom 404 message I added HandleURL to my web project

Function HandleURL(Request As WebRequest) As Boolean
  If Request.Path <> "" Then
    Request.Print "<html><body>Custom URLs are not allowed</body></html>"
    Request.Status = 200 // An HTTP Response code of 200 means everything is OK
    Return True
  End If
  // Falls through (returns False) for "/" so the app handles it itself
End Function

But for some reason, after a while I get a request that gets captured, i.e. a WebRequest where the path is

/B156D2E6338304E2AAD151DC5680F50E/comm/74555.Action

After this call I get a Javascript error (showing the custom html) in the web browser and have to refresh the web page.

Why am I getting session calls here?

Without having any custom HandleURL event handler, everything seems to work.

Lee[/quote]
This could happen if the browser that is making the request has a dead session. For instance, if the browser was offline for a period of time, your web app determined that it was no longer there and therefore ended the session. HandleURL doesn’t skip all runs of 32 characters, only the ones that are currently sessions.

It does not matter what the browser does. The server should correctly return a 404 status. That is what the protocol states and that is the best way to handle security.

Ask them to explain why you’d need to sanitise anything, since you are using the sledgehammer approach by totally ignoring the entire URL in the request and returning a standard HTML page no matter what is fired at your server??? Would love to hear their explanation of how the example will end up being run anywhere in your case.

In which case I would return a 401 and/or a link to log back in.

I’ve removed the handler. We’re getting lots of calls with /comm in them and trying to decide whether to handle it or not doesn’t seem reliable.

Logging calls to HandleURL seems to show that sometimes there are calls to HandleURL even before the first /

25/02/2016 : 09:59:40 : 661791.27 - HandleURL request B49BD323465FD0B634E5726C089747FD/comm/event/CmzdQxju.Action
25/02/2016 : 09:59:40 : 661791.37 - HandleURL request B49BD323465FD0B634E5726C089747FD/comm/event/QOgEp83f.Action
25/02/2016 : 09:59:40 : 661791.47 - HandleURL request

You can see from the log the third request is the one from /

This does not happen all the time though.

[quote=249440:@Lee Badham]I’ve removed the handler. We’re getting lots of calls with /comm in them and trying to decide whether to handle it or not doesn’t seem reliable.

Logging calls to HandleURL seems to show that sometimes there are calls to HandleURL even before the first /

25/02/2016 : 09:59:40 : 661791.27 - HandleURL request B49BD323465FD0B634E5726C089747FD/comm/event/CmzdQxju.Action
25/02/2016 : 09:59:40 : 661791.37 - HandleURL request B49BD323465FD0B634E5726C089747FD/comm/event/QOgEp83f.Action
25/02/2016 : 09:59:40 : 661791.47 - HandleURL request

You can see from the log the third request is the one from /

This does not happen all the time though.[/quote]
Those must be from other browsers. You can’t have a session request before the initial / request unless the user presses refresh or leaves the app and comes back.
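As an added illustration (not code from the thread or from Xojo), here is a Python sketch of the handling argued for above: recognise a session-style path (32 hex characters followed by /comm/, as in the paths quoted in the thread), leave live sessions to the framework, answer dead sessions with a 401 and a log-in link, and give genuine unknown paths a 404 whose echoed path is HTML-escaped so the quoted alert payload renders as text. The regex, the live_sessions set and the handle_url signature are assumptions.

```python
import html
import re
from typing import Optional

# Session calls seen in the thread look like /<32 hex chars>/comm/<name>.Action.
# The pattern is inferred from those quoted paths, not taken from Xojo docs.
SESSION_PATH = re.compile(r"^/?([0-9A-Fa-f]{32})/comm/")


def session_id_of(path: str) -> Optional[str]:
    """Return the upper-cased 32-hex session id if the path is a session call."""
    m = SESSION_PATH.match(path)
    return m.group(1).upper() if m else None


def handle_url(path: str, live_sessions: set) -> Optional[dict]:
    """Hypothetical stand-in for the HandleURL event.

    Returns None to let the framework handle the request (a live session's
    /comm/ traffic); otherwise a dict with the status and body to send.
    """
    sid = session_id_of(path)
    if sid is not None and sid in live_sessions:
        return None  # not ours to answer: the app's session layer takes it
    if sid is not None:
        # Dead session (browser was away and the app ended it): 401 plus a
        # link back to the app, as suggested in the thread.
        return {
            "status": 401,
            "body": '<html><body>Session expired. '
                    '<a href="/">Log back in</a></body></html>',
        }
    # Genuinely unknown path: 404, and the path is escaped before being
    # echoed so markup in the URL becomes inert text instead of HTML.
    safe = html.escape(path, quote=True)
    return {
        "status": 404,
        "body": f"<html><body>No such page: {safe}</body></html>",
    }


if __name__ == "__main__":
    # Constructed inputs: one session path from the thread and the quoted payload.
    print(handle_url("/B156D2E6338304E2AAD151DC5680F50E/comm/74555.Action", set()))
    print(handle_url('/a"</p><javascript>alert("1")</javascript><p>a', set()))
```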