asp.net - SSRS: Why do SKA-cookies build up until "HTTP 400 Bad Request - Request Too Long" occurs?
I have switched SQL Server Reporting Services 2012 (SSRS 2012) to forms authentication so that we can use it on the internet.
I could not find a forms-authentication sample for SSRS 2012 anywhere, so I had to take the SSRS 2008R2 one and adapt it for 2012, for single sign-on (SSO).
At that point everything seemed to be working as expected; I managed to get SSO working across domains.
But now I have a problem:
I was testing the reports (more than 200) with Google Chrome, because I had to insert a little JavaScript that alters the TD border-size so that the HTML displays right in non-IE5-quirks mode. After the 50th report, I got:
"HTTP 400 Bad Request - Request Too Long"
After that, I could not view any other report, not even ones that did work previously.
The problem seems to be caused by many cookies, and indeed, when I deleted a few "*_SKA" (session keep alive?) cookies, it began working again.
My problem is that I don't know what causes this "cookie overflow". I don't know if this is a bug in Chrome, a bug in vanilla SSRS, or a bug caused by the new forms authentication.
All I do in the new forms-authentication that has to do with cookies is this:
    using System;
    using System.Collections.Generic;
    using System.Text;

    namespace FormsAuthentication_RS2012
    {
        internal class FormsAuthenticationWorkaround
        {
            public static void RedirectFromLoginPage(string strUser, bool createPersistentCookie)
            {
                //string url = System.Web.Security.FormsAuthentication.GetRedirectUrl(strUser, true);
                string url = GetRedirectUrlWithoutFailingOnColon(strUser, createPersistentCookie);
                // SQL.Log is the author's own logging helper (not shown here).
                SQL.Log("user: '" + strUser + "' returnurl", url);

                if (System.Web.HttpContext.Current != null && System.Web.HttpContext.Current.Response != null)
                    System.Web.HttpContext.Current.Response.Redirect(url);
            }

            // https://github.com/mono/mono/blob/master/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
            // @msft: wtf u guys smoking ?
            public static string GetRedirectUrlWithoutFailingOnColon(string userName, bool createPersistentCookie)
            {
                if (userName == null)
                    return null;

                // Issues the forms-authentication cookie. Note that the cookie is always
                // created as persistent here; createPersistentCookie is not used.
                System.Web.Security.FormsAuthentication.SetAuthCookie(userName, true, "/");

                // ReturnUrl comes straight from the query string and is not validated here.
                string returnUrl = null;
                if (System.Web.HttpContext.Current != null && System.Web.HttpContext.Current.Request != null)
                    returnUrl = System.Web.HttpContext.Current.Request.QueryString["ReturnUrl"];

                if (returnUrl != null)
                    return returnUrl;

                // Fall back to the default URL configured for forms authentication.
                returnUrl = System.Web.Security.FormsAuthentication.DefaultUrl;
                return returnUrl;
            }
        }
    }
And this code creates the "sqlAuthCookie" that one sees at the bottom. There is one "sqlAuthCookie", so I don't think this can possibly be a forms-authentication bug.
The problem seems to be the SKA cookies, which AFAIK have nothing to do with forms-authentication, but with vanilla SSRS.
The other thing I could see as a reason for this is the change in the forms-authentication-cookie timeout to 720 minutes, which I entered in the forms-authentication section in the web.config file.
    <authentication mode="Forms">
      <forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="720" path="/">
      </forms>
    </authentication>
Does anybody know what I can do to prevent getting flooded with session keep-alive cookies (except for deleting the cookies manually)?
It's no problem for me per se, apart from being highly annoying, but it's going to be a problem because the users won't be understanding of that...
The issue is listed as fixed in SQL Server 2012 SP1 CU7. (See the comments by Microsoft in the Connect issue.)
It is still present in SQL Server 2014.
The later section applies if you can't install SQL Server 2012 SP1 CU7:
OK, got the answer myself.
The keep-alive cookie is issued every time one opens a report.
Now, this becomes a problem when one opens (or refreshes, or changes the page of), say, more than 110 - 120 reports, without closing the browser.
So we safeguard by deleting excess cookies, and set a safe boundary at approx. 1/2 of the assumed maximum of 120 cookies.
The cookies are HttpOnly, and expire when one closes the browser (session cookies).
They are non-secure HttpOnly cookies, which is why I failed in my attempt to delete them via JavaScript.
So it becomes necessary to delete them on the server side. Since we can't modify ReportServer, we have to use inline scripting.
    <body style="margin: 0px; overflow: auto">

    <script type="text/C#" runat="server">
    protected string ClearSessionKeepAliveCookiesToPreventHttp400HeaderTooLong()
    {
        if (Request == null || Request.Cookies == null)
            return "";

        // Only start cleaning up once the browser sends 60 or more cookies.
        if (Request.Cookies.Count < 60)
            return "";

        // System.Web.HttpContext.Current.Response.Write("<h1>" + Request.Cookies.Count.ToString() + "</h1>");
        for (int i = 0; i < Request.Cookies.Count; ++i)
        {
            // Never touch the forms-authentication cookie.
            if (System.StringComparer.OrdinalIgnoreCase.Equals(Request.Cookies[i].Name, System.Web.Security.FormsAuthentication.FormsCookieName))
                continue;

            // Only the session keep-alive cookies are candidates.
            if (!Request.Cookies[i].Name.EndsWith("_SKA", System.StringComparison.OrdinalIgnoreCase))
                continue;

            if (i > 60)
                break;

            //System.Web.HttpContext.Current.Response.Write("<h1>" + Request.Cookies[i].Name + "</h1>");

            // Expire the cookie by re-issuing it with a date in the past.
            System.Web.HttpCookie c = new System.Web.HttpCookie(Request.Cookies[i].Name);
            //c.Expires = System.DateTime.Now.AddDays(-1);
            c.Expires = new System.DateTime(1970, 1, 1);
            // Path and flags must match the cookie as issued, or the browser keeps the old one.
            c.Path = Request.ApplicationPath + "/Pages";
            c.Secure = false;
            c.HttpOnly = true;

            // http://stackoverflow.com/questions/5517273/httpcookiecollection-add-vs-httpcookiecollection-set-does-the-request-cookies
            //Response.Cookies[Request.Cookies[i].Name] = c;
            //Response.Cookies.Add(c);
            Response.Cookies.Set(c);
        }

        return "";
    }
    </script>

    <%=ClearSessionKeepAliveCookiesToPreventHttp400HeaderTooLong()%>

    <form style="width:100%;height:100%" runat="server" id="ReportViewerForm">
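The selection step of the inline script above, as an added example (not the answer's code) that trims by Cookie header size rather than by a fixed count of 60, and that can be run as a console program without an HttpContext. The 8 KB budget, the `rptN_SKA` cookie names and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class SkaCookieTrimmer
{
    // Assumed byte budget for the Cookie header; the page only gives a count (~120 cookies).
    const int BudgetBytes = 8 * 1024;

    // Splits a raw Cookie header value into name/value pairs, in the order the browser sent them.
    static List<KeyValuePair<string, string>> Parse(string header)
    {
        var cookies = new List<KeyValuePair<string, string>>();
        foreach (string part in (header ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = part.IndexOf('=');
            string name = (eq < 0 ? part : part.Substring(0, eq)).Trim();
            string value = eq < 0 ? "" : part.Substring(eq + 1).Trim();
            if (name.Length > 0) cookies.Add(new KeyValuePair<string, string>(name, value));
        }
        return cookies;
    }

    // Picks *_SKA cookies to expire, first-sent first, until the header fits the budget.
    // The forms-authentication cookie is never selected.
    public static List<string> SelectForExpiry(string header, string authCookieName, int budgetBytes)
    {
        var toExpire = new List<string>();
        int size = Encoding.UTF8.GetByteCount(header ?? "");
        foreach (var c in Parse(header))
        {
            if (size <= budgetBytes) break;
            if (string.Equals(c.Key, authCookieName, StringComparison.OrdinalIgnoreCase)) continue;
            if (!c.Key.EndsWith("_SKA", StringComparison.OrdinalIgnoreCase)) continue;
            toExpire.Add(c.Key);
            size -= Encoding.UTF8.GetByteCount(c.Key + "=" + c.Value + "; ");
        }
        return toExpire;
    }

    static void Main()
    {
        // Constructed sample: one auth cookie plus 150 keep-alive cookies (names are made up).
        var sb = new StringBuilder("sqlAuthCookie=" + new string('A', 300));
        for (int i = 0; i < 150; i++) sb.Append("; rpt" + i + "_SKA=" + new string('x', 64));
        string header = sb.ToString();
        List<string> names = SelectForExpiry(header, "sqlAuthCookie", BudgetBytes);
        Console.WriteLine("Cookie header: " + header.Length + " bytes, expiring " + names.Count + " cookies");
        // Each selected name would be expired with Response.Cookies.Set(...) as in the inline script above.
        foreach (string n in names.GetRange(0, Math.Min(3, names.Count))) Console.WriteLine("expire: " + n);
    }
}
```

In the inline script, `Request.Headers["Cookie"]` would supply the header string, and each returned name would be expired with the same path and flags the script already uses.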