
I'm currently working on a testing environment for a project. Locally everything works as it should, but when I try to log into the installed testing environment, Google Chrome throws an HTTP ERROR 403 even though I haven't used forbidden() anywhere in the code. The login works in Firefox and IE11.

Requests reach the application through a proxy server running nginx.
I also have a valid SSL certificate.

I've implemented the Login with the Play! Framework Forms and Form-Helpers.

I tried to find where the POST request throws the error (on the installed instance), so I added some System.out.println() lines, but the POST request doesn't even reach the controller (the println() on the first line of post() never prints anything when the page is accessed from Chrome).

I've already tried restarting nginx, deleting cached data, and accessing the application from an incognito tab or as a guest user. Nothing worked.

What do I need to change or configure so that Chrome stops responding with 403 Forbidden, given that the login works in other browsers?

Routes:

GET   /login      com.informaticon.web.ticketsystem.controllers.LoginController.get(request: Request)
POST  /login      com.informaticon.web.ticketsystem.controllers.LoginController.post(request: Request)

Twirl template:

@helper.form(action = LoginController.post()) {
    <div class="login-form">
        <p class="login-title">Testsystem</p>
        @* Hidden token checked by Play's CSRF filter on the POST *@
        @CSRF.formField
        @helper.inputText(field = form(LoginForm.FIELD_USERNAME), 'class -> "login-input", '_label -> "Username")
        <br>
        @* '_label (not 'label) is the helper argument for the field label *@
        @helper.inputPassword(field = form(LoginForm.FIELD_PASSWORD), 'class -> "login-input", '_label -> "Password")

        <button class="login-form-button" type="submit" name="login-button">
            Log in
        </button>
    </div>
}

Post method:

public Result post(Http.Request request) {
    Form<LoginForm> form = formFactory.form(LoginForm.class).bindFromRequest(request);
    if (form.hasErrors()) {
        return unauthorized(login.render(form));
    }
    // Looking a user up by username + hash presumes a deterministic (unsalted) hash;
    // with a salted password hash the stored record has to be verified instead.
    String hashedPassword = FormHelper.hash(form.get().password);
    User user = User.byUsernameAndHashedPassword(form.get().username, hashedPassword);
    if (user == null) {
        // Unknown user or wrong password: re-render the form instead of
        // dereferencing a null user (which would turn into a 500, not a 403).
        return unauthorized(login.render(form.withGlobalError("Invalid username or password")));
    }
    return redirect(routes.Main.overview())
            .addingToSession(request, TypeKeyHelper.USER_ID, user.id.toString());
}
  • Sounds like an issue with the CSRF filter. Try switching it off to check whether that is the issue. https://www.playframework.com/documentation/2.7.x/ScalaCsrf – Andriy Kuba Aug 20 '19 at 07:09
  • @AndriyKuba Just tried what you said. Chrome still throws the 403 error. Other browsers still don't. – Martin Kohler Aug 20 '19 at 07:24
  • Maybe a wrong session cookie was cached under your profile. Did you try an anonymous tab? – Andriy Kuba Aug 20 '19 at 07:35
  • @AndriyKuba I tried an incognito tab (anonymous tab) and the guest-user tab. Both threw the same error, with or without the CSRF filter. – Martin Kohler Aug 20 '19 at 07:40
  • What about the CORS filter? It can also cause this issue: https://www.playframework.com/documentation/2.7.x/CorsFilter – Andriy Kuba Aug 20 '19 at 08:30
  • Well, it could be an issue with the nginx configuration; can you check this answer https://superuser.com/questions/1461932/403-issue-in-chrome-only? – Andriy Kuba Aug 20 '19 at 08:32
  • @AndriyKuba Thanks for your research! Both of these solutions seemed to solve the problem as a workaround, even though disabling either of them results in a loss of security. I saw that other people have had similar CORS problems since the current Chrome v76 update. I'll work with the workaround for now and come back to this question on a different day, when I've found a better solution, a bug report or something else. – Martin Kohler Aug 20 '19 at 09:01
  • So now you know the reason for the issue. I am pretty sure you can solve this through the nginx configuration, though I can't help you there. You need to look for something like this https://stackoverflow.com/questions/45986631/how-to-enable-cors-in-nginx-proxy-server – Andriy Kuba Aug 20 '19 at 10:17
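The thread ends with the CSRF and CORS filters switched off as a workaround, which removes two protections from the login form. The following conf/application.conf fragment is an added example (not the asker's configuration and not taken from the Play documentation verbatim) that puts the workaround next to the targeted fix: keep both filters and tell them which host and origin are legitimate. It assumes the test system is served as https://testsystem.example.com and that nginx proxies to Play from the same machine; both names are placeholders. The mechanism it targets is that Chrome attaches an Origin header to every form POST, while Firefox at the time did not for same-origin posts, so a CORS filter whose allowedOrigins list does not contain the site's own origin answers Chrome's login POST with 403 and lets Firefox's through.

```hocon
# conf/application.conf (added example; hostnames are assumptions)

# --- Workaround reached in the comments: drops the protection outright ---
# play.filters.disabled += "play.filters.csrf.CSRFFilter"
# play.filters.disabled += "play.filters.cors.CORSFilter"

# --- Targeted fix: keep both filters and declare the legitimate host/origin ---

# Play sits behind nginx. Trust the proxy's X-Forwarded-* headers so the host
# and scheme the filters see match what the browser actually requested.
# Assumption: nginx runs on the same machine as Play.
play.http.forwarded.trustedProxies = ["127.0.0.1", "::1"]

# Allowed-hosts filter: the public name of the test system plus the local dev port.
play.filters.hosts.allowed = ["testsystem.example.com", "localhost:9000"]

# CORS filter: the site's own origin must be listed, because Chrome sends an
# Origin header on the login POST. Anything not listed is answered with 403.
play.filters.cors {
  allowedOrigins     = ["https://testsystem.example.com"]
  allowedHttpMethods = ["GET", "POST"]
  supportsCredentials = true
}

# CSRF filter stays enabled; the Twirl form already emits @CSRF.formField.
# Mark the token cookie Secure since the site is served over TLS.
play.filters.csrf.cookie.secure = true
```

Before changing application.conf, confirm which layer is answering: a 403 produced by nginx's own rules is recorded in nginx's error log, whereas a 403 from Play's filters appears in nginx's access log as the upstream status and never reaches a controller, which matches the missing println() in the question.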
