PAS always redirecting to favicon.ico after login - Forum - Mobile - Progress Community


Hi,

I am using PAS on OE 11.6 (SP2) for testing a REST application (installed as ROOT webapp) and have set up security using oeableSecurity-form-oerealm. Whenever I login successfully the application is always redirecting me to favicon.ico (in root folder) and not index.html.

Auth model config is as follows:

        <!-- authentication model -->
        <form-login login-page="/static/auth/login.jsp"
                    login-processing-url="/static/auth/j_spring_security_check"
                    always-use-default-target="true"
                    default-target-url="/index.html"
                    authentication-failure-url="/static/auth/loginfail.html"
                    authentication-success-handler-ref="OEAuthnSuccessHandler"
                    authentication-failure-handler-ref="OEAuthnFailureHandler" />

        <logout logout-url="/static/auth/j_spring_security_logout"
                success-handler-ref="OELogoutSuccessHandler"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />

I can then change the URL to access the index.html which allows me to continue.

Regards

Verified Answer
  • Possible explanation which I've run into. Not specifically with PAS, but this is probably the same issue.

    This is due to a combination of things.

    1. when the browser first visits your website, it sends the first HTTP request to get favicon.ico, not the actual page you requested

    2. an HTTP session is created and the first requested object is stored with the session.

    3. you get a redirect to login

    4. the login completes and you get redirected back to the first requested object. In this case it is the favicon.ico.

    The fix for this is to ensure that your favicon.ico is not protected by security and is ignored for session management.

    There's lots of stuff there on google about this.

    Stack Overflow suggests a fix: add an exception

    <http pattern="/favicon.ico" security="none" />

    https://stackoverflow.com/questions/11242609/default-spring-security-redirect-to-favicon
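As an added check, not part of the original thread or of the configuration Progress ships, the script below parses a constructed Spring Security namespace config (modelled on the snippet in the question, with the favicon.ico exception added) and reports whether each static path has a security="none" exception and whether the <http> elements are in the order Spring requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Spring Security namespace config, modelled on the
# snippet in the question with the favicon.ico exception added. The real
# oeablSecurity-form-oerealm.xml shipped with PAS contains much more.
SAMPLE_CONFIG = """<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans">
    <!-- unsecured paths go first; no filter chain runs for them, so the
         request is never saved in the session and cannot become the
         post-login redirect target -->
    <http pattern="/favicon.ico" security="none"/>
    <!-- the <http> element without a pattern must be the last one -->
    <http use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/static/auth/login.jsp"
                    login-processing-url="/static/auth/j_spring_security_check"
                    default-target-url="/index.html"/>
    </http>
</b:beans>
"""

SEC_NS = "{http://www.springframework.org/schema/security}"


def check_unsecured_paths(xml_text, paths=("/favicon.ico",)):
    """Return a list of findings for a Spring Security XML config.

    An empty list means every path in `paths` has a security="none"
    exception and the <http> elements are in the order Spring requires.
    """
    root = ET.fromstring(xml_text)
    https = root.findall(SEC_NS + "http")
    findings = []
    unsecured = {h.get("pattern") for h in https if h.get("security") == "none"}
    for path in paths:
        if path not in unsecured:
            findings.append(
                f'{path} is secured: add <http pattern="{path}" security="none"/>'
            )
    # Spring matches <http> elements in document order, and FilterChainProxy
    # validation rejects a config whose catch-all (pattern-less) <http> is
    # not the last one because it would shadow the exceptions after it.
    for index, element in enumerate(https):
        if element.get("pattern") is None and index != len(https) - 1:
            findings.append("an <http> element without a pattern must come last")
    return findings


if __name__ == "__main__":
    for finding in check_unsecured_paths(SAMPLE_CONFIG) or ["config looks fine"]:
        print(finding)
```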
All Replies
  • Thanks, that sorted it (ensuring favicon.ico is not a secured resource). On another point, on authentication failure the URL in authentication-failure-url is not being used. I get a PASS 401 error page:

    An error occurred while executing your request!

    401 - Unauthorized: authentication failed due to bad credentials - POST /static/auth/j_spring_security_check

    Regards

  • Related to this - https://robinlinus.github.io/socialmedia-leak/ . Details how the favicon can be used to detect whether you're logged in or not (on social media to be sure).