Strange behavior only via Internet Explore

Losen, Stephen C (scl) scl at virginia.edu
Tue Apr 23 06:33:43 EDT 2019


Hi Noriyuki,

This is just a guess since you say that IE has problems while other browsers do not. IE has a security feature not found in other browsers that causes some web apps to fail for IE but no other browsers.

If IE makes a https (SSL) request and receives a cookie in the response, then IE unconditionally considers that cookie “secure”. Therefore IE will NOT include this cookie in any subsequent http (non-SSL) requests.

Other browsers only consider a cookie secure if the web server tags it secure. If a non-IE browser receives a cookie from a https request that is not tagged secure, then the browser will present it to http requests. IE will NOT do this. I know of no IE browser setting to change this.

Look for a mix of https and http requests to the SP or to the IDP. If this is indeed your problem, then you can force all requests to be https or else declare that IE is not supported.

Steve Losen
ITS – Enterprise Infrastructure
University of Virginia
scl at virginia.edu<mailto:scl at virginia.edu>    434-924-0640

From: users <users-bounces at shibboleth.net> On Behalf Of Noriyuki TAKEI
Sent: Monday, April 22, 2019 10:37 PM
To: Shib Users <users at shibboleth.net>
Subject: Strange behavior only via Internet Explore

Hi,all

I found the strange behavior only when accessing a SP via Internet Explore.

When I go to an specific SP via Internet Explorer, I got the following error message in idp-warn.log.

--- start ---
2019-04-23 11:22:44,260 - XXX.XXX.XXX.XXX - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method
        at  org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder.doDecode(HTTPRedirectDeflateDecoder.java:90)
--- end ---

The following message got displayed in the browser.

--- start ---
Web Login Service - Stale Request

You may be seeing this page because you used the Back button while browsing a secure web site or application. Alternatively, you may have mistakenly bookmarked the web login form instead of the actual web site you wanted to bookmark or used a link created by somebody else who made the same mistake.

Left unchecked, this can cause errors on some browsers or result in you returning to the web site you tried to leave, so this page is presented instead.
--- end ---

However,when I go to the same sp again via the same tabs of the same browser, it worked properly.

When terminating all the browser and accessing the same SP via Internet Explore,the above-mentioned error occurred again.

I guess the above-mentioned error proceeds in the following sequence from idp-warn.log, HTTP Header and  apache access logs.

(1) At first, the browser access to an SP.
(2) The SP redirects the browser to [IDP's FQDN]/idp/profile/SAML2/Redirect/SSO via Get method with SAML Request attached to query parameter.(However, it seems that the browser gets this response from cache according to IE's log )
(3) The SP redirects the browser again to [IDP's FQDN]/idp/profile/SAML2/Redirect/SSO via Post method with SAML Request attached to query parameter.
(4) the above-mentioned error occurs.

In addition, one SP works properly, but the other SP does not.I don't understand the difference between two SPs.

Do you have any ideas to solve this problem?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20190423/54c07b07/attachment.html>


More information about the users mailing list