r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[!Cheyenne] Discussions about the Cheyenne Web Server

Will
19-Aug-2009
[5492]
just to understand, you generate a file and u upload to googledocs, 
then requests it from google server?
Graham
19-Aug-2009
[5493x5]
frustrating .. can't get a trace
Yes, that's correct.
but chrome is not executing the rsp script ... as far as I can see.
I think I'll just stick with putting a time stamp on each request 
to foil the cache
Or just stick with FF / IE.
Will
19-Aug-2009
[5498x2]
then this has nothing to do with cheyenne, add something like
join %? checksum form now/precise ad the end of requested url
if it is the rsp script that doesnt get executed , please paste headers 
from rsp response
Graham
19-Aug-2009
[5500x2]
?t= url-encode form now/time/precise
which rsp response?
Will
19-Aug-2009
[5502]
you said "but chrome is not executing the rsp script ... as far as 
I can see."
Graham
19-Aug-2009
[5503]
yes, I put a ?? in the script and it doesn't log.
Will
19-Aug-2009
[5504]
so that is the rsp you request that generate the file and upload 
it to google
Graham
19-Aug-2009
[5505]
yes
Will
19-Aug-2009
[5506]
I'd like to see the response headers of that request , not those 
from requesting the uploaded file
Graham
19-Aug-2009
[5507x2]
thi sis the link http://gchiu.no-ip.biz:8000/md/creategoogledoc.rsp?gdoc=simple-letter.rtf&patientid=2832&encounter=none
but the page does not get executed
Will
19-Aug-2009
[5509]
I can't go past http://gchiu.no-ip.biz:8000/md/login.rsp  8)
Graham
19-Aug-2009
[5510x2]
When I click on that link ... it supposed to execute a script when 
then sets the response/redirect
so there is no response from cheyenne .. only from google
Will
19-Aug-2009
[5512]
with a redirect and wireshark, u should see both response headers, 
your browser is requesting two resources, one form Cheyenne, one 
from the redirected url
Graham
19-Aug-2009
[5513]
You'd think so .. but the pcap dump is only showing the googledocs 
response
Will
19-Aug-2009
[5514x3]
if u private msg me a login/pas I can give it a look
impossible, that is not how it works, cheyenne responds with a redirect, 
that is an answer and has a header, the the browser request the redirected 
url from google server
I need to see headers of the redirect response sent from Cheyenne, 
the problem may be there, if that response hasn't proper Expire, 
etc.. headers it may get cached by Chrome, and thus the behaviour 
u see
Graham
19-Aug-2009
[5517]
this is the request


GET /md/creategoogledoc.rsp?gdoc=simple-letter.rtf&patientid=2832&encounter=none 
HTTP/1.1
Host: gchiu.no-ip.biz:8000

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) 
Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://gchiu.no-ip.biz:8000/md/Listgoogledocs.rsp
Cookie: RSPSID=QZPTPCZIWWMMYBKWHWRQETGM
Will
19-Aug-2009
[5518]
I need the response not the request 8)
Graham
19-Aug-2009
[5519]
Yes .. I know ... that was the end of the "follow tpc stream"
Will
19-Aug-2009
[5520x3]
umm.. now that sessions are bound to ip I can't hijack your session 
to check that out ;-)
got to go, either paste here response headers from cheyenne or private 
msg me a temp user/login. in the meantime just add a timestamp parameter 
to the response/redirect url
timestamp also for the rsp url
Graham
19-Aug-2009
[5523x2]
http://www.compkarori.co.nz:8000
userid/pass Guest/Guest
You won't be able to create a googledoc though as it requires that 
your google credentials are stored!
Robert
19-Aug-2009
[5525x2]
My reported problem: Doc, I'm not using VALIDATE nor do I check the 
parameters. Do I have to? I thought Cheyenne does this implicit.
I expect the problem with the parameter to force the seen side-effects. 
So before going into deeper analysis I want to fix the parameter 
problem. Any guide how to handle parameters correctly?
Dockimbel
19-Aug-2009
[5527]
Robert, how can Cheyenne know that "quantity" must be an integer! 
value if you don't tell it? Cheyenne can't validate that implicitly, 
you have to either use VALIDATE (see API doc) or make your own checking 
routines. By default, all your GET or POST  parameters are treated 
as string! value. If you need to check for their presence or need 
to convert them to another datatype, you have to validate the format 
so that it doesn't error out (or worth, let an hostile request pass).
Graham
19-Aug-2009
[5528x2]
I've created a dummy google account so that people can try this out
pm me if you want to try ...
Will
19-Aug-2009
[5530x9]
ok here is the answer from Cheyenne:
HTTP/1.1 301 Moved Permanently
Server: Cheyenne/0.9.20
Date: Thu, 20 Aug 2009 09:43:23 GMT
Connection: close

Location: http://docs.google.com/Doc?docid=0AcdrOHdpKfrWZGZwd3Z4MmJfMnNxcDJkNmZu&hl=en
Set-Cookie: RSPSID=OTWARJZIFLZYABVJOACFFTZY; path=/md; HttpOnly
answer from the redirection:
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 19 Aug 2009 21:43:58 GMT

Set-Cookie: WRITELY_UID=001dfpwvx2b|928b9de9e7bf56448b665282fc69988b; 
Path=/; HttpOnly

Set-Cookie: GDS_PREF=hl=en;Expires=Sat, 17-Aug-2019 21:43:58 GMT;HttpOnly

Set-Cookie: SID=DQAAAHcAAAB0kldc4zZSC_0FoiL6efkWE11k9SQkAIn-N3WfAzIOVe1cM-remnLUtV3Z4M-BFRf5eknz7hr_U3YzW94nECo0-aDnpxrLGiBglWGN4VkfLr5Hh7t2XNyRCA3VWd005SfCmZ9D8-1MUltjRI8X56VLde5Wy8HD92gh-8YkJBJxQA;Domain=.google.com;Path=/;Expires=Sat, 
17-Aug-2019 21:43:58 GMT

Location: https://www.google.com/accounts/ServiceLogin?service=writely&passive=true&nui=1&continue=http%3A%2F%2Fdocs.google.com%2FDoc%3Fdocid%3D0AcdrOHdpKfrWZGZwd3Z4MmJfMnNxcDJkNmZu%26amp%3Bhl%3Den&followup=http%3A%2F%2Fdocs.google.com%2FDoc%3Fdocid%3D0AcdrOHdpKfrWZGZwd3Z4MmJfMnNxcDJkNmZu%26amp%3Bhl%3Den&ltmpl=homepage&rm=false
Content-Encoding: gzip
X-Content-Type-Options: nosniff
Content-Length: 325
Server: GFE/2.0
more redirection:
HTTP/1.1 302 Moved Temporarily

Set-Cookie: WRITELY_SID=DQAAAHoAAADh80lBIw7e5Hg06TLEBgCY33XQGJ1aUH5OrCF_ir1xLwffKNaCqNdUL6qYfvgjNppDBI4lTNBSTjJWMG_Ze0_qJnveBCAtihBDFwBlOb-H7RlkfgJwM7pBbyKV7bm4M3mqUivD1emtpxgl32vG8CEP1poQ2479HQXrlobsp7Egzw;Domain=docs.google.com;Path=/;Expires=Thu, 
03-Sep-2009 21:43:59 GMT

Location: http://docs.google.com/Doc?docid=0AcdrOHdpKfrWZGZwd3Z4MmJfMnNxcDJkNmZu&amp%3Bhl=en&pli=1
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Date: Wed, 19 Aug 2009 21:43:59 GMT
Expires: Wed, 19 Aug 2009 21:43:59 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Content-Length: 232
Server: GFE/2.0
and the the target page:
HTTP/1.1 200 OK

Set-Cookie: WRITELY_SID=DQAAAHoAAADh80lBIw7e5Hg06TLEBgCY33XQGJ1aUH5OrCF_ir1xLwffKNaCqNdUL6qYfvgjNppDBI4lTNBSTjJWMG_Ze0_qJnveBCAtihBDFwBlOb-H7RlkfgJwM7pBbyKV7bm4M3mqUivD1emtpxgl32vG8CEP1poQ2479HQXrlobsp7Egzw;Domain=docs.google.com;Path=/;Expires=Thu, 
03-Sep-2009 21:43:59 GMT

Set-Cookie: GDS_PREF=hl=en;Expires=Sat, 17-Aug-2019 21:43:59 GMT;HttpOnly

Set-Cookie: user=; Expires=Tue, 18-Aug-2009 21:43:59 GMT; Path=/; 
HttpOnly

Set-Cookie: login=; Expires=Tue, 18-Aug-2009 21:43:59 GMT; Path=/; 
HttpOnly
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 19 Aug 2009 21:43:59 GMT
Content-Encoding: gzip
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
Server: GFE/2.0
Conclusion, as you can see above google response for redirection 
include no caching, expires, etc,, headers, Cheyenne don't. I suppose 
that is why you don't see the second hit on your Cheyenne instance, 
Chrome is caching the Cheyenne redirection.
in the rsp that send the the 301 redirect, add this lines:

response/set-header 'Cache-Control "private, max-age=0"
response/set-header 'Expires "-1"

if that is not enough, try with this:


response/set-header 'Cache-Control "no-cache, no-store, max-age=0, 
must-revalidate"
response/set-header 'Pragma "no-cache"
response/set-header 'Expires "-1"
now try that and tell us if you see hitting your server at every 
requests
Nenad, should a redirect send no caching headers by default?
Maybe yes for a 301 and no for a 302? Personally I like it as it 
is, I can always add them when needed.
Graham
19-Aug-2009
[5539x3]
That first redirection is an authentication request from google so 
it looks like you might not have been logged in to gmail at the time. 
 I used your second suggestion and that seems to work fixing the 
caching issue.  Good work!
No wonder I wasn't seeing the response from my script ...
Anyone see why this doesn't work 

grab-cookie: func [  login-url [url!] username password
    /target web-app-url [url!]
    /local page auth cookie err
][
    if error? set/any 'err try [
        page: open login-url
        cookie: page/locals/headers/set-cookie
        close page
        auth: rejoin [ "login=" username "&pass=" password ]

        page: read/custom login-url compose/deep [ POST (auth) [ cookie: 
        (cookie)]]
        either target [

            page: read/custom web-app-url compose/deep [ GET "" [ cookie: (cookie)]]
            return page
        ][ return cookie  ]
    ][
        mold disarm err
    ]
]   


I can see it sending the cookie after authentication to get a page 
in a web-app, but I get redirected to the login age