We have added the mod-security (2.9) plugin for filtering malicious input data with the Apache web server, and it was working fine. But then we are facing an issue in the scenario below.
During the application login, the server will generate an access token and also a refresh token (set as a cookie) while sending the response back to the browser. When the access token expires, the UI will send the refresh token to the server to generate a new access token. The application will use the refresh token as an authentication mechanism.
Request 1 - Application login - the server generates the access token and refresh token (Set-Cookie) and sends them to the browser.
Request 2 - Access token expired - the server sends "401 Unauthorized" back to the UI when the request is sent from the UI.
Request 3 - The UI sends another request with the refresh token as a cookie (sent in request 1), and mod-security blocks it with "403 Forbidden".
The browser will retry the above two more times if it fails, as per the application rules.
Request 4 - The browser sends the same request as #2 as a retry mechanism. The server returns "401 Unauthorized" again.
Request 5 - The browser sends another request, the same as #3. This time the request is not blocked by mod-security; it reaches the server, which generates the new token.
Request 3 is being blocked by mod-security with "403 Forbidden". I don't see any error in the logs. Also, I don't see any difference between request 3 and request 5 in terms of the cookie and other parameters.
The same scenario works fine in Firefox. If we completely turn off mod-security, we are not able to replicate this scenario and it works fine.
Kindly help.
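ModSecurity 2.x records which rule produced a 403 in section H of its audit log (with SecAuditEngine RelevantOnly, a 403 falls inside the default SecAuditLogRelevantStatus pattern) even when the Apache error log shows nothing at the configured debug level, so comparing the blocked refresh request with the one that passed starts there. The following parser is an added example, not code from this thread or from the ModSecurity project; it reads a constructed serial-format audit log (section A omitted, sample rule id 999001 and cookie value are made up) and extracts, per transaction, the request line, Cookie header, response status and the rule ids that fired.

```python
import re

# Constructed sample in ModSecurity 2.x serial audit-log format: one refresh
# request intercepted with 403, one that reached the backend and got a 200.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-B--
POST /auth/refresh HTTP/1.1
Cookie: refresh_token=SAMPLE_VALUE

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/local.conf"] [line "10"] [id "999001"] [msg "constructed sample rule"]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--
--e5f6a7b8-B--
POST /auth/refresh HTTP/1.1
Cookie: refresh_token=SAMPLE_VALUE

--e5f6a7b8-F--
HTTP/1.1 200 OK

--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # --<txn-id>-<section>--
RULE_ID = re.compile(r'\[id "(\d+)"\]')                 # [id "..."] inside Message: lines


def parse_audit_log(text):
    """Return {txn_id: {request, cookie, status, rule_ids}} from serial audit-log text."""
    txns, cur, section = {}, None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:  # new section header: switch transaction/section
            txn_id, section = m.groups()
            cur = txns.setdefault(txn_id, {"request": "", "cookie": "", "status": "", "rule_ids": []})
            continue
        if cur is None or not line.strip():
            continue
        if section == "B":  # request line followed by request headers
            if not cur["request"]:
                cur["request"] = line
            elif line.lower().startswith("cookie:"):
                cur["cookie"] = line.split(":", 1)[1].strip()
        elif section == "F" and line.startswith("HTTP/") and not cur["status"]:
            cur["status"] = line.split()[1]  # response status code
        elif section == "H" and line.startswith("Message:"):
            cur["rule_ids"] += RULE_ID.findall(line)  # rule(s) that matched
    return txns


def blocked_rule_ids(text, status="403"):
    """Map each transaction that ended with `status` to the rule ids that fired."""
    return {tid: t["rule_ids"] for tid, t in parse_audit_log(text).items() if t["status"] == status}
```

Run it against the real `SecAuditLog` file and diff the B-section headers of a 403 transaction against a 200 one from the same client; a rule id with no Message line at all usually means the 403 came from Apache itself rather than ModSecurity.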
This forum isn't supported anymore; please use GitHub or IRC for support.