Community
Select to view content in your preferred language

BUG: In 3.0 No Cookie Present in Proxy Requests

620
2
07-02-2012 04:27 AM
DerivenC
by
Deactivated User
‎07-02-2012 04:27 AM
Took me a few to figure this out.  Any requests sent through ArcGIS for JavaScript 3.0 using a proxy url does not include the cookie.  This is pretty severe since a secure cookie determines whether the request is authenticated against a server.  When my server receives it, it kicks it out because the request was not authenticated.

In version 2.8 and prior versions, the cookie is sent correctly.  Switch to 3.0, no cookie.  Therefore any site using forms authentication (with or without SSL) and a proxy will see this bug.

The workaround is simply to stick with 2.8 until it can be fixed.

I have screenshots if needed.
0 Kudos
2 Replies
DerivenC
by
Deactivated User
‎07-02-2012 06:52 AM
This may be isolated to my circumstance but I doubt it.  I used to override esri._getProxyUrl such that I could replace the url with a variation to my domain name (e.g. www1.mydomain.com, www2.mydomain.com, etc.)  Once I disabled this override (by commenting it out), I was good-to-go .. but now only using www.mydomain.com for the proxy.

Therefore I tried to change the url using the new(?) esri.setRequestPreCallback option.  If I do nothing in the callback, it works fine (but again only using the www.mydomain.com).  If I update the url to use my subdomain variants, the request goes out but without any cookie information.  I'm guessing this has something to do with the new CORS functionality.  In 2.8, using subdomains was never a problem.

I'll keep looking into this problem.
0 Kudos
DerivenC
by
Deactivated User
‎07-03-2012 03:31 AM
So I tried opening my map using Opera 11 which doesn't support CORS according to caniuse.com and I still get the error.  So CORS is not the issue.

It could be dojo 1.7.  Because this is happening at the xHR level.  The deal is my secure cookie is for a 2nd-level domain (.mydomain.com) and should be included in any requests for that domain.  In fact, if I copy/paste the failing url into the address bar, it works fine.  But in ArcGIS for JS, I get a 500 error -- which my web site throws if the request isn't authenticated.

Using multiple domains is a common practice to increase performance, as even indicated by ESRI.  As long as the secure cookie is 2nd-level, it should be passed along with all subdomain requests. (source)  So I'm not doing anything out of the ordinary.  Our entire site wouldn't work otherwise.  It has worked for over two years with multiple subdomains, from Silverlight to JS implementations.  Now the proxy won't work unless I restrict it to one domain, which is annoying.

As a suggestion, can we give esri.config.defaults.io.proxyUrl an array of strings?  Then ArcGIS for JS can randomly pick a proxy URL and handle it accordingly.
0 Kudos