U4-7854 - 7.3.4 Cookies added by load-balancer cause blank page within back office

Created by Robin Minto 28 Jan 2016, 15:58:34 Updated by Sebastiaan Janssen 22 Jun 2017, 07:58:47

Duplicates: U4-9873

Visiting the back office default page in a newly deployed Umbraco resulted in a empty Content pane where I would expect a number of tabs and data.

Chrome dev tools showed a number of XHR requests (e.g. /umbraco/backoffice/UmbracoApi/UpdateCheck/GetCheck) failing with HTTP 417 Missing token null.

Deleting a cookie created by our load-balancer (we're not actually load-balancing the Umbraco back-office) caused the back office to begin working correctly, tabs and data appearing correctly.

The load-balancer creates a cookie named in the form PREFIX. Some experimentation shows that creating a cookie named { causes the issue. We've resolved our issue but this caused us some pain and resolving the cookie handling in Umbraco may help others

Thanks.

Comments

Sebastiaan Janssen 28 Jan 2016, 17:11:55

According to this article you should limit the characters used in cookie identifiers to alphanumeric plus:

!#$%&'*+-.^_`|~

http://stackoverflow.com/a/1969339/5018

Technically {} could be allowed but it's not advisable. I don't think this is something we can fix in umbraco, therefore I'm closing this issue and would advise reconfiguring your load balancer.


Robin Minto 29 Jan 2016, 11:19:25

As I say, we've worked around the issue but others may not be so lucky (we can't reconfigure the cookie names in the load-balancer).

The summary in that StackOverflow answer is good: "In the real world we are still using the original-and-worst Netscape cookie_spec, so code that consumes cookies should be prepared to encounter pretty much anything, but for code that produces cookies it is advisable to stick with the subset in RFC 6265"


Priority: Normal

Type: Bug

State: Duplicate

Assignee:

Difficulty: Normal

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version:

Sprint:

Story Points:

Cycle: