Firefox loading SSL pages twice. Causing lots of issues for us.

[mi...@mgrogan.com]

It's only in Firefox when SSL is turned on. IE, Chrome, and Edge don't have this issue. We are on Windows 2016 and IIS10 and using Coldfusion 2016.

Firefox will basically double load the page. We started noticing this because there are a few pages where we save something to the database and it would start throwing unique constraint errors on the second attempt. Or we have a button to send an email reminder to someone and it would get sent twice. As a test, I put in a mail script on a basic load of a regular page, and that gets sent twice. If I temporarily turn off SSL and just load up http://.... it will work as intended.

I'm attaching a HTTP log from firefox as I get the error. I'm going from page A to page B (which should do an insert) and then redirect back to page A automatically. In the IIS logs page B shows up twice with a 302 and then a 500 status code. If I turn off SSL I see a 302 in the logs only and then it redirects back to page A.

https://pastebin.com/Yb4mNiKg

I've read also to check my meta tags and image tags to make sure there is no missing src values as this might mess up Firefox. I think that's all looking pretty good. This is happening on multiple pages with different html templates, not just one that might help me pinpoint it.

As another test, I made the simplest page possible. This is everything on the page below. A single link. And on page b all it does is email me. Even this sends a double email when SSL is turned on!

<a href="pageb.cfm">Page B</a>

I'm struggling to figure out why this is happening. Anyone experience this? Or know better ways of debugging?

[Big Al]

On 08/15/2017 01:01 PM, mi...@mgrogan.com wrote:
> It's only in Firefox when SSL is turned on. IE, Chrome, and Edge don't have this issue. We are on Windows 2016 and IIS10 and using Coldfusion 2016.
>
> Firefox will basically double load the page. We started noticing this because there are a few pages where we save something to the database and it would start throwing unique constraint errors on the second attempt. Or we have a button to send an email reminder to someone and it would get sent twice. As a test, I put in a mail script on a basic load of a regular page, and that gets sent twice. If I temporarily turn off SSL and just load up http://.... it will work as intended.
>
> I'm attaching a HTTP log from firefox as I get the error. I'm going from page A to page B (which should do an insert) and then redirect back to page A automatically. In the IIS logs page B shows up twice with a 302 and then a 500 status code. If I turn off SSL I see a 302 in the logs only and then it redirects back to page A.
>
> https://pastebin.com/Yb4mNiKg
>

What is this link supposed to do. I get a page that first nags me to
join, and I get a list of stuff but no links, no images no nothing.
Is there a purpose here that not reallllly intuitive?

[mi...@mgrogan.com]

> What is this link supposed to do. I get a page that first nags me to
> join, and I get a list of stuff but no links, no images no nothing.
> Is there a purpose here that not reallllly intuitive?

It's just pastebin. I needed a place to upload the Firefox log in case anyone understood it. Maybe this link will work better: https://pastebin.com/raw/Yb4mNiKg.

[Eli the Bearded]

In mozilla.support.firefox, <mi...@mgrogan.com> wrote:
> It's only in Firefox when SSL is turned on. IE, Chrome, and Edge
> don't have this issue. We are on Windows 2016 and IIS10 and using
> Coldfusion 2016.
>
> Firefox will basically double load the page. We started noticing this
> because there are a few pages where we save something to the database
> and it would start throwing unique constraint errors on the second
> attempt. Or we have a button to send an email reminder to someone and
> it would get sent twice. As a test, I put in a mail script on a basic
> load of a regular page, and that gets sent twice. If I temporarily
> turn off SSL and just load up http://.... it will work as intended.

Have you ruled out that the page is being loaded once as http and once
as https? If for example, your source document is explicitly saying to
use http, and then Firefox for some reason wants to prefer https?

I ask after seen this in your pastebin output:

2017-07-24 14:13:25.785000 UTC - [Main Thread]: V/nsHttp HttpBaseChannel::SetRequestHeader [this=15828000 header="Upgrade-Insecure-Requests" value="1" merge=0]

I've never seen Firefox double load HTTPS pages, so I'm wondering if
there is some sort of plugin or other oddness with your setup. If I were
you, I'd examine the behavior using the Live HTTP Headers plugin on a
new (no other plugins, and no custom config) Firefox profile. I'd also
try to duplicate this with a debug-tooled web server. Not sure how to do
that with Coldfusion, though.

Elijah
------
lots and lots of things break with doubled page hits

[Andy Burns]

Eli the Bearded wrote:

> 2017-07-24 14:13:25.785000 UTC - [Main Thread]: V/nsHttp HttpBaseChannel::SetRequestHeader [this=15828000 header="Upgrade-Insecure-Requests" value="1" merge=0]

Sounds like the server has set HSTS, which tells the browser to remember
never to visit the url by http (until a specified timestamp) but
redirect to https:

[Andy Burns]

Andy Burns wrote:

> Sounds like the server has set HSTS

Actually, it looks like it hasn't ...

<https://www.ssllabs.com/ssltest/analyze.html?d=dev.research.buffalo.edu>

[mi...@mgrogan.com]

> Have you ruled out that the page is being loaded once as http and once
> as https? If for example, your source document is explicitly saying to
> use http, and then Firefox for some reason wants to prefer https?
>
> I ask after seen this in your pastebin output:
>
> 2017-07-24 14:13:25.785000 UTC - [Main Thread]: V/nsHttp HttpBaseChannel::SetRequestHeader [this=15828000 header="Upgrade-Insecure-Requests" value="1" merge=0]
>
> I've never seen Firefox double load HTTPS pages, so I'm wondering if
> there is some sort of plugin or other oddness with your setup. If I were
> you, I'd examine the behavior using the Live HTTP Headers plugin on a
> new (no other plugins, and no custom config) Firefox profile. I'd also
> try to duplicate this with a debug-tooled web server. Not sure how to do
> that with Coldfusion, though.
>
> Elijah
> ------
> lots and lots of things break with doubled page hits

I should have also mentioned I'm trying this in Safe Mode in firefox. Doesn't seem to change anything. And this double page loading is happening to lots of users, not just me.

It definitely has crossed my mind about the loading insecure page first. As I watch the network tab and look at the header information in the firefox developer tools I don't notice pages being loaded twice. Or an insecure version. I loaded up live http headers and so far don't notice too much either. I'll keep playing with it though.

I've also looked in the IIS log files and it definitely appears that pages are being loaded twice. I see the same page being loaded, at the same time, both secure 443 port and both have a 200 status.

On one of our Coldfusion sites I have code that forces SSL. It checks to see if they aren't using https, and then redirects to a secure version. It was my first thought that this was the issue. But I've commented that out and it doesn't affect anything.

[mi...@mgrogan.com]

I'm noticing as well now on a certain page that just reloading the page in the browser will trigger 2 emails to be sent. I setup a simple send mail function just to track page loads. I am dumping the CGI variables in the email to see if anything changes. The only thing that changes is http_connection. It goes from keep-alive to close. Not sure if that really means much or not. But both emails show that SSL was turned on.

HTTP_CONNECTION: keep-alive
HTTP_CONNECTION: close

When I look in the Firefox developer tools I still only see one get request for this page.

[TCW]

No nag here, goes straight to the pasted log.

[mi...@mgrogan.com]

On Tuesday, August 15, 2017 at 1:31:03 PM UTC-4, mi...@mgrogan.com wrote:

I think I finally figured out the issue at least. This is for an application under an admin subfolder off the root. We have a URL Rewriting Rule in a web.config file. If I turn off this rule Firefox starts working better. If I turn it back on it starts double loading pages again. I'm not sure what is causing that to happen still though.


<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ColdFusion on Wheels URL Rewriting" enabled="true">
<match url="^(.*)$" ignoreCase="true" />
<conditions logicalGrouping="MatchAll">
<add input="{SCRIPT_NAME}" negate="true" pattern="^/admin/(flex2gateway|jrunscripts|cfide|cfformgateway|railo-context|files|images|javascripts|miscellaneous|stylesheets|robots.txt|sitemap.xml|rewrite.cfm)($|/.*$)" />
</conditions>
<action type="Rewrite" url="/admin/rewrite.cfm/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

[mi...@mgrogan.com]

On Tuesday, August 15, 2017 at 1:31:03 PM UTC-4, mi...@mgrogan.com wrote:

Found a few more interesting things. I think the issue is related to http/2. We recently moved to Windows 2016 server, which is the first version of IIS to support http2.

When I look at the logs in firefox and chome I notice that Firefox tries to load pages over http2, and chrome is still loading over http/1.1.

If I go into Firefox and turn off http2 by setting network.http.spdy.enabled.http2 to false all the issues go away. I've seen some issues with http2 and firefox in the past (https://www.fxsitecompat.com/en-CA/docs/2017/ntlm-authentication-fails-in-certain-cases/), but this doesn't seem to be exactly the same. Probably close though. Not sure if it's on the Windows (IIS) end or Firefox's implementation. Or some combination of the two.

I also noticed that if I installed version 35 and below of Firefox our site would work fine. Starting at Firefox 36 the issue starts occurring. Looking at the release notes for 36 (https://www.mozilla.org/en-US/firefox/36.0/releasenotes/) it looks like http/2 support starts.

Any idea on how to resolve http/2 type issues?

[dana....@gmail.com]

FYI, I had this same issue running Windows 2016, IIS 10.0.14393.0, and ColdFusion 2016. Firefox was duplicating the requests for us as well. In addition, Safari wouldn't load our site and the Windows Phone had issues as well.

I verified that your observation that HTTP/2 was causing the issue did in fact resolve the issue for us. I adjusted our IIS configuration as follows to disable HTTP/2.

1) start -> regedit
2) Navigate to the folder/path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
3) Under the Parameters folder, right-click the white-space, add 2 new DWORD (32-bit) values: EnableHttp2Tls and EnableHttp2Cleartext
4) Ensure both new values have been set to 0 (disabled) by right-clicking the value and clicking modify...
5) Restart the OS

(Credit to https://stackoverflow.com/questions/44660634/how-to-disable-http-2-on-iis-of-windows-server-2016)

This seems to have corrected our set of issues.

Maybe there is a better way to configure IIS to solve this issue?

Dana