Ajax form using POST?

Donald McLean

Sep 14, 2017, 2:28:36 AM
to liftweb
Hello everyone,

Apparently, I haven't been paying attention. I have a small Lift Ajax
form for user login, but I didn't realize that the user's credentials
were being sent as a GET, where they are added to the URL and not
encrypted (even using HTTPS).

What would I need to do to change the form so that it is submitting
the user credentials via a PUT?

Thanks,

Donald

Antonio Salazar Cardozo

Sep 14, 2017, 12:22:10 PM
to Lift
> where they are added to the URL and not encrypted (even using HTTPS)

This should not be the case. HTTPS encrypts the connection before any data is exchanged,
so if the request is going out over HTTPS the path and querystring should be encrypted just
like everything else. Only the domain should be looked up before the connection is secured.

> Lift Ajax form

Does this mean it's done using `SHtml.makeFormsAjax`, or something else? If you're
using Lift's built-in AJAX stuff, it's always a POST, and the data is always included as
POST data, not as GET data.
Thanks,
Antonio

Donald McLean

Sep 14, 2017, 2:12:46 PM
to liftweb
Hi Antonio,

What I was seeing is that in a specific, very peculiar, but
reproducible case, the FULL URL for the GET, including the user name
and password, was being displayed in the URL bar at the top of the
browser window. One of our IT people told me that the URL for the GET
would be sent unencrypted, even over HTTPS, so obviously, if he was
incorrect, then I'm much less worried.

I have the block with the form surrounded by:

<form class="lift:form.ajax">

Thanks,

Donald

Donald McLean

Sep 15, 2017, 7:35:57 AM
to liftweb
I was working on something else and verified that, except in that one
weird case, the login data is definitely being sent via a POST.
--
Family photographs are a critical legacy for
ourselves and our descendants. Protect that
legacy with a digital backup and recovery plan.

Antonio Salazar Cardozo

Sep 15, 2017, 2:35:50 PM
to Lift
Any details you can give about the weird case? That does sound rather
odd, and it's probably not Lift doing it, but worth looking into if there's
something we've done strangely.
Thanks,
Antonio

Donald McLean

Sep 15, 2017, 4:07:21 PM
to liftweb
Yes.

It occurs only when the user leaves a browser open to the app and then
the Tomcat server is restarted (usually to install an updated WAR
file). When the server comes back and the page reloaded, the first
time a user tries to log in, the credentials are displayed in the URL
bar. Then for the next 30 minutes or so, any attempt to login gets
"server cannot be contacted" after a long delay.

This only started happening when IT updated us to virtual servers
running RHEL7 and Tomcat 8.5.11.

So you see what I mean when I say "peculiar" :-)

Thanks,

Donald

Diego Medina

Sep 15, 2017, 6:43:39 PM
to Lift
My wild guess is that this is related to the user session that Lift keeps track of being lost, so the normal Ajax form post gets an invalid F... func name and the form ends up being posted as a GET, resulting in user/pass on the URL.

Do you have a test env where you can restart Tomcat and try a few things?

1. leave the browser tab open
2. restart tomcat
3. refresh the user page (assuming it is you)
4. I'm hoping the form will work ok here


then

1. leave the browser tab open
2. restart tomcat
3. do not refresh the page
4. submit the form (do users get logged out after not using the app for x minutes?)
5. here the F... Lift function isn't live in the server, so the form isn't a POST any more

Hope it helps

Diego
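
As an added, defender-side example (Python, not code from this thread or from Lift): the first function scans Tomcat-style access-log lines for GET requests whose query string carries login fields and reports parameter names only, so the report never contains a password; the second flags `lift:form.ajax` forms that do not pin `method="post"`, which is the non-Ajax fallback Diego describes. The log pattern, the field names `username`/`password`, and the sample log lines are assumptions constructed for the example.

```python
"""Defender-side checks for the failure mode in this thread: a Lift Ajax login
form whose server-side function has expired falls back to a plain browser
submit and puts the credentials in the URL. Added example, not code from the
thread or Lift; assumes Tomcat's common log pattern and fields username/password."""
import re
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_PARAMS = {"username", "password"}  # assumption: real field names

# Constructed sample lines in Tomcat's common access-log pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2017:16:07:21 -0400] "POST /ajax_request/F1234567_abc HTTP/1.1" 200 57
10.0.0.5 - - [15/Sep/2017:16:09:03 -0400] "GET /login?username=alice&password=hunter2&F1234567=_ HTTP/1.1" 200 1024
10.0.0.7 - - [15/Sep/2017:16:09:10 -0400] "GET /css/site.css HTTP/1.1" 200 4096
10.0.0.9 - - [15/Sep/2017:16:10:44 -0400] "GET /login?username=bob HTTP/1.1" 200 1024
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post\b""", re.IGNORECASE)

def find_credential_gets(log_text):
    """One finding per GET whose query string names a credential field.
    Only parameter names are reported, so the report itself leaks nothing."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        leaked = sorted(CREDENTIAL_PARAMS.intersection(parse_qs(url.query)))
        if leaked:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": url.path, "params": leaked})
    return findings

def ajax_forms_without_post(html):
    """Return lift:form.ajax <form> tags that do not pin method="post".
    HTML's default method is GET, so without it any non-Ajax fallback
    submit carries the fields in the URL, which is what the thread saw."""
    return [tag for tag in FORM_RE.findall(html)
            if "lift:form.ajax" in tag and not POST_RE.search(tag)]

if __name__ == "__main__":
    for f in find_credential_gets(SAMPLE_LOG):
        print("credential-bearing GET:", f)
    # Constructed fragments: the form from the thread, then the hardened one.
    print(ajax_forms_without_post('<form class="lift:form.ajax">'))
    print(ajax_forms_without_post('<form class="lift:form.ajax" method="post">'))
```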

Donald McLean

Sep 18, 2017, 3:03:10 PM
to liftweb
Hi Diego,

In the first scenario (refresh after restarting Tomcat):

1. First time, the login is posted as a Get
2. After that, for the next half hour, get the error "Server could not
be contacted"

In the second scenario (do not refresh after starting Tomcat):

1. First time, get error "Server could not be contacted", page
immediately reloads on its own
2. Second time, login posts as Get
3. After that, get "Server could not be contacted"

Diego Medina

Sep 18, 2017, 4:01:38 PM
to Lift
Wow, this is not what I expected at all.

So, this isn't related to Tomcat restarting, this is the code that always does a GET? Can you try to reproduce this on a small sample project posted on GitHub?