The SAC Web Application is configured to access the Incorta application.
A handful of users report being logged out whenever they try to access the Incorta application through SAC.
SAC forensic logs show no error.
SAC Web Application.
A CSRF check on the Incorta back end was dropping the request.
The CSRF check was disabled on the Incorta back end.
The key to troubleshooting was obtaining a HAR file captured while the issue occurred, and checking the back-end application logs.
When the user experienced the error, we could see the following in the HAR file:
1. All works fine until the client POSTs data to https://incorta.broadcom.luminatesec.com/incorta/!bi/service/schema/validateFormula and gets a 403 back. A 403 is an access-denied response from the back-end web server and could be the cause of the logout.
Note: The HAR file does not include the POST payload (516 bytes), which might give details on why the 403 response was sent back.
The POST includes the session cookie that was sent in the previous (GET) request, and the payload is basic booking information; however, it does NOT include the bearer token that the previous requests to the same domain carried. Without a token, the client may not be authorised to access the resource. The working theory was that the server returned the 403 because the client sent no bearer token; the back-end application logs would confirm this.
The POST request also includes a CORS header (Origin), but this is standard in modern applications. What is interesting is that the earlier requests to the same web site did not carry an Origin header, and those succeeded. In general this should not be the cause of the 403. The only other possibility is that the Origin header is not being rewritten and the application returns an error because of it, but without working logs this is hard to confirm.
2. About 400 ms later, the client POSTs to the logout endpoint, which we suspect is simply a consequence of the failed request to the validateFormula endpoint.
After we provided this information to the Incorta team, they confirmed that the source of the 403 was a failed CSRF check (triggered by the POSTed HTML form), which caused the authorization error. The Incorta team then modified their application settings (server.xml) to disable this check, and everything worked.
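The HAR triage described above (a POST that lost the bearer token its predecessors carried, answered with a 403 and followed by a logout within a few hundred milliseconds) can be automated. The script below is an added example, not part of the original case; the HAR fragment, the app.example.com host, and the token and cookie values are all constructed.

```python
from datetime import datetime, timedelta

# Constructed HAR fragment (not the customer's capture): a GET carrying a bearer token,
# a POST without one that gets a 403, and a POST to the logout endpoint ~400 ms later.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T10:00:00.000Z", "response": {"status": 200},
     "request": {"method": "GET", "url": "https://app.example.com/incorta/!bi/service/schema",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed-token"}]}},
    {"startedDateTime": "2024-01-01T10:00:00.500Z", "response": {"status": 403},
     "request": {"method": "POST", "url": "https://app.example.com/incorta/!bi/service/schema/validateFormula",
                 "headers": [{"name": "Origin", "value": "https://app.example.com"},
                             {"name": "Cookie", "value": "JSESSIONID=constructed"}]}},
    {"startedDateTime": "2024-01-01T10:00:00.900Z", "response": {"status": 200},
     "request": {"method": "POST", "url": "https://app.example.com/incorta/!bi/service/session/logout",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=constructed"}]}},
]}}

def _header(entry, name):
    # Case-insensitive request-header lookup; None if the header is absent.
    return next((h["value"] for h in entry["request"]["headers"]
                 if h["name"].lower() == name.lower()), None)

def _ts(entry):
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))

def find_auth_drops(har, logout_window_ms=1000):
    """Flag 401/403 responses to requests that carry no bearer token although an
    earlier request to the same host did, and note whether a logout request
    followed within logout_window_ms (the 403 -> logout pattern in the HAR)."""
    entries = sorted(har["log"]["entries"], key=_ts)
    hosts_with_bearer, findings = set(), []
    for i, e in enumerate(entries):
        host = e["request"]["url"].split("/")[2]
        if (_header(e, "Authorization") or "").lower().startswith("bearer "):
            hosts_with_bearer.add(host)
            continue
        if host in hosts_with_bearer and e["response"]["status"] in (401, 403):
            finding = {"url": e["request"]["url"], "status": e["response"]["status"],
                       "has_origin": _header(e, "Origin") is not None, "logout_after_ms": None}
            for later in entries[i + 1:]:
                gap_ms = (_ts(later) - _ts(e)) // timedelta(milliseconds=1)
                if gap_ms > logout_window_ms:
                    break
                if "logout" in later["request"]["url"].lower():
                    finding["logout_after_ms"] = gap_ms
                    break
            findings.append(finding)
    return findings
```

Run it against a real capture by loading the HAR with json.load and passing the result to find_auth_drops; a finding with has_origin set and a small logout_after_ms is the signature seen in this case.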