Hello, I tried to trace down the problem.
If you sign a URL on a different scheme (http -> https) everything works when opened manually in a browser. But when opening it async, for example using $.ajax, current.session is empty. This causes URL.Verify to return False because there is no session.auth record stored.

CORS requests assign a new session ID every time. Why? Because cookies are not sent.

The jQuery 'fix' is described here:
http://stackoverflow.com/questions/8863571/cors-request-why-are-the-cookies-not-sent
Solution includes adding xhrFields: {withCredentials: true}.

Should this be treated as a bug in the JS part of components load?

Marin

On Sat, Dec 21, 2013 at 3:44 PM, weheh <richard_gor...@verizon.net> wrote:

> I am dead in the water trying to make an https ajax call from an http
> session. CORS is enabled on server but the web2py_component https URL with
> user_signature=True now triggers an erroneous non-logged-in response to
> auth.is_logged_in() when, in fact, the user is logged in.
>
> First, thanks to Marin Pranjić's help, I am able to articulate the above
> statement. A little while ago I couldn't have done so.
>
> The trouble with auth.is_logged_in() is mirrored by an error raised by
> @auth.requires_signature(). In response to an experiment designed by Marin,
> I documented the following:
>
>> If I put the @auth.requires_signature() decorator back into the
>> controller and reexecute, I get the Firebug error message:
>> XMLHttpRequest cannot load https://www.blah
>> blah<https://www.yakitome.com/store/checkout.load?pid=1&_signature=e5308784ae38c2f5f1a67552b4143bf7b9adeca1>.
>> The request was redirected to
>> 'https://www.mydomain.com/user/login.load?_next=/blah
>> blah<https://www.yakitome.com/user/login.load?_next=/store/checkout.load%3Fpid%3D1>',
>> which is disallowed for cross-origin requests that require preflight.
>>
>>
> Marin replied,
>
>> As I expected, auth.requires_signature looks broken. Give me some time, I
>> am very busy, but I'll try to give you solution.
>> Maybe URL.verify instead of decorator.
>
>
> Now, I have that auth.is_logged_in() in a critical spot and
> @auth.requires_signature() decorators on many functions that are now
> negatively impacted by this issue. So my sense of urgency is higher than my
> normal constant sense of urgency. I've been stuck on this for many days so
> I think I'm ready to ask for as much help as possible. Please.
>
> Thank you Marin and the web2py community for all the excellent support.
> Any suggestions about how to proceed, including from Marin, are appreciated.
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
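
A simplified model of the behaviour discussed in this thread, added as an example and not taken from the thread or from web2py: a cross-origin XHR without withCredentials carries no session cookie, so the server opens a fresh session on every call, while a credentialed call reuses the logged-in session. The `Server` class, the origins and the user name are constructed, and the response-header handling (exact origin echo, no `*`, for credentialed requests) goes beyond what the thread covers.

```python
import secrets

PAGE_ORIGIN = "http://app.example"   # constructed: origin of the page making the call
ALLOWED_ORIGINS = {PAGE_ORIGIN}      # assumption: server-side allowlist of trusted origins

class Server:
    """Toy HTTPS endpoint with cookie-keyed sessions (not web2py code)."""
    def __init__(self):
        self.sessions = {}  # session id -> logged-in user, or None

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def handle(self, origin, cookie):
        if cookie not in self.sessions:       # no or unknown cookie: fresh session
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = None
        headers = {}
        if origin in ALLOWED_ORIGINS:
            # Credentialed CORS needs the exact origin echoed back, never "*"
            headers = {"Access-Control-Allow-Origin": origin,
                       "Access-Control-Allow-Credentials": "true",
                       "Vary": "Origin"}
        return {"sid": cookie, "user": self.sessions[cookie], "headers": headers}

def browser_accepts(origin, with_credentials, headers):
    """Browser-side CORS check applied before script may read the response."""
    acao = headers.get("Access-Control-Allow-Origin")
    if not with_credentials:
        return acao in ("*", origin)
    return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"

def cross_origin_xhr(server, origin, cookie, with_credentials):
    """Cookies ride along on a cross-origin XHR only when withCredentials is set."""
    resp = server.handle(origin, cookie if with_credentials else None)
    resp["readable"] = browser_accepts(origin, with_credentials, resp["headers"])
    return resp

if __name__ == "__main__":
    srv = Server()
    sid = srv.login("alice")
    print(cross_origin_xhr(srv, PAGE_ORIGIN, sid, False)["user"])  # anonymous session
    print(cross_origin_xhr(srv, PAGE_ORIGIN, sid, True)["user"])   # logged-in session
```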