
Web panels login issue

Hi,

We have noticed the following issue with the SuperOffice Online login page: when multiple web panels are redirecting to the 'https://sod.superoffice.com/login?app_id=...&uctx=...' address simultaneously (which happens when opening SO Online and these web panels are visible on the same SO screen), SuperOffice Online 'forgets' the currently logged in user and shows the credentials controls instead of detecting the currently logged in user and automatically redirecting to the app's callback URL.

If there is only one web panel visible, the login page works correctly.

The problem can be reproduced without any SuperOffice Online applications - just by having two simultaneously visible web panels that use 'https://sod.superoffice.com/login' as their URL.

It seems that something breaks when the login page is accessed simultaneously from multiple iframes - even opening a new tab with 'http://sod.superoffice.com/login' after that will prompt for entering credentials instead of automatically logging in.

RE: Web panels login issue

Sounds like a bug report... submit email that points to this post to bug@superoffice.com so that you get credit for it and can track it.

Best Regards

By: Tony Yates, 2 May 2017

RE: Web panels login issue

Hi, a fix for this issue has been published in SOD now. We would really like to know how the fix works for you.

By: Margrethe Romnes, 1 Jun 2017

RE: Web panels login issue

Coming back to this after some time. 

If you are using the _not production ready_ SuperOffice.DevNet.Online.Login library, this does not out of the box prevent multiple windows from trying to login at the same time, and therefore deletes a cookie, creates a cookie, deletes a cookie, creates a cookie, etc for all windows shown. One will login, others will display a login screen...

I would NOT classify this as a web client bug. Any HTML application with multiple iframes will experience this same behavior. 

Arild (CRM Insight AS) has been able to successfully guard against this type of behavior (in the authorize attribute) by implementing a locking mechanism during the login phase - of the first web panel, and then when successfully logged in, allows the other calls to proceed and will see the client is already authenticated and show their screens as expected.

He was going to share the code for this so we could incorporate it into the repo, but haven't received it yet. 

I recommend you proceed to implement a similar routine for your application.

Alternatively you could pop up a new window and conduct the authentication there, then close and refresh encapsulated iframe (or use SoCrossMessaging to refresh the whole window) when completed. 

Best regards.

By: Tony Yates, 23 Jan 2020
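
An added example of the kind of login-phase lock described in the post above. It is not code from the SuperOffice.DevNet.Online.Login library or from Arild's implementation. All names are hypothetical, and it assumes every web panel of one browser presents the same session key and that the login round trip can be modelled as an async call.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical names throughout; this is not SuperOffice.DevNet.Online.Login code.
static class LoginGate
{
    // One gate per browser session key (assumed to be shared by all web panels).
    static readonly ConcurrentDictionary<string, SemaphoreSlim> Gates = new ConcurrentDictionary<string, SemaphoreSlim>();
    // Stand-in for the authentication cookie / server-side session store.
    static readonly ConcurrentDictionary<string, string> Tickets = new ConcurrentDictionary<string, string>();
    public static int LoginCount;

    // Stand-in for the redirect round trip to the login page.
    static async Task<string> DoLoginAsync(string sessionKey)
    {
        Interlocked.Increment(ref LoginCount);
        Tickets.TryRemove(sessionKey, out _);      // "deletes a cookie"
        await Task.Delay(50);                      // simulated round trip
        return Tickets[sessionKey] = Guid.NewGuid().ToString("N"); // "creates a cookie"
    }

    public static async Task<string> EnsureAuthenticatedAsync(string sessionKey)
    {
        if (Tickets.TryGetValue(sessionKey, out var ticket)) return ticket; // already logged in
        var gate = Gates.GetOrAdd(sessionKey, _ => new SemaphoreSlim(1, 1));
        if (!await gate.WaitAsync(TimeSpan.FromSeconds(10)))
            throw new TimeoutException("Login for this session did not finish in time.");
        try
        {
            // Re-check inside the lock: the first panel may have finished while we waited.
            if (Tickets.TryGetValue(sessionKey, out ticket)) return ticket;
            return await DoLoginAsync(sessionKey);
        }
        finally { gate.Release(); }
    }
}
static class Program
{
    static async Task Main()
    {
        // Constructed input: three panels of one browser session loading at once.
        var results = await Task.WhenAll(Enumerable.Range(0, 3)
            .Select(_ => LoginGate.EnsureAuthenticatedAsync("constructed-session-1")));
        Console.WriteLine($"logins: {LoginGate.LoginCount}, tickets: {results.Distinct().Count()}");
    }
}
```

The gate here lives in one process; an application running on several servers would need a lock shared between them.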

RE: Web panels login issue

Hi Tony,

Thanks for the info. We'll definitely have to implement a workaround because the multiple web panels scenario looks like a typical one for SuperOffice.

But how was it possible to avoid this error for 2 years and now it's back again?

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

I'm not convinced it's ever gone away.

By: Tony Yates, 23 Jan 2020

RE: Web panels login issue

Could you elaborate more on why SuperOffice "deletes a cookie, creates a cookie, deletes a cookie, creates a cookie, etc for all windows shown" when it's open inside multiple iframes without logging out? Wouldn't it be a proper behavior just to let the already logged in user in?

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

I think there was a misunderstanding. SuperOffice does not do this... 

Under the right conditions, this may occur in the SuperOffice.DevNet.Online.Login library. See this link.

By: Tony Yates, 23 Jan 2020

RE: Web panels login issue

I'm not sure how the library you mentioned relates to the subject. In my example there are no apps, redirects, etc. involved at all, it's pure SuperOffice with two web panels pointing to the same SuperOffice and they fail to open.

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

Dmitry, Tony is referring to the issue that if you have more than one external webpanel loading at the same time in SuperOffice, to the same application, and the application is using the code provided by SuperOffice without any extra checks/safeguards, a login-race will occur between the webpanels and could cause authentication errors.

The issue you mention has to do with the recent changes around SameSite cookies, see this bug and this thread.

Because the SuperOffice session cookie in the latest release isn't marked with a SameSite attribute, Chrome will start treating it as SameSite=Lax meaning the session cookie from the top window (SuperOffice) will not be sent to iframes/webpanels (also SuperOffice in your case), which causes you to not be authenticated in the iframed/webpaneled SuperOffice screen.

By: David Hollegien, 23 Jan 2020

RE: Web panels login issue

Hi Dmitry,

OK, according to the emails between Siteshop and SuperOffice today, we know you are using Azure Active Directory as your Identity Provider and this leads to a whole other problem that is not related to the issues discussed here.

In that case you are not allowed to login towards AAD and Google via an iframe, and are expected to open a new browser tab or window and do the login there, then return to the client to see the authenticated session.

We'll try to post an example soon.

By: Tony Yates, 23 Jan 2020

RE: Web panels login issue

Hi David,

I don't think it's related to the cookies issue because SuperOffice WORKS when being opened in a single web panel, but fails (not always!) when there are multiple web panels trying to open it. So it looks more like a race condition.

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

Hi Tony,

Our SOD is not connected to an Identity Provider - I login by typing in my password. I guess, if it was an issue, even single iframe wouldn't work.

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

Do note, the samesite none workaround is only on one webcluster in stage and for production. It is NOT in SOD.

Could you make a video and show network traffic, send it to the ticket 

By: Margrethe Romnes, 23 Jan 2020

RE: Web panels login issue

No idea how to attach a video to the ticket :-) Sent it by email.

By: Dmitry Kuskov, 23 Jan 2020

RE: Web panels login issue

Sending the email with sos id in subject to appdev@SuperOffice.com 😊

By: Margrethe Romnes, 23 Jan 2020