Reserving tickets does not work

[jfbethlehem]

I tried to run Alfio on a system of mine, but after creating an event and trying to reserve a ticket, I get the following messages in the log and Alfio does not seem to respond on the UI-side:

Select amount of tickets:
22:01:34.840 [qtp2142893855-25] WARN org.springframework.web.servlet.PageNotFound - No mapping for POST /session-expired

Click 'Continue':
22:01:35.619 [qtp2142893855-21] WARN org.springframework.web.servlet.PageNotFound - No mapping for POST /session-expired

I installed Alfio and ran it manually (java -jar alfio.war) with alfio accessible through an Apache2 reverse proxy (admin section works just fine). Dev disabled and the required headers to make it work (x-forwarded-proto and x-forwarded-ssl and x-forwarded-for and x-real-ip) have been configured to pass through. Enabling dev-mode does not help and gives the same errors.

What am I doing wrong?

[cbellone]

Hi,

by looking at the corresponding issue #1176 , it looks like that for some reasons the client (or the browser) is not picking up the session when you try to submit the ticket reservation request.

1. Can you please verify that your browser allows cookies? In the dev console (Firefox: storage tab -> cookies) you should see at least the following entries (same names, different values):

2. Can you start your server with the following configuration in the application.properties:
   spring.profiles.active=jdbc-session
   this would ensure that the user session is persisted on the database and survives server restarts

[jfbethlehem]

Hi cbellone,

Thank you for your reply. I have set the spring.profiles.active to jdbc-session, makes no difference if the active profile is empty or set to jdbc-session or dev. Checking the browser (Edfe, FF, Chrome), all show that cookies are enabled and cookies can be set.

[jfbethlehem]

This is my application.properties:

#Tue Apr 05 08:32:43 CEST 2022

alfio.build-ts=2022-04-05T06\:32\:43.956085Z[UTC]
alfio.frontend.version=5d00e4e274
alfio.version=2.0-M4-2204
datasource.dialect=PGSQL
datasource.driver=org.postgresql.Driver
datasource.password=mypassword
datasource.url=jdbc:postgresql://localhost:5432/alfio
datasource.username=alfio
datasource.validationQuery=SELECT 1
server.compression.enabled=true
server.forward-headers-strategy=native
server.address=127.0.0.1
server.port=8081
server.servlet.session.cookie.http-only=true
server.servlet.session.timeout=24h
server.shutdown=graceful
spring.application.name=alfio
spring.profiles.active=jdbc-session

[jfbethlehem]

And my Apache config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/myalfio/"
    ServerName myalfio
    ServerAlias myalfio
    <Directory "/var/www/myalfio">
        Options SymLinksIfOwnerMatch
        Require all granted
        Allowoverride all
    </Directory>
    RewriteEngine on

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
    RemoteIPHeader X-Forwarded-For
    RemoteIPHeader X-Real-IP
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/myalfio/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myalfio/privkey.pem
</VirtualHost>
</IfModule>

[cbellone]

I am wondering if the Apache proxy is stripping the cookies from the response...

can you please post the output of the following command?

curl -vs https://myalfio/api/v2/public/i18n/languages > /dev/null

It is important that you run the command from a client outside the server's network, forcing the call to go over the internet.
There might be other reverse proxies (transparent or otherwise) between your browser and the server that could modify the response (i.e. CloudFlare)

[jfbethlehem]

there are no other reverse proxies between my host and myself, as far as I know. I executed the command on my server using the external hostname, forcing it to go through apache.

Here are the results:

*   Trying 999.999.999.999:443...
* Connected to myalfio (999.999.999.999) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4357 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=myalfio
*  start date: Jan 10 11:42:08 2023 GMT
*  expire date: Apr 10 11:42:07 2023 GMT
*  subjectAltName: host "myalfio" matched cert's "myalfio"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} [5 bytes data]
> GET /api/v2/public/i18n/languages HTTP/1.1
> Host: myalfio
> User-Agent: curl/7.74.0
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 10 Jan 2023 18:11:16 GMT
< Server: Apache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: application/json;charset=utf-8
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Vary: Accept-Encoding,User-Agent
< X-Frame-Options: sameorigin
< Set-Cookie: XSRF-TOKEN=df441543-aac4-4ad3-af4a-90bc7c40e9cd; Path=/;HttpOnly;Secure;SameSite=strict
< Set-Cookie: SESSION=4aec5460-a67f-44fc-8436-b5b0437a5671; Path=/; Secure; HttpOnly;HttpOnly;Secure;SameSite=strict
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: same-origin
< Transfer-Encoding: chunked
<
{ [600 bytes data]
* Connection #0 to host myalfio left intact

[cbellone]

I believe that your Apache proxy is doing more than it should. This is how the cookies should look like:

< Set-Cookie: XSRF-TOKEN=7b84e723-809f-4cc5-b2e0-4e83354b9ea7; Path=/
< Set-Cookie: SESSION=38b1f436-46dd-4dbb-9e76-bfea52a35875; Path=/; Secure; HttpOnly

here are cookies from your response:

< Set-Cookie: XSRF-TOKEN=df441543-aac4-4ad3-af4a-90bc7c40e9cd; Path=/;HttpOnly;Secure;SameSite=strict
< Set-Cookie: SESSION=4aec5460-a67f-44fc-8436-b5b0437a5671; Path=/; Secure; HttpOnly;HttpOnly;Secure;SameSite=strict

it looks like it's adding ;HttpOnly;Secure;SameSite=strict at the end of each cookie (see SESSION with HttpOnly defined twice)
XSRF-TOKEN cannot be HttpOnly. It must be accessible by the javascript code in the browser in order to be passed to the backend, that's why the application is not working.

[jfbethlehem]

Thank you, it works :)