Can we apply some protection against different attacks


irigsoft

7 hours ago, andyhill said:

Version 1542

TUniGUISession(AResponseInfo.Session).URLPAth; ACCESS VIOLATION ???

Please advise

The problem is that there is no AResponseInfo.Session.
You can try to use AResponseInfo.Referer,

but I do something else:

if UseSslFlag = True then begin
      AResponseInfo.ResponseNo:= 308;
      AResponseInfo.ResponseText:= 'Permanently Redirected';
      AResponseInfo.Location := 'mysecurelocation.com';
      AResponseInfo.Redirect('mysecurelocation.com');
end;

 

If you want the URL to be dynamic, try AResponseInfo.Referer;
I made the https URL in my settings file just like that:

if UseSslFlag = True then begin
      AResponseInfo.ResponseNo:= 308;
      AResponseInfo.ResponseText:= 'Permanently Redirected';
      AResponseInfo.Location := MySettings.Values['RedicetdURLAtStartUp'];
      AResponseInfo.Redirect(MySettings.Values['RedicetdURLAtStartUp']);
end;

 

The last time I tried it:

1. I don't have SSL and I've never booted into my computer

2. I start a new session and redirect to https on my site

3. The session never starts

I hope this means that "Strict Transport Security" works.

 

I tried it with a custom meta and it works too.

1. <meta http-equiv="refresh" content="2;url=http://example.com" />

OR

2. <script language="JavaScript">
function redirectHttpToHttps() {
    var loc = window.location.href+'';
    if (loc.indexOf('http://')==0){
      window.location.href = loc.replace('http://','https://');
    }
}
redirectHttpToHttps();
</script>


2 minutes ago, andyhill said:

Thank you, however I want to ReDirect ONLY if not https, if I understand you correctly you are redirecting every time ?

Yes,

I tried to use the referer and sometimes it has a value, but most of the time it doesn't.

I think the best solution is to use a custom meta with example 2 (JavaScript).


2 hours ago, andyhill said:

irigsoft, how did the testing go?

Hi, redirection works well from my site to another with this:

AResponseInfo.ResponseNo:= 308;
AResponseInfo.ResponseText:= 'Permanently Redirected';
AResponseInfo.Location := MySettings.Values['RedicetdURLAtStartUp'];
AResponseInfo.Redirect(MySettings.Values['RedicetdURLAtStartUp']);

 

I can't test from http to https (I don't have it).

SSL.Enabled := True leads to an error:

"Could not load root certificate. error: system library:fopen:No such process"


OK, this is what I have found so far; where would it be best to redirect?

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  s, newURL_SSL: String;
  REQ: TIdHTTPRequestInfo; // uIdCustomHTTPServer
begin
  if UseSslFlag = True then begin
    REQ:= UniSession.ARequest;
    s:= REQ.URI;            // GET='/',					POST='/HandleEvent'
    s:= REQ.Document;       // GET='/',					POST='/HandleEvent'
    s:= REQ.RawHTTPCommand; // GET='GET /HTTP/1.1',		POST='POST /HandleEvent HTTP/1.1'
    s:= REQ.Version;        // GET='HTTP/1.1',			POST='HTTP/1.1'
    s:= REQ.RemoteIP;       // GET='x.x.x.x',			POST='x.x.x.x'
    s:= REQ.From;           // GET='',					POST=''
    s:= REQ.Referer;        // GET='',					POST='http://x.x.x.x/' 
    if s <> '' then begin
      s:= LowerCase(s);
      if LeftStr(s, 5) = 'http:' then begin
        newURL_SSL:= StringReplace(s, 'http://', 'https://', [rfIgnoreCase]);
        // WHAT IS THE BEST WAY TO REDIRECT USING newURL_SSL FROM HERE ?
      end; // LeftStr(s, 5) = 'http:'
    end; // s <> ''
  end; // UseSslFlag
end;

 


2 hours ago, andyhill said:

OK, this is what I have found so far; where would it be best to redirect?

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  s, newURL_SSL: String;
  REQ: TIdHTTPRequestInfo; // uIdCustomHTTPServer
begin
  if UseSslFlag = True then begin
    REQ:= UniSession.ARequest;
    s:= REQ.URI;            // GET='/',					POST='/HandleEvent'
    s:= REQ.Document;       // GET='/',					POST='/HandleEvent'
    s:= REQ.RawHTTPCommand; // GET='GET /HTTP/1.1',		POST='POST /HandleEvent HTTP/1.1'
    s:= REQ.Version;        // GET='HTTP/1.1',			POST='HTTP/1.1'
    s:= REQ.RemoteIP;       // GET='x.x.x.x',			POST='x.x.x.x'
    s:= REQ.From;           // GET='',					POST=''
    s:= REQ.Referer;        // GET='',					POST='http://x.x.x.x/' 
    if s <> '' then begin
      s:= LowerCase(s);
      if LeftStr(s, 5) = 'http:' then begin
        newURL_SSL:= StringReplace(s, 'http://', 'https://', [rfIgnoreCase]);
        // WHAT IS THE BEST WAY TO REDIRECT USING newURL_SSL FROM HERE ?
      end; // LeftStr(s, 5) = 'http:'
    end; // s <> ''
  end; // UseSslFlag
end;

 

I think you must add only this:

//close old session after redirect

TUniGUISession(ASession).UniApplication.UniSession.TerminateAfterSecs(5);

//redirect

TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect (newURL_SSL);

 


 


Thank you irigsoft for your assistance, this is now my production code (obviously the UniServerModule parameters need to be set):

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  Referer, Ssl_Url: String;
  REQ: TIdHTTPRequestInfo; 
begin
  if UniServerModule.UseSslFlag = True then begin
    REQ:= UniSession.ARequest;
    Referer:= LowerCase(REQ.Referer); // GET='', POST='http://x.x.x.x/...' or POST='http://DomainName/...'
    if Referer <> '' then begin
      if LeftStr(Referer, 5) = 'http:' then begin
        if ( (UniServerModule.AllRefererSslFlag = True)      // ReDirect ALL http
        or   (Pos(UniServerModule.DomainName, Referer) > 0)  // ReDirect Only DomainName http
        or   (Pos(UniServerModule.BindToIpStr, Referer) > 0) // ReDirect Only Bound IP http
           ) then begin
          Inc(UniServerModule.ReDirectCounter);              // Analytics
          Ssl_Url:= StringReplace(Referer, 'http://', 'https://', [rfIgnoreCase]);
          // Close old session after redirect
          TUniGUISession(ASession).UniApplication.UniSession.TerminateAfterSecs(2);
          // Redirect
          TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect(Ssl_Url);
        end;
      end; // 'http:'
    end; // Referer
  end;
end;

Sherzod, Farshad, please comment on my implementation. Also, do I need to set the Handled flag?


2 hours ago, andyhill said:

Thank you irigsoft for your assistance, this is now my production code (obviously the UniServerModule parameters need to be set):


procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  Referer, Ssl_Url: String;
  REQ: TIdHTTPRequestInfo; 
begin
  if UniServerModule.UseSslFlag = True then begin
    REQ:= UniSession.ARequest;
    Referer:= LowerCase(REQ.Referer); // GET='', POST='http://x.x.x.x/...' or POST='http://DomainName/...'
    if Referer <> '' then begin
      if LeftStr(Referer, 5) = 'http:' then begin
        if ( (UniServerModule.AllRefererSslFlag = True)      // ReDirect ALL http
        or   (Pos(UniServerModule.DomainName, Referer) > 0)  // ReDirect Only DomainName http
        or   (Pos(UniServerModule.BindToIpStr, Referer) > 0) // ReDirect Only Bound IP http
           ) then begin
          Inc(UniServerModule.ReDirectCounter);              // Analytics
          Ssl_Url:= StringReplace(Referer, 'http://', 'https://', [rfIgnoreCase]);
          // Close old session after redirect
          TUniGUISession(ASession).UniApplication.UniSession.TerminateAfterSecs(2);
          // Redirect
          TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect(Ssl_Url);
        end;
      end; // 'http:'
    end; // Referer
  end;
end;

Sherzod, Farshad, please comment on my implementation. Also, do I need to set the Handled flag?

Please set more time on TerminateAfterSecs; if the redirection takes more time, the session will close before the redirected URL loads.

I set 20 sec!


Using 20 seconds, the code changes the UrlPath to https as expected, but the framework hangs on the https restart (loading...), requiring a browser refresh in both Chrome and Edge to re-fetch?

Should we have set Handled := True before the redirect?


20 minutes ago, andyhill said:

Using 20 seconds, the code changes the UrlPath to https as expected, but the framework hangs on the https restart (loading...), requiring a browser refresh in both Chrome and Edge to re-fetch?

Should we have set Handled := True before the redirect?

Thanks,

In my case I will then use 5 sec to terminate the session

and Handled := True; after the redirect.

But Handled := True; or False didn't make any difference.

I have other code in UniGUIMainModuleHandleRequest and after Handled := True the code is executed too.


9 minutes ago, andyhill said:

Any thoughts about the hang (loading icon...)?

I don't have it.

I use redirection to another server and there is no hang.

1. Start URL 127.0.0.1 without https

2. Redirect to 192.168.1.1 without https

Redirection works with TerminateAfterSecs(5). More seconds really block loading.

Try to redirect to google.com, and it works too.

 

I had some issues with StringReplace(Referer, 'http', 'https') because the replace turned the string from 'http://mylocation.com' into 'http://mylocation.com/https://mylocation.com', and this took me to the loading....

but with your code it works fine.


Did you make some custom meta, and does that make trouble now?

Did you delete the redirection commands from .htaccess?

I make my test in a standalone application, and you?

Try to redirect to something else like google.com, and if it works, then look for the problem in other redirection rules.


I did this and for me it works, but I can't redirect to https (I don't have it). Redirecting to anything else is OK.

I think it is good to add this in your code: If (RedirectURL <> RedirectAtStartUp) then begin; maybe it will help.
You use LowerCase() but this can make some trouble; did you try my way?

uniServerModule

var
  RedirectURL: String;   // remembers the URL we already redirected to

// MainModule. The procedure header, the REQ/s declarations and the read of
// RedirectAtStartUp from SettingsList were not in the posted fragment and are
// filled in here so the code compiles as a handler.
procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  s, RedirectAtStartUp: String;
  REQ: TIdHTTPRequestInfo;
begin
  //redirect to SettingsList.Values ['RedirectAtStartUp']
  RedirectAtStartUp := SettingsList.Values['RedirectAtStartUp'];
  if (RedirectAtStartUp <> '') then begin
    REQ:= UniSession.ARequest;
    // REQ.URI, REQ.Document, REQ.RawHTTPCommand, REQ.Version, REQ.RemoteIP and
    // REQ.From were only inspected while debugging; only the Referer is used.
    s:= REQ.Referer;
    if (s <> '') then begin
      If (RedirectURL <> RedirectAtStartUp) then begin   // redirect only once
        //REQ.ResponseNo:=308;
        //REQ.ResponseText:=' Permanently redirected';
        RedirectURL := RedirectAtStartUp; //s;

        //redirect to https
        //newURL_SSL:= StringReplace(RedirectURL, 'http://', 'https://', [rfIgnoreCase]);
        RedirectURL := StringReplace(RedirectURL, 'http://', 'https://', [rfIgnoreCase]);
        TUniGUISession(ASession).UniApplication.UniSession.TerminateAfterSecs(20);
        TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect(RedirectURL);
        Handled := True;
      end;
    end; // s <> ''
  end;
end;


We already have Strict-Transport... It only works if the URL is accessed via https; then the browser will remember it. My testing shows it does nothing with an http URL.

Also, it is as if a UniGUIMainModuleHandleRequest http session cannot redirect to an https session properly with TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect(RedirectURL)?


4 hours ago, andyhill said:

We already have Strict-Transport... It only works if the URL is accessed via https; then the browser will remember it. My testing shows it does nothing with an http URL.

Also, it is as if a UniGUIMainModuleHandleRequest http session cannot redirect to an https session properly with TUniGUISession(ASession).UniApplication.UniSession.UrlRedirect(RedirectURL)?

I get your results when I try to redirect to myself:

from http://127.0.0.1:8055/form=name1 to http://127.0.0.1:8055/form=name125


I tried in a new project to redirect from http://127.0.0.1:8077/?Form=PosN to http://127.0.0.1:8077/?Form=AddN

1. Your code

2. Try to redirect via JavaScript in a custom meta from here:

3. Try to reconnect with a custom meta: <meta http-equiv="refresh" content="2; url=http://127.0.0.1:8077/?Form=AddN" />

If I redirect to another URL it's OK, but if I try to redirect to the same location

the error is always the same.

Like in the picture.


@andyhill,

And so, I think I succeeded in redirecting:

1. Strange, but it works: add to MainModule.ServerMessages.TerminateTemplate

'<meta http-equiv="refresh" content="0; URL='http://www.google.com'"/>'

from here:

2. Make your code this way:

from 'http://127.0.0.1:8077/?Form=POS_N' to 'http://127.0.0.1:8077/?Form=AddN'

unit MainModule;

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject;
  var Handled: Boolean);
var
  s           : String;
  //REQ         : TIdHTTPRequestInfo; // uIdCustomHTTPServer
  RedirectURL : String;
begin
  RedirectURL := 'http://127.0.0.1:8077/?Form=AddN';
  //only if get some request
  if (UniSession.ARequest.URI = '/HandleEvent')
     //and not redirected
     AND (RedirectURL <> UniSession.ARequest.Referer)
  then begin
    Handled := True;
    s := UniSession.ARequest.Referer;
    //if this is not used, redirects forever!!!!
    UniSession.AResponse.ResponseNo := 308;
    UniSession.AResponse.ResponseText := 'redirected';

    UniSession.UrlRedirect(RedirectURL);
  end;
end;

3. Run the project

4. Delete the meta tag from MainModule.ServerMessages.TerminateTemplate

5. Run the project

And no more errors: it loads the first URL and after some seconds redirects to the second URL, that's it.

I think the changes in MainModule.ServerMessages.TerminateTemplate make some difference!

Here is my latest implementation:

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  Referer, RedirectURL, FormattedDateTime: String;
begin
  // FORCE https Hack
  if UniServerModule.UseSslFlag = True then begin
    if UniSession.ARequest.URI = '/HandleEvent' then begin
      Referer:= LowerCase(UniSession.ARequest.Referer);
      if LeftStr(Referer, 5) = 'http:' then begin
        if ( (UniServerModule.AllRefererSslFlag = True)      // ReDirect ALL http
        or   (Pos(UniServerModule.DomainName, Referer) > 0)  // ReDirect DomainName http
        //or   (Pos(UniServerModule.BindToIpStr, Referer) > 0) // ReDirect Bound IP http (Testing)
           ) then begin
          Handled:= True;
          // Analytics
          Inc(UniServerModule.ReDirectCounter);
          // Audit
          DateTimeToString(formattedDateTime, 'dd/mm/yyyy hh:nn:ss.z', Now());
          UniServerModule.Logger.AddLog('ANDY-M', UniSession.RemoteIP +
                                        ' - ' + FormattedDateTime +
                                        ' - ' + UniSession.SessionId +
                                        ' - ReDirect "'+Referer+'" ' +
                                        '('+IntToStr(UniServerModule.ReDirectCounter)+')');
          // http --> https
          RedirectURL:= StringReplace(Referer, 'http://', 'https://', [rfIgnoreCase]);
          // Prevent ReCycling
          UniSession.AResponse.ResponseNo:=   308;
          UniSession.AResponse.ResponseText:= 'Redirected';
          // Add Delete Current Thread Here
          // ReDirect
          UniSession.UrlRedirect(RedirectURL);
        end; // Process
      end; // 'http:'
    end; // '/HandleEvent'
  end; // UseSslFlag
end;

Happy for feedback.
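The http-to-https bounce built up in this thread derives its redirect target from the Referer header, which is sent by the client and can say anything. As an added illustration (Python, not part of the thread or of uniGUI; the allowlist hosts and the Referer values are constructed), here is the target-selection step written so that only an exact match on a host the server actually serves is upgraded, and only the scheme is rewritten. The naive StringReplace-style rewrite from the thread is kept alongside for comparison:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist standing in for UniServerModule.DomainName / BindToIpStr:
# only hosts we actually serve may be the target of the http -> https bounce.
ALLOWED_HOSTS = {"app.example.com", "192.168.1.1"}


def naive_rewrite(referer: str) -> str:
    """The thread's StringReplace(Referer, 'http://', 'https://') approach.

    It rewrites every occurrence, so a URL embedded in the query string is
    rewritten as well, and it never checks whose host the Referer names.
    """
    return referer.replace("http://", "https://")


def https_redirect_target(referer: str, allowed_hosts=ALLOWED_HOSTS):
    """Return the https URL to bounce to, or None when no redirect is warranted.

    The Referer header is client-supplied, so it is treated as untrusted input:
    parse it, require the plain-http scheme, and require an exact host match
    against the allowlist (a substring test such as Pos(DomainName, Referer) > 0
    would also accept http://evil.example/?x=app.example.com).
    """
    if not referer:
        return None  # browsers frequently send no Referer at all
    parts = urlsplit(referer)
    if parts.scheme.lower() != "http":
        return None  # already https, or not a web URL: nothing to upgrade
    host = (parts.hostname or "").lower()  # .hostname strips userinfo and port
    if host not in allowed_hosts:
        return None  # not our host: bouncing there would be an open redirect
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # Only the scheme changes; path and query pass through untouched and keep
    # their case (LowerCase() on the whole Referer would also fold them).
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def decide(referer: str) -> str:
    """Summarise what the request handler would do for a given Referer."""
    target = https_redirect_target(referer)
    return f"308 -> {target}" if target else "no redirect"


if __name__ == "__main__":
    # Constructed Referer values, modelled on the ones quoted in the thread.
    samples = [
        "http://app.example.com:8077/?Form=AddN",
        "http://192.168.1.1/",
        "https://app.example.com/",
        "http://evil.example/?next=app.example.com",
        "http://app.example.com@evil.example/",
        "http://app.example.com/?next=http://other.example/",
        "",
    ]
    for ref in samples:
        print(f"{ref!r:55} {decide(ref)}")
    print("naive:", naive_rewrite("http://app.example.com/?next=http://other.example/"))
```

Two details of the thread's Pascal are worth checking against this: `Pos(UniServerModule.DomainName, Referer) > 0` matches any Referer that merely contains the domain name somewhere, and a whole-string replace of `http://` also rewrites URLs that happen to sit in the query. The HSTS observation made earlier in the thread agrees with how the header is defined: browsers only honour Strict-Transport-Security received over https, so the first plain-http visit still depends on a server-side redirect such as this one, and HSTS then keeps later visits on https.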
