Comments (7)
seansfkelley
commented on August 23, 2024
This is very strange. The extension specifically does not use cookies, but instead holds onto a unique session ID granted by DSM to hand back with requests. I'm not sure by what mechanism it would be leaking across into your normal browsing state, if that's what it's doing.
I followed your three steps above, including removing the extension entirely to start with a blank slate, and I wasn't able to see the behavior on Firefox 56.0.2. What browser version and DSM version are you on? Are you able to get it to happen reliably with the steps outlined above with no other intervening actions?
from nas-download-manager.
elisimpson
commented on August 23, 2024
I'm playing around with it some more to see if I can get you info to help
diagnose. One thing I found right away: if I'm logged in to DSM as "user1"
and go to the extension options screen and set the user/pass for "user2"
and hit the "test connection" button I'm immediately logged out from
user1's DSM session (goes back to the log in screen). That implies
something in the extension is overriding the browser's normal session.
As far as versions go:
FF: 56.0.2
DSM: 6.1 with latest patch
Synology Download Manger ext: 0.2.1
…On Sat, Nov 4, 2017 at 5:11 AM, Sean Kelley ***@***.***> wrote:
This is very strange. The extension specifically does not use cookies, but
instead holds onto a unique session ID granted by DSM to hand back with
requests. I'm not sure by what mechanism it would be leaking across into
your normal browsing state, if that's what it's doing.
I followed your three steps above, including removing the extension
entirely to start with a blank slate, and I wasn't able to see the behavior
on Firefox 56.0.2. What browser version and DSM version are you on? Are you
able to get it to happen reliably with the steps outlined above with no
other intervening actions?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#32 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ANNCHnB80HrrdJokf2chIc6GuMhPKbf_ks5sy3NqgaJpZM4QMv6U>
.
from nas-download-manager.
seansfkelley
commented on August 23, 2024
Alright, I got a repro working, but unsure how minimal it is. Steps:
- Disable all my addons and remove Synology Download Manager.
- Restart Firefox to ensure a clean slate w/r/t the addons.
- In Firefox's preferences, always allow third-party cookies (no idea if this would make a difference, but it's caused weird problems around sessions for me in the past).
- Log into DSM using the external URL I have setup through Synology (i.e.,
example.synology.me) with some user A, being sure to "Stay signed in". - Close the tab I'm logged into DSM with.
- Install the Synology Download Manager addon.
- Set up the addon with some user B (who has fewer permissions than user A, fwiw).
- Hit "Test Connection".
- Open DSM again in a new tab.
Now I'm logged out. Weird.
from nas-download-manager.
seansfkelley
commented on August 23, 2024
The above repro still works (i.e. breaks) with the latest version on master too. If I drop the part of the login test where it logs outs after itself, it just ends up hijacking the session, but leaving it logged in.
This is also happening with SynoLoader and SynoNext (other Firefox extensions). Synology Download Extender and SynoExt just didn't work on my install.
Upon further research, the key actually appears to be "allow third-party cookies". My suspicions are borne out! DSM sends back cookies even if we don't ask for them, and Firefox will apparently happily set the cookie for that domain even though the request is originating from an extension. That... seems like a bug?
The Synology is also at fault, since according to the docs it shouldn't be setting cookies if we ask for an sid instead:
Returned format of session ID. Following are the two possible options and the default value is
cookie.
cookie: The login session ID will be set to cookie.
sid: The login sid will only be returned as response json data and the cookie will not be set.
@elisimpson could you try setting Firefox's "accept third-party cookies" setting to "never" and seeing if you still have the issue?
from nas-download-manager.
seansfkelley
commented on August 23, 2024
Should be fixed on master using undocumented APIs (spooky!). Look for the release in the coming days.
from nas-download-manager.
elisimpson
commented on August 23, 2024
Tried the update today and it seems to have fixed the issue... Thanks!
…On Tue, Nov 7, 2017 at 10:13 AM, Sean Kelley ***@***.***> wrote:
Should be fixed on master using undocumented APIs (spooky!). Look for the
release in the coming days.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#32 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ANNCHqQBnv7818fDpGYeDkGfty-zAAkuks5sz66-gaJpZM4QMv6U>
.
from nas-download-manager.
seansfkelley
commented on August 23, 2024
Of course!
For my own future reference: this is a known issue that using a higher version of the auth APIs don't have. Those newer versions are not documented, and after asking Synology support where I could find the docs for what changed between API versions and what's current, I got the response (paraphrasing) "i dunno lol" which isn't entirely helpful...
from nas-download-manager.
Related Issues (20)
- getURL is deprecated
- Cannot connect using Firefox.
- URL link, right click advanced context menu, save to folder option HOT 1
- miscellaneous maintenance list
- Not support 2 factor authentication. HOT 1
- ability to create a new folder in NAS directory prior to initiating download HOT 1
- add link to login error message directing users to the FAQ if certs are the likely culprit
- Die angeforderte API existiert nicht.
- It can't login to NAS anymore HOT 2
- Support http authentication
- Loggin issue on DSM 7 HOT 2
- "URL(s) to download" auto-focus
- Announcement: Maintenance Mode 🔧
- cannoct login using quickconnect, only local IP address HOT 1
- Connection failed for an unknown reason DSM7 HOT 2
- Decryption of DLC files
- IPv6 HOT 3
- DevTools console failed to load source map: Could not load content for chrome-extension://iaijio... System error: net::ERR_BLOCKED_BY_CLIENT HOT 2
- error when restarting browser HOT 3
- Magnet association with NAS Download Manager HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nas-download-manager.