NSP: Sorry Dave, I can't let you do that

[hbouma]

I have been having an issue with IE 11.1206.15063.0 update 11.0.75. When logging into Nagios Fusion 4.1.1, I get an error "NSP: Sorry Dave, I can't let you do that".

Login works fine from Chrome or FireFox.

I have tested on multiple machines, verified the date/time is correct, and cleared my cache. I have turned on compatibility mode, but the issue still exists. While attempting to narrow down the issue, I see not problems listed in the files in /usr/local/nagiosfusion/var/log, nor in my /var/log/httpd/ folders.



Nagios Fusion is running on 64bit Red Hat 7.

[cdienger]

When the login page comes up, a hidden variable called nsp is set in the source code. When credentials from the login page are submitted the nsp variable is included and checked against a php session id. The "Sorry Dave" message occurs if the session id and nsp value don't match. The most common causes for this that I've seen:

-data is incorrect on the client or XI machine
-client browser has login page cached with an old nsp value
-client logged in with https, logged out and then tried to login with http

When I get this error I like to load the page a few times and check the source to verify that the nsp value is actually updating. You may just need a hard refresh in the browser to get this to work again.

Less than ideal but can fix this quickly is just to restart the httpd service with 'service httpd restart'

[hbouma]

You are correct. The nsp_str is not getting updated.

-data is incorrect on the client or XI machine

Issue stays despite restarts of the computer, or even going to different computers/servers. I have cleaned my temporary files without success.

-client browser has login page cached with an old nsp value

A hard refresh of IE does not fix the issue (ctrl + F5), nor does closing IE (verified IE is not running via Task Manager).

-client logged in with https, logged out and then tried to login with http

Server is setup to use https, login URL is https, login has never occurred, so we cannot log in, then log out, then attempt another login with http.

I don't know if this matters, but the server is setup for TLS communication, and is setup with an alias. We do get different nsp_str values depending on if we go to https://servername/nagiosfusion or if we go to https://alias/nagiosfusion. The string is also different depending on which computer you hit the server from, but it never updates once you get your initial string.

[cdienger]

Testing this again the proper behavior is the string will stay the same but change if there is a successful login or if apache/php generates a new one for the client. Have you tried restarting the httpd service?

[hbouma]

Yes, HTTPD was restarted.

Logins will not work with any user in IE. Are there some log files I could look at that may point me to the direction of the issue?

[cdienger]

Attached is a new /usr/local/nagiosfusion/html/includes/utils/sessions.inc.php to replace the old one. It will display the two variables that need to match in order to avoid this message. I'm curious to know what the client is submitting and if it is the same value seen in the source.

[hbouma]

From IE:

Code: Select all

NSP: Sorry David, I can't let you do that
NSP: f2f9211c56fa200cf8994548361b613abadee4031483b8abe13cb219fd3382b4
user_nsp: 

From Chrome:

Code: Select all

NSP: Sorry David, I can't let you do that
NSP: f3bd4135e883c09cdeb68621681833bf39ffb35ae57da49a84968cb85f7cdc0f
user_nsp: f3bd4135e883c09cdeb68621681833bf39ffb35ae57da49a84968cb85f7cdc0f

[cdienger]

Interesting. Does the nsp value show up in the POSTd body? Example:

[hbouma]

It does not

2018-08-08 07_44_46-https___nagiosfusion_login.php - Internet Explorer.png

[cdienger]

What version of Windows is the client on? I'm having difficulty getting my machine up to IE 11.1206.15063.0 update 11.0.75 for testing and think it may be due to the OS version.