CAFBank and Server Side User Agent Sniffing
Thursday, April 26, 2012 9:02:32 PM
- understand the context of our work
- take actions when they are users of these Web sites
Let's talk about OTW-2621. The bug was created on September 9, 2006 (more than 5 years ago). The bug report was very clear. At this time Opera 9 was released. Opera Users of this bank were unable to use the Bank Web site. In this case, sometimes a more advanced user will report the issue to Opera. It's normal. Users have no idea if the site is broken or if Opera has a bug. In Cinemascope…
What is happening for users
I start a clean version of Opera Next (beta 12), with no cookies, no cache, nothing, and I enter the address of the Web site. Press Enter.
OK, two things have happened. The address bar has changed: Opera has been redirected to a new address, and there is a request asking for certificate confirmation. Let's accept the certificate request. The browser is redirected to a Browser Unsupported page.
OK. Let's try something else. Ctrl+click or right-click on the page and choose "Edit Site Preferences", then select the Network tab and finally identify Opera as Firefox. It means the browser will send this User Agent string instead of the normal one.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7.3; fr; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.00
We try to access the Web site and drumroll…
Opera is redirected this time to the right page. Note at this moment that in the Web site stats, Opera will be identified as Firefox. Maybe we could change the motto of Opera to "We increase the market share of Firefox".
Our friend - User Agent Sniffing
So as usual in these circumstances, I go to the command line to see what is happening.
    → curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" http://www.cafbank.org.uk/
    HTTP/1.1 302 Redirect
    Content-Length: 156
    Content-Type: text/html
    Location: https://secure.cafbank.org/online
    X-Powered-By: ASP.NET
    Date: Thu, 26 Apr 2012 20:55:19 GMT
An initial redirection, then a second one.
    → curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" https://secure.cafbank.org/online
    HTTP/1.1 301 Moved Permanently
    Content-Length: 157
    Content-Type: text/html
    Location: https://secure.cafbank.org/online/
    X-Powered-By: ASP.NET
    Date: Thu, 26 Apr 2012 20:57:56 GMT
And finally the last one.
    → curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" https://secure.cafbank.org/online/
    HTTP/1.1 302 Object moved
    Cache-Control: private
    Content-Length: 163
    Content-Type: text/html
    Location: https://www.cafbank.org.uk/unsupported.htm
    X-Powered-By: ASP.NET
    Set-Cookie: ASPSESSIONIDCSTCAABS=GLINBDNAGGOAPPLAHFHABCFL; path=/
    Date: Thu, 26 Apr 2012 20:58:45 GMT

OK. Nothing much we can do. The site is working when identifying as Firefox. There is no implementation bug on Opera's side. The redirection is happening on the server side. Let's contact CAFBank.
The first issue when contacting Web sites is usually that it is almost impossible to reach the right persons. Options are terse. The bigger the company is, the harder it is. Some companies have zillions of Web sites, working with local Web agencies. When there is a contact form, the person receiving the message often doesn't have the right knowledge to be able to communicate the information.
But we try. It usually goes something like this.
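The same hop-by-hop check can be scripted so that two User-Agent strings are compared automatically. This is an added example, not part of the original post: the host bank.example, the function names and the replayed responses are constructed, and it assumes absolute Location headers like the ones in the captures above.

```shell
#!/bin/sh
# head_request UA URL -> raw response headers (what `curl -sI -A` prints).
# With LIVE=1 it queries the network; otherwise it replays constructed
# responses for the hypothetical host bank.example.
head_request() {
  if [ -n "${LIVE:-}" ]; then curl -sI -A "$1" "$2"; return; fi
  case "$2" in
    */online/) case "$1" in
        *Firefox*) printf 'HTTP/1.1 200 OK\r\n' ;;   # UA the server accepts
        *) printf 'HTTP/1.1 302 Object moved\r\nLocation: https://bank.example/unsupported.htm\r\n' ;;
      esac ;;
    */online) printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: %s/\r\n' "$2" ;;
    *) printf 'HTTP/1.1 200 OK\r\n' ;;
  esac
}

# redirect_chain UA URL [MAX_HOPS] -> one "STATUS URL" line per hop.
# Assumes absolute Location headers; stops at the first non-redirect status.
redirect_chain() {
  ua=$1 url=$2 hops=${3:-10}
  while [ "$hops" -gt 0 ]; do
    headers=$(head_request "$ua" "$url" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk '/^HTTP\//{s=$2} END{print s}')
    next=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:"{l=$2} END{print l}')
    echo "$status $url"
    case $status in 30[12378]) ;; *) break ;; esac
    [ -n "$next" ] || break
    url=$next
    hops=$((hops - 1))
  done
}

# final_url UA URL -> URL of the last hop in the chain.
final_url() { redirect_chain "$1" "$2" | tail -n 1 | cut -d' ' -f2; }

# ua_sniffing_suspected URL UA_A UA_B -> exit status 0 when the same URL
# ends somewhere different depending only on the User-Agent header.
ua_sniffing_suspected() {
  [ "$(final_url "$2" "$1")" != "$(final_url "$3" "$1")" ]
}
```

Calling `redirect_chain "$UA" "$URL"` prints the chain for one User-Agent; setting `LIVE=1` makes the same functions issue real `curl -sI` requests instead of replaying the constructed responses.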
Madam, Sir,

I'm working for Opera Software's Developer Relations team. We have received multiple reports from your customers that www.cafbank.org.uk website does not work properly in our browser product in some circumstances. Could you put me in contact with the appropriate person in the Communications/Marketing team and/or Technical team in charge of your Web site.

Issue

When accessing https://www.cafbank.org.uk/ with Opera browsers, users are being redirected to https://www.cafbank.org.uk/unsupported.htm
They also can't access their accounts. https://secure.cafbank.org/online/ASPScripts/Logon.asp

Solution

It seems that the Web site is doing server-side sniffing for https://secure.cafbank.org/online/ASPScripts/Logon.asp

    HTTP/1.1 302 Object moved
    Cache-Control: private
    Content-Length: 163
    Content-Type: text/html
    Location: https://www.cafbank.org.uk/unsupported.htm
    X-Powered-By: ASP.NET
    Set-Cookie: ASPSESSIONIDQAASSRBS=HFKPDKOAHHKNDBHEFPOHOOBL; path=/
    Date: Wed, 11 May 2011 14:32:31 GMT

We would like to find a solution for fixing these. Could you tell us what were your difficulties in creating this site which led to this user agent sniffing? It would be very kind of you, if you could tell us when you have fixed this issue. If you have any additional issues with Opera browser, we would like to work together on solving them.

Best regards

I tried to contact them on May 11, 2011, and customer services told me that they would contact their IT services. I then asked for a status update on:
- July 11, 2011. No answer.
- October 28, 2011. No answer.
- March 29, 2012. No answer.
Finally today: April 26, 2012! Hurrah! I received an answer. Imagine how happy I was… before reading this email.
Dear Mr Dubost

Thank you for your email, my apologies for our delay in replying.

CAF Bank customers are able to contact us in a variety of methods and not just through CAF Bank online. We do not have any plans at present to extend the browsers which are supported for CAF Bank online however we have noted your comments for when we next review our online facility.

Thank you,
Regards,
**** *****
What is next?
In fact, I should have done something a lot earlier, when we didn't receive replies to the requests for status. I should have asked that CAFBank be added to the sitepatch list, so that each time an Opera user tries to access this bank's Web site, he/she will be identified as Firefox and have a peaceful experience on the Web site.
What does it achieve?
- Opera loses market share
- Opera Users can use the Web site
- Project Managers continue to ignore Opera because it is not in their stats
I want to make something very clear here. I'm not complaining, I'm just expressing a sad reality. I can share stories like this very often. Maybe I should. I don't know.