Intranet WTF



  • My company recently upgraded its internal training site. In some ways this is good. It no longer requires you to go find a spare computer that hasn't had the JRE updated in 4 years. In other ways, I'm not so impressed.

    Earlier today, I checked what upcoming training I'm registered for, then went about my business. A while later, Chrome stopped working. What?

    I looked around and found that tab had popped up a dialog telling me my session was going to time out. A modal dialog that prevents doing anything in any browser window.

    Yeah, whatever. I'm done there. Just make the dialog go away so I can get on with what I was doing.

    Wrong decision. Clicking "Cancel" ends the session. And logs me off the intranet server. In every browser tab that was logged in. And somehow breaks Chrome so that hovering over a link no longer shows the target URL. In any tab.



  • And how is that a problem with your intranet site and not Chrome?
    Isn't Chrome supposed to be even less full-browser-crash-y than other browsers?
    Or is this dialog from whatever the open source equivalent of ActiveX is? (Java?)



  • @created_just_to_disl said:

    And how is that a problem with your intranet site and not Chrome?

    Breaking Chrome is plausibly a Chrome problem. But completely logging me out of the intranet because one web app is idle is undeniably a stupid misfeature of that web app.


  • ♿ (Parody)

    I'm not entirely sure what you mean by "logged into the intranet," but assuming it's the same login mechanism on all tabs, logging out of one should probably log you out of all of them on any browser (i.e., all tabs of that browser). Process separation doesn't seem to mean session / cookie separation. That I've ever seen.

    Not that I really understand how it all works, mind you. Just reporting based on previous observations.



  • We have one server (or cluster of servers with a single public name, or whatever) that is theoretically your starting point for anything on the intranet. It requires logging in with employee ID and password. Call it intra.example.com. (We also have other servers for bug tracking, document control, internal wiki, etc., each with their own separate logins (same credentials) and individual policies as to how long a session lasts, whether the browser is allowed to remember login credentials, etc., which is a bit of a WTF in itself, but it's not relevant to this discussion.)

    Normally, there is no limit to the session on intra; I only have to log in when I restart my browser — actually, maybe not even then; I think restoring the browser session preserves that login.

    The corporate training app provides history of your training, registration for future training and presentation of online training, as well as a catalog of training available. At the end of a session, rather than merely invalidating a session cookie, or whatever, associated with that specific app, it invalidates your login for all of intra, interfering with whatever other work you may have been using intra for.

    I thought it was hosted on intra, but I just looked again and it's hosted on some external, 3rd-party provider's server. That's an even bigger WTF than I thought. How the hell can it even do that? It's on a completely different server that's not even part of our intranet.

    The training app has a few other WTFs, too. The catalog of available training is infiniscroll, with hundreds of classes available. Want to look at details of a particular class? Middle click; nothing happens. Right click, open in new tab; blank. The links point to "javascript: void(0);" There is some data-bind="click: ..." attribute that is beyond my understanding of JS and DOM to decipher. The only way to get to the detail is to left-click navigate away from the catalog page. Done reading the details and want to go back to the class list? Go back to the top of the infiniscroll list. Did I mention we have hundreds of classes available?

    It's supposed to present online training. It will, apparently, allow me to review training I've already taken, but everything else that would be remotely useful has, so far, resulted in "This training item is currently unavailable to you."


  • ♿ (Parody)

    @HardwareGeek said:

    I thought it was hosted on intra, but I just looked again and it's hosted on some external, 3rd-party provider's server. That's an even bigger WTF than I thought. How the hell can it even do that? It's on a completely different server that's not even part of our intranet.

    Sounds like single sign on, just using a third party service instead of one hosted by your company.

    @HardwareGeek said:

    The training app has a few other WTFs, too.

    LMSs (learning management systems) are always TRWTF.



  • @boomzilla said:

    Sounds like single sign on, just using a third party service instead of one hosted by your company.

    I still say it's a WTF that one app — any app, but especially one on a 3rd-party server — logs me out completely instead of just invalidating its own session.

    @boomzilla said:

    LMSs (learning management systems) are always TRWTF.

    Well, at least it's better than the old one (except for the online material not being available; that's a pretty big WTF). You think Back causes issues here; on the old LMS it caused a Java NullReferenceException. You use it by mistake, out of habit? Oops, start the training over.


  • ♿ (Parody)

    @HardwareGeek said:

    I still say it's a WTF that one app — any app, but especially one on a 3rd-party server — logs me out completely instead of just invalidating its own session.

    That's fair. The app should have its own session separate from the SSO.



  • @HardwareGeek said:

    I looked around and found that tab had popped up a dialog telling me my session was going to time out. A modal dialog that prevents doing anything in any browser window.

    Hmm, it could have been the "showModalDialog" function... the same one that Chrome disabled recently and Firefox plans to do soon because it breaks the browser. Maybe your Chrome wasn't 100% up to date, or maybe the sysadmin reenabled it through enterprise policy.



  • No no no, wait, there's something fishy here since an application cannot invalidate another's session. Take, for example, GitHub and this forum. If you log in with Twitter to both of them, if you log out from TheDailyWTF there's no way it will also log you out of GitHub unless... hehehe... this is such a WTF: both applications are sharing the same OAuth credentials which beats the whole security of OAuth.


  • ♿ (Parody)

    @Eldelshell said:

    No no no, wait, there's something fishy here since an application cannot invalidate another's session.

    I assume that the app relies on the SSO and its session. So if something can invalidate the SSO, it effectively invalidates the other sessions from the user's point of view, even if the server thinks it's still alive.
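
Added example, not part of any post in this thread: a small JavaScript model of the point made in the two replies above, an app that keeps its own session separate from the SSO session versus one whose idle timeout signs the user out of the SSO. The class names, timeouts and user are hypothetical, and nothing here is the actual intranet's or LMS's code.

```javascript
class SsoProvider {
  constructor() { this.sessions = new Set(); }
  login(user) { const id = `sso-${user}`; this.sessions.add(id); return id; }
  isValid(id) { return this.sessions.has(id); }
  logout(id) { this.sessions.delete(id); } // global sign-out
}

class RelyingApp {
  // globalLogoutOnIdle=true models the behaviour complained about in the thread.
  constructor(sso, idleLimitMs, globalLogoutOnIdle) {
    Object.assign(this, { sso, idleLimitMs, globalLogoutOnIdle });
    this.local = new Map(); // SSO session id -> last activity time (ms)
  }
  request(ssoId, now) {
    if (!this.sso.isValid(ssoId)) {
      this.local.delete(ssoId);
      return "login-required";
    }
    const fresh = !this.local.has(ssoId);
    this.local.set(ssoId, now);
    return fresh ? "new-local-session" : "ok";
  }
  // Idle sweep: always drops the app's own session; optionally kills the SSO one.
  expireIdle(now) {
    for (const [ssoId, last] of this.local) {
      if (now - last <= this.idleLimitMs) continue;
      this.local.delete(ssoId);
      if (this.globalLogoutOnIdle) this.sso.logout(ssoId);
    }
  }
}

// Constructed scenario: the user opens both apps, then idles for 20 minutes.
function scenario(globalLogoutOnIdle) {
  const MIN = 60 * 1000;
  const sso = new SsoProvider();
  const training = new RelyingApp(sso, 15 * MIN, globalLogoutOnIdle);
  const wiki = new RelyingApp(sso, 8 * 60 * MIN, false);
  const id = sso.login("alice");
  training.request(id, 0);
  wiki.request(id, 0);
  training.expireIdle(20 * MIN);
  return {
    ssoAlive: sso.isValid(id),
    wiki: wiki.request(id, 21 * MIN),
    training: training.request(id, 21 * MIN),
  };
}
console.log(scenario(true), scenario(false));
```

With the global variant the wiki tab is forced back to the login page even though its own session never went idle; with the local-only variant the training app quietly starts a new local session from the still-valid SSO session.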



  • @anonymous234 said:

    could have been the "showModalDialog" function

    Looks like it.

    @anonymous234 said:

    Maybe your Chrome wasn't 100% up to date

    Chrome had been nagging me to update for a while, but it must have been a minor patch. It was, and is still, on 37.0.x.y, which supposedly disables that.

    @anonymous234 said:

    sysadmin reenabled it through enterprise policy

    Probably. For a new app, created after Chrome disabled it and FF announced they would soon. Yeah.

