    Newly implemented WAF is preventing admin login

    This past weekend, I implemented a WAF (Imperva) on the domain where our MivaMerchant store is hosted (we do our own hosting). Now, when I try to log in as admin (https://www.mysite.com/mm5/admin.mvc) I just get a blank screen. Everything else on the domain seems to be running fine, including the processing of orders.

    Does this sound familiar to anyone, and does anyone have a suggestion to fix this?

    TIA,
    Robin McDermott
    ---------------------------------
    Robin McDermott, CQE
    Director of Training
    QualityTrainingPortal.com

    #2
    It's likely optimizing javascript served by the admin.mvc URI, which breaks the subresource integrity hashes included in the page by the store to let your browser know the javascript has not been tinkered with. Turning that (and caching!) off for the admin URI, as well as json.mvc, should resolve.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com

      #3
      Thanks for the thoughts. I have set up the exemption to not cache for admin.mvc and json.mvc and also tested turning code compression and minify JS off. Neither solved the problem. However, I have been able to get in using IE (but not Chrome, Edge or Firefox).

      Here are a few more tidbits on what does and does not work:
      1. The WAF is set up to redirect all naked URLs to www. I don't know why that is the way that they want to do it, but I just went along with that when we were setting it up. If I remove the www. from the URL so that it is (https://mysite.com/mm5/admin.mvc), then I get the login screen. When I fill in the credentials and press enter, it takes me to this page: https://www.mysite.com/mm5/admin.mvc?Screen=LRDR and the page is blank again. If I remove the www., I go back to the login screen, log in again, and now I am in a loop.
      2. What is interesting is that when I do get in through IE, I get a screen telling me that we only have a license for 2 concurrent users (this is correct) and it suggests that I log off one of the concurrent users. When I "close session" for one of those users, then I get into the admin area. A couple of interesting observations about this:
        1. I guess that even though my attempts in chrome where I remove the www are sending me into a loop, Miva Merchant is still seeing me as a logged in user.
        2. I don't recognize the IP address it is showing for the logged in users. I assume it is an Imperva CDN?
      At least for now I can get into Miva Merchant Admin through IE, but I still need to resolve this issue so I can use other browsers.
      ---------------------------------
      Robin McDermott, CQE
      Director of Training
      QualityTrainingPortal.com

        #4
        You'll probably need to use the web dev tools in the browser to confirm whether the javascript is being altered or not; it should report that it's intentionally not running it if the SRI hash becomes invalid.

        The second issue is that it sounds like your store is set to not use www but the CDN is; they should match.

        The third issue is that your web server will need a new config to take what is likely an X-Forwarded-For header from Imperva, provided the request has come from a range they will need to provide you, and treat that as the visitor IP. You do not just want to blindly trust the header, because someone could connect to the server directly and send it with whatever IP they want. Until you do this, your server will see you hopping around new IPs regularly as the traffic goes through different CDN endpoints.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com
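        The "trust X-Forwarded-For only from the WAF's ranges" rule from the reply above, as an added example that is not part of this thread and not Miva's or Imperva's code. The trusted ranges are RFC documentation placeholders; the real Imperva source ranges have to come from Imperva.

```python
import ipaddress
from typing import Optional

# Placeholder ranges (RFC 5737 / RFC 3849 documentation space), constructed for
# this example. Replace with the source ranges Imperva provides for your account.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cdc::/48"),
]


def is_trusted_proxy(addr: str, ranges=TRUSTED_PROXY_RANGES) -> bool:
    """True if addr is inside one of the trusted WAF/CDN source ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      ranges=TRUSTED_PROXY_RANGES) -> str:
    """Return the address the store should treat as the visitor IP.

    The TCP peer (remote_addr) is the only address the server knows for sure.
    If the peer is not a trusted proxy, X-Forwarded-For is ignored entirely,
    since anyone connecting directly to the origin can set it to anything.
    If the peer is a trusted proxy, walk the XFF chain from the right, skip
    every further trusted hop, and take the first untrusted hop as the client.
    """
    if not is_trusted_proxy(remote_addr, ranges) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, ranges):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed hop: fall back to the proxy address
            return hop
    # Every hop was a trusted proxy, or the header was malformed.
    return remote_addr
```

With the header honoured only behind the WAF, the "logged in users" list in Miva admin shows the real visitor address instead of whichever CDN endpoint relayed the request.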

          #5
          Awesome! Thank you!! I will work on these items. I really appreciate it!
          ---------------------------------
          Robin McDermott, CQE
          Director of Training
          QualityTrainingPortal.com
