otsukare Thoughts after a day of work

CAFBank and Server Side User Agent Sniffing

I always hesitate to share the issues we have when we try to contact companies with Web sites not working in Opera. The Open The Web Team is doing that every day. The intent of this post is to illustrate some of the issues we are facing. Hopefully it will help people:

  1. understand the context of our work
  2. take actions when they are users of these Web sites

Let's talk about OTW-2621. The bug was created on September 9, 2006 (more than 5 years ago). The bug report was very clear. At this time Opera 9 was released. Opera Users of this bank were unable to use the Bank Web site. In this case, sometimes a more advanced user will report the issue to Opera. It's normal. Users have no idea if the site is broken or if Opera has a bug. In Cinemascope…

What is happening for users

I start a clean version of Opera Next (beta 12) no cookies, no cache, nothing and I enter the address of the Web site. Type enter.

CAF bank

OK two things have happened. The address bar has changed. Opera has been redirected to a new address, and there is a request asking for certificate confirmation. Let's accept the certificate request. The browser is redirected to a Browser Unsupported page.

https://www.cafbank.org.uk/unsupported.htm

\ OK. Let's try something else. ctrl+click or right+click on the page and choose "Edit Site Preferences" then select the Network Tab and finally identifying Opera as Firefox. It means the user agent will send this User Agent String instead of the normal one.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7.3; fr; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.00

We try to access the Web site and drumroll…

CAF bank

https://www.cafbank.org.uk/online/ASPScripts/Logon.asp

Opera is redirected this time to the right page. Note at this moment that in the Web site stats, Opera will be identified as Firefox. Maybe we could change the motto of Opera to "We increase the market share of Firefox" wink

Our friend - User Agent Sniffing

So as usual in these circumstances, I go to the command line to see what is happening.

→ curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" http://www.cafbank.org.uk/

HTTP/1.1 302 Redirect
Content-Length: 156
Content-Type: text/html
Location: https://secure.cafbank.org/online
X-Powered-By: ASP.NET
Date: Thu, 26 Apr 2012 20:55:19 GMT

An initial redirection, then a second one.

→ curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" https://secure.cafbank.org/online

HTTP/1.1 301 Moved Permanently
Content-Length: 157
Content-Type: text/html
Location: https://secure.cafbank.org/online/
X-Powered-By: ASP.NET
Date: Thu, 26 Apr 2012 20:57:56 GMT

And finally the last one.

 curl -sI -A "Opera/9.80 (Macintosh; Intel Mac OS X 10.7.3; U; fr) Presto/2.10.229 Version/11.62" https://secure.cafbank.org/online/

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 163
Content-Type: text/html
Location: https://www.cafbank.org.uk/unsupported.htm
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCSTCAABS=GLINBDNAGGOAPPLAHFHABCFL; path=/
Date: Thu, 26 Apr 2012 20:58:45 GMT

OK Nothing much we can do. The site is working when identify as Firefox. There is no implementation bug on Opera side. The redirection is happening on the server side. Let's contact CAFBank.

Contacting companies

The first issue usually contacting Web sites is that it is almost impossible to reach the right persons. Options are terse. The bigger the company is, the harder it is. Some companies have zillions of Web sites, working with local Web agencies. When there is a contact form, the person receiving the message doesn't often have the right knowledge to be able to communicate the information.

But we try. It goes usually something like this.

Madam, Sir,

I'm working for Opera Software's Developer Relations team. 
We have received multiple reports from your customers that 
www.cafbank.org.uk website does not work properly in our 
browser  product in some circumstances.

Could you put me in contact with the appropriate person in 
the Communications/Marketing team and/or Technical team 
in charge of your Web site.

Issue

When accessing https://www.cafbank.org.uk/ with  Opera 
browsers, users are being redirected to 
https://www.cafbank.org.uk/unsupported.htm

They also can't access to their accounts.
https://secure.cafbank.org/online/ASPScripts/Logon.asp
Solution

It seems that the Web site is doing server-side sniffing
for https://secure.cafbank.org/online/ASPScripts/Logon.asp

  HTTP/1.1 302 Object moved
  Cache-Control: private
  Content-Length: 163
  Content-Type: text/html
  Location: https://www.cafbank.org.uk/unsupported.htm
  X-Powered-By: ASP.NET
  Set-Cookie: ASPSESSIONIDQAASSRBS=HFKPDKOAHHKNDBHEFPOHOOBL; path=/
  Date: Wed, 11 May 2011 14:32:31 GMT

We would like to find a solution for fixing these. Could you 
tell us what were your difficulties into creating this site which 
led to this user agent sniffing?

It would be very kind of you, if you could tell us when 
you have fixed this issue. If you have any additional 
issues with Opera browser, we would like to work together 
on solving them.

Best regards

I tried to contact them on May 11, 2011 from customer services telling me that they would contact their IT services. And then asked for status

Finally today: April 26, 2012! Hurrah! I received an answer. Imagine how happy I was… before reading this email.

Dear Mr Dubost

Thank you for your email, my apologies for our 
delay in replying.  CAF Bank customers are able 
to contact us in a variety of methods and not 
just through CAF Bank online.  We do not have 
any plans at present to extend the browsers 
which are supported for CAF Bank online however 
we have noted your comments for when we next 
review our online facility.

Thank you,
Regards,
**** *****

Bummer!

What is next?

In fact, I should have done something a lot earlier when we didn't receive replies to the request for the status. I should have asked that CAFbank was added to the sitepatch list. So that each time an Opera user tries to access this bank web site, he/she will be identified as Firefox and have a peaceful experience on the Web site.

What does it achieve?

\

I want to make something very clear here. I'm not complaining, I'm just expressing a sad reality. I can share stories like this very often. Maybe I should. I don't know.\