Issues with Webclient since update from 5.2.2 to 5.2.11

Has anything changed dramatically in web client in Servoy 5? I did an upgrade of our server from 5.2.2 to 5.2.11 this morning, as I hadn’t done it for a long time.

A number of our users are now saying they are getting kicked out of web client with a message “Invalid Credentials”.

There seem to be new errors in the log, which may show the issue, although it is hard to track as I cannot reproduce it using Safari on my Mac:

2011-11-29 18:59	http-8082-12	WARN	com.servoy.j2db.util.Debug	Unable to decode the url: 'servoy-webclient/?x=K5PGYs0AO*DhVrQqvRWp8Oah6UtwTzpsAkljWd75AeifzSuSPkrdrRN*SYkPDvS-&ignoremp=true&random=0.6479459684809737' most likely because the session expired
org.apache.wicket.protocol.http.PageExpiredException: Invalid URL 
    	at org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy.onError(CryptedUrlWebRequestCodingStrategy.java:308) 
    	at org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy.onError(CryptedUrlWebRequestCodingStrategy.java:321) 
    	at org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy.decodeURL(CryptedUrlWebRequestCodingStrategy.java:293) 
    	at com.servoy.j2db.server.headlessclient.WebClientsApplication$ServoyCryptedUrlWebRequestCodingStrategy.decodeURL(WebClientsApplication.java:117) 
    	at org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy.decode(CryptedUrlWebRequestCodingStrategy.java:118) 
    	at org.apache.wicket.Request.getRequestParameters(Request.java:183) 
    	at org.apache.wicket.RequestCycle.step(RequestCycle.java:1313) 
    	at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1438) 
    	at org.apache.wicket.RequestCycle.request(RequestCycle.java:546) 
    	at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:486) 
    	at com.servoy.j2db.server.servlets.Zl.doGet(Zl.java:9) 
    	at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:138) 
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) 
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) 
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567) 
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) 
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) 
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) 
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) 
    	at java.lang.Thread.run(Thread.java:680) 
    Caused by: org.apache.wicket.WicketRuntimeException: Unable to decrypt the text '+ì?bÕ;?·V¥*?©?ʰÈKpO:lIcY??ËüÕ+í>J??~IâÙø' 
    	at org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:145) 
    	at org.apache.wicket.util.crypt.AbstractCrypt.decryptUrlSafe(AbstractCrypt.java:67) 
    	at org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy.decodeURL(CryptedUrlWebRequestCodingStrategy.java:284) 
    	... 24 more 
    Caused by: javax.crypto.BadPaddingException: Given final block not properly padded 
    	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..) 
    	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..) 
    	at com.sun.crypto.provider.SunJCE_ab.b(DashoA13*..) 
    	at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(DashoA13*..) 
    	at javax.crypto.Cipher.doFinal(DashoA13*..) 
    	at org.apache.wicket.util.crypt.SunJceCrypt.crypt(SunJceCrypt.java:101) 
    	at org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:141) 
    	... 26 more

Can anyone tell me whether anything dramatic has changed, and what this error message, if it is the appropriate one, is telling me! We have had about 20 physiotherapists who have used this solution for six months all ring up saying it is kicking them out suddenly!!!

Thanks if you can make sense of this one.

David

Those errors are just added now to log a bit more; they were always there.
This is because they are hitting the server with a URL on which the session is already expired.
Then URLs which are encrypted by a session key can’t be decrypted anymore, so you get this error, but if that didn’t happen then 1 step later on they would again get a session/page expire message anyway.

My guess is that it has something to do with the other thing you posted on this forum, and that is the IE error.
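
The failure mode described in the reply above, reproduced as an added example (not code from Servoy, Wicket or either poster): a URL token encrypted under one session's key is replayed after that session is gone, and decryption under the new key ends in the same `BadPaddingException` seen in the log. The salt, iteration count, key strings, query string and `page=` marker are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class SessionKeyedUrlDemo {
    // Constructed demo parameters, not the values Wicket or Servoy use.
    static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8};
    static final int ITERATIONS = 17;
    static final String PREFIX = "page=";   // constructed marker for a valid query

    // Encrypts or decrypts with the cipher named in the stack trace, keyed per session.
    static byte[] crypt(int mode, String sessionKey, byte[] data) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(sessionKey.toCharArray()));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return cipher.doFinal(data);
    }

    static String encodeUrl(String query, String sessionKey) throws Exception {
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, sessionKey, query.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ct);
    }

    // Returns the query, or null when the token does not belong to this session key.
    static String decodeUrl(String token, String sessionKey) throws Exception {
        try {
            byte[] pt = crypt(Cipher.DECRYPT_MODE, sessionKey, Base64.getUrlDecoder().decode(token));
            String query = new String(pt, StandardCharsets.UTF_8);
            // A wrong key can occasionally unpad cleanly, so check the content too.
            return query.startsWith(PREFIX) ? query : null;
        } catch (BadPaddingException e) {
            return null; // same root cause as in the log: key and ciphertext do not match
        }
    }

    public static void main(String[] args) throws Exception {
        String token = encodeUrl("page=7&component=saveButton", "key-of-session-A");
        System.out.println("same session: " + decodeUrl(token, "key-of-session-A"));
        // Session A expired; the browser replays the old URL into a new session.
        String result = decodeUrl(token, "key-of-session-B");
        System.out.println("new session:  " + (result == null ? "page expired" : result));
    }
}
```

When triaging logs like the one above, a burst of these warnings that lines up with session timeouts or a server restart points to stale URLs rather than a change in the cipher or in user credentials.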