I'm trying to determine how Keycloak randomizes its session IDs. The value for set-cookie: KEYCLOAK_SESSION appears to be random. What function or randomizer is it using? Could not find it in its documentation.
Could not find it in Keycloak documentation.
Related
I have a single page application that's using a web API. When a user logs in, I would want the server to set a cookie for further identification.
AJAX requests are obviously HTTP, only with a small identifying header. For as far as I know, the browser's agent should not differentiate between XMLHttpRequest and normal requests. Especially since I'm using a relatively old version of firefox.
App URL: http://sub.domain.com/app
API Request: http://sub.domain.com/service/method
The domain and subdomain are exactly the same. There's no attempt to change other domains cookies.
As you can see the cookie is recognized by the browser's request parser. Even after digging all over SO and Google, I haven't found one logical explanation to why this isn't setting the cookie.
Tried a bunch of different Set-Cookie arguments combinations. I figured the most stable syntax is key=value; expires=date; domain=.domain.com and that's what I use in the example above.
P.S.
I am using actual domain and subdomain, NOT localhost.
Using a relatively old and stable version of Firefox.
I think you issue is quite well explained here
How does a browser handle cookie with no path and no domain
For Set-Cookie without path attribute, RFC6265 states that:
If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.
So from your server you need to set path=/ as well to make sure cookie is accessible to everyone
Edit-1
Also make sure that your webpage and API both run on the same protocol. Because if the cookie is marked secured then the same cannot be read by an http url
The problem can occur due to two reasons:
The Set-Cookie header returns from an HTTPS request to an HTTP website.
"Path" attribute is not set so it defaults to the API URI's path (as explained by Tarun Lalwani).
The syntax that ended up working was:
Set-Cookie: test=working; Domain=.domain.com; Path=/; Secure
I have a LoopbackJS app deployed on IBM Bluemix and horizontally scaled across 3 instances. This app also uses Socket.io to implement a chat system.
I'd like to activate sticky sessions so that each request coming from the same client is routed to the same app instance.
I know that sticky sessions are supposed to be avoided according to the 12 factors. But it seems to be the only solution in order to have socket.io working properly with multiple nodes.
As stated here, seems like I need to set a JSESSIONID session cookie in the loopback application.
I then did the following in the server.js of the LoopbackJS app:
var session = require('express-session');
app.use(session({
secret: 's3Cur3',
name: 'JSESSIONID',
proxy: true,
resave: true,
saveUninitialized: true
}));
After making that change, when I issue a request to the Loopback app, I can see that two cookies are set in the response headers:
Set-Cookie:__VCAP_ID__=988ce9aa9b7f49cdb31d04f697d892b6024579565ea443589ed10e7a4c1c05f0; Path=/; HttpOnly, JSESSIONID=s%3Adb3KsqgZfkwEg39wrLKcsB3AWpazcOgd.TcA1vYbVB5DqemJXDS%2BLxUJ207WNC7UGmS5BpjZQ9Xc; Path=/; HttpOnly; Secure
Set-Cookie:JSESSIONID=s%3Adb3KsqgZfkwEg39wrLKcsB3AWpazcOgd.TcA1vYbVB5DqemJXDS%2BLxUJ207WNC7UGmS5BpjZQ9Xc; Path=/; HttpOnly
Anyway, when I issue the request again from the same browser, I can see in the logs on the Bluemix side that the request is served by a different app instance.
I'm really inexperienced on those subjects, so would really appreciate any advice that would help to properly configure sticky sessions.
Per https://docs.cloudfoundry.org/concepts/http-routing.html#sessions
"On subsequent requests, the client must provide both the JSESSIONID and VCAP_ID cookies. The CF routing tier uses the VCAP_ID to forward client requests to the same application instance every time."
e.g. pick VCAP_ID and supply alongside with JSESSIONID
I have 2 scenarios where I want to implement the token based authentication:
I want to implement token based authentication when a user logs in. i.e.. based on username and password , user should get a token and that token should be used with every request.
I have a separate independent module which has ID and secret Key. It has to communicate with server in specific interval. I want to implement token based authentication for this module also.
In both the cases token should have these properties:
It should be in payload.
It should have a timeout period
When token expires server should provide a new token,if the session is not expired else it should logout.
Is OAuth 2.0 right choice? If any other approach is better, Please tell me.
What should I do to solve this problem?
Which is the best place to put token in request -Payload or header? and Why?
OAuth 2.0 is a good choice for the requirements you mentioned: timeout period and refresh-ability.
Stormpath has an excellent OAuth2.0 implementation that gives you what you are looking for out of the box.
Stormpath has both remote and local OAuth2 Implementations and both are freely available. For the remote case you can rely on our backend using any REST client (http://docs.stormpath.com/guides/token-management/) and any of our SDKs. For the local case you can use our Servlet plugin to run a Web-app with out of the box OAuth2 support. Using the docs link above, you can find documentation for these resources.
Using the Stormpath Spring Boot integration, for instance, you could do something like this:
http -v --form POST http://localhost:8080/oauth/token \
> 'Origin:http://localhost:8080' \
> grant_type=password username=micah+demo.jsmith#stormpath.com password=<actual password>
(This example uses httpie to interact with a locally running Spring Boot instance). The line I've bolded above conforms to the OAuth2.0 spec for authenticating with usernames and passwords. What you get back is a response like:
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 325
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Aug 2015 16:02:08 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: account=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4; Expires=Wed, 05-Aug-2015 16:02:08 GMT; Path=/; HttpOnly
{
"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4",
"expires_in": 259200,
"token_type": "Bearer"
}
This provides a bearer token that can be used on subsequent requests as well as an expiration. Plus, it has the advantage of being a JWT - JSON Web Token. The JWT is cryptographically signed to ensure that it hasn't been tampered with and it can be decoded to provide additional meta-information to your client, including user information, access controls and expiration.
You could do something very similar using the grant_type=authorization_code for interacting using an id and secret, such as for the independent module you mentioned.
This article goes into more detail on token authentication with Java.
Full disclosure: I am a Stormpath employee and I wrote the article referenced above.
I am writing a web application framework. To properly support reverse proxy servers, I want to make sure that whenever the web application is accessing cookie data, pages that are sent to the user are cached only for that user. As far as I know, there are two ways of achieving this:
header('Vary: Cookie');
or
header('Cache-Control: private');
The immediate benefit of using Vary: Cookie is that a reverse proxy server will cache non-authenticated requests. However, we're using Google Analytics which create cookies through javascript - so I am afraid the Vary: Cookie method is unusable?
For your case (using Google Analytics), this will not work as GA sets first-party cookies for ".yourdomain.tld"
As of now, I'm seeing the following first party cookies set by Google Analytics:
_gat_gtag_UA_#####_#
_ga
_gid
Cookies set by a script served by a given domain will only be sent to that domain.
The proxy will not receive the cookies set by google analytics.
I'm having a problem similar to the one in this post: JMeter; session cookie, but approached from a different angle.
The similarity is at the bottom of the post, where the OP writes:
How... can I set and submit a unique cookie for each user whose value is extracted from the first Response Header?
We're using JMeter for load testing, and need to have several users logged in to our email client at once. The way our website (and test plan) works is:
Enter username/ password, click Sign In.
Click Email.
Receive auth token (used for staying signed in to the email client) in a cookie.
Upon interaction with the email client (open a folder, mark an email as read, etc), send the auth token in the post body.
The problem is that the auth token is not getting stored as a value in such a way that it can be used in a POST request (and because the auth token is not sent as a cookie, we can't simply store it and send it with an HTTP Cookie Manager). The cookie is initially set like this:
AUTH_TOKEN=(long string of letters, numbers, and underscores); Domain=.ourdomain.net; Path=/
We've tried the following to extract the auth token value from the cookie:
Using a Regular Expression Extractor to extract the value from the response header of the "Click Email" step. We've tried two regular expressions; both simply cause JMeter to use the default auth token value when the test is run:
AUTH_TOKEN\=(\w+)\;
AUTH_TOKEN=([^;]+);
Defining the property "CookieManager.save.cookies=true" (as suggested by the user manual) and "CookieManager.check.cookies=false" (as suggested in this thread) in user.properties, then using "${COOKIE_AUTH_TOKEN}" in the post body.
With either or both of these in place, JMeter sets ${COOKIE_AUTH_TOKEN} as the auth token value in the post body.
We know that ${COOKIE_cookieName} is the correct format, as this has worked with other cookies that JMeter is storing.
I've read through a number of threads but none have dealt with this specific issue. I just started learning how to use JMeter a few weeks ago, so I'm not sure what to do here, and any help would be greatly appreciated. Thanks!
The problem was actually being caused by an incorrect request being sent to the server, to which it was then sending a blank response. Once we tore down and rewrote the entire test plan (what we were using was actually a modified version of another test plan) and had CookieManager.save.cookies=true in user.properties, we were able to use ${COOKIE_AUTH_TOKEN} and get the correct value.