Firefox won't store cookie when page is loaded within an iframe - firefox

I have a parent webpage with a child iframe:
parent at https://first-site.com
child at <iframe src="https://second-site.com"> (inside of parent)
cookie is set by the second-site.com server upon page load using this HTTP header:
Set-Cookie: iqsession=869194b8e575d0d333f9395557f564f5eca31c15761c; expires=Wed, 08-Feb-2023 03:51:14 GMT; Max-Age=600; path=/; secure; httponly; samesite=none
When I load the page on first-site.com (with second-site.com in an iframe), Firefox fails to store the cookie for second-site.com. It's not accessible under the cookies tab, nor is it available to second-site.com on subsequent page loads. There are no warnings or errors in the console.
This does work in Chrome.
Note that I am not attempting to access cookies across domains. The cookie is only set by second-site.com on the server side and only read by second-site.com on the server side. The outer parent doesn't need to know anything about the cookie.
Any ideas why this isn't working in Firefox? This issue looks related but isn't super clear.

Related

Cookie not set after HTTP request with Set-Cookie response header

Context: I'm trying to couple a separate frontend (Nuxt.js) with a Laravel backend. Session (logged in user etc.) is maintained by the backend and should be stored and updated in the frontend using cookies. I am making API calls using Axios.
I am currently running my frontend on localhost:3000 and my backend on 127.0.0.1:8000. When I make API calls from the frontend, I get the following headers in the response:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:3000
Cache-Control:no-cache, private
Connection:close
Content-Type:application/json
Date:Sun, 15 Oct 2017 13:05:24 GMT
Host:127.0.0.1:8000
Set-Cookie:laravel_session=fuqQf1fX3ZwQYl7xORGPopgZhD4qw5Mfi8lFrHTJ; expires=Sun, 15-Oct-2017 15:05:24 GMT; Max-Age=7200; path=/;
Vary:Origin
X-Powered-By:PHP/7.0.10
From what I understand, the browser should now set/update the laravel_session cookie. However, when I check the cookies in Chrome devtools, nothing changes.
Are the different URLs (or at least ports) an issue here? Am I missing some kind of header or directive that is required? I've done some research but haven't found a solution yet.

Asgard CMS Laravel application accessed through VPN not setting cookies

I have an Asgard CMS Laravel application that I am accessing through my company's VPN network, as the server it's running on is not accessible from outside the private network.
Whenever I go to the login page, I do not see the laravel_session cookies set. The HTTP header shows the following values:
Set-Cookie:HttpOnly;Secure
Transfer-Encoding:chunked
X-Content-Security-Policy:default-src 'self';
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
As you would notice, a normal Asgard CMS application running fine will have some cookies set like
Set-Cookie:XSRF-TOKEN=<cookie value>; expires=Fri, 15-Jul-2016 10:29:57 GMT; Max-Age=7200; path=/
Set-Cookie:laravel_session=<cookie value>; expires=Fri, 15-Jul-2016 10:29:57 GMT; Max-Age=7200; path=/; httponly
We see above that two cookies (XSRF-TOKEN, laravel_session) are being set on an application that is running fine.
However, in my application none of these cookies are set on the login page. Because of this, a token mismatch error occurs after the user tries to log in, as a new token gets generated and the one in the form is the old one.
Also note that additional headers (X-Content-Security-Policy, X-Content-Type-Options, X-Frame-Options) show up which are not there in the case of a normally functioning Laravel application.
Once we access this application from outside the network, it continuously shows this error.
Any clues on how to get the cookies to show up properly and make my Laravel application run as normal?

Web app doesn't work in Internet Explorer

My application works beautifully on Chrome, Firefox, Safari, and Opera, but fails on Internet Explorer 11 (I haven't tried earlier versions yet). Basically, I find that I cannot log in. I have narrowed the problem down to an issue with cookies. On login attempt, I get through to the server fine, and the response is the exact same as with any other browser. But for whatever reason, even though the Set-Cookie header is set, the cookie is not saved and sent on the next request to the server. My application has a (mostly) RESTful backend, and so authenticates on most requests. This obviously fails because the cookie is not set!
This problem persists whether served from localhost or from a real server. I should mention that it is a cross-origin request, but the proper headers are in place (and they work on other browsers).
The response headers (when served from localhost) are as follows:
Response HTTP/1.1 200 OK
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers accept, content-type
Access-Control-Allow-Methods POST, PATCH, DELETE
Access-Control-Allow-Origin http://localhost:8000
Cache-Control no-cache,no-store
Content-Length 68
Content-Type application/json
Date Thu, 05 Mar 2015 20:00:20 GMT
Frame-Ancestors none
Server waitress
Set-Cookie session-id=ZqANyJ4KRUFoOaVgtGs/hcX+fxjMcCVM0kdRqF4riHglfAeBJJK56X9wn0XsNdPwUg; Domain=; HttpOnly;
Strict-Transport-Security max-age=31536000;
X-Frame-Options deny
I cannot figure out why this doesn't work solely in IE11! The app is not in an iframe, and the cookie actually appears in the cookies tab in the IE developer tools when I click on the network request, but it is not subsequently sent along with the next ones.
Some of my attempted solutions were:
Adding the Cache-Control header
Removing the HttpOnly flag from the cookie
Adding the Domain flag to the cookie (set as localhost or 127.0.0.1)
Removing Headers like X-Frame-Options, Frame-Ancestors, and Strict-Transport-Security
Tried multiple computers
Changed security settings to accept all cookies
All failed. Ideas?
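The four posts above (the Firefox iframe question, the Laravel/Axios question, the Asgard CMS question and this IE11 one) all quote a Set-Cookie header and ask why the browser does not keep or resend the cookie. The following checker is an added example, not code from any of the posters or from the frameworks they use: it parses a Set-Cookie value into its attributes and reports the combinations that modern browsers reject or refuse to send cross-site (SameSite=None without Secure, an empty Domain attribute, a Domain that does not cover the response host, a header with no name=value pair, and a cookie meant for a third-party iframe or credentialed cross-origin XHR that lacks SameSite=None and Secure). The headers in SAMPLES are the ones quoted in the thread; the request hosts and the cross_site flags beside them are assumptions about each poster's setup.

```python
"""Set-Cookie attribute checker (added example, not from the original posts)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Attributes are ';'-separated (RFC 6265). Flags such as Secure carry no
    value and are stored as "". Attribute names are case-insensitive, so
    'httponly' and 'HttpOnly' map to the same key. A first piece without '='
    yields an empty name, which check_cookie reports.
    """
    parts = [p.strip() for p in header.split(";")]
    if "=" in parts[0]:
        name, _, value = parts[0].partition("=")
    else:
        name, value = "", parts[0]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:  # a trailing ';' leaves an empty piece
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def check_cookie(cookie: Cookie, request_host: str, cross_site: bool = False) -> list[str]:
    """Return the problems found; an empty list means the header itself looks fine.

    request_host is the host that sent the response. cross_site says whether the
    cookie must survive a cross-site context (third-party iframe, credentialed
    cross-origin XHR/fetch).
    """
    a = cookie.attrs
    problems: list[str] = []
    samesite = a.get("samesite", "").lower()
    secure = "secure" in a

    if not cookie.name:
        problems.append("no name=value pair: RFC 6265 says the user agent ignores the header entirely")
    if samesite == "none" and not secure:
        problems.append("SameSite=None without Secure: browsers reject the cookie")
    if "domain" in a and a["domain"] == "":
        problems.append("empty Domain= attribute: RFC 6265 says to ignore it and the behaviour is "
                        "undefined; drop the attribute")
    elif "domain" in a:
        dom = a["domain"].lstrip(".").lower()
        host = request_host.lower()
        if host != dom and not host.endswith("." + dom):
            problems.append(f"Domain={a['domain']} does not cover request host {request_host}: rejected")
    if cross_site and samesite != "none":
        problems.append("cross-site use but SameSite is not None: browsers default to Lax and will not "
                        "send the cookie from a third-party iframe or cross-origin request")
    if cross_site and not secure:
        problems.append("cross-site cookies must carry Secure (and therefore be served over HTTPS)")
    return problems


# Headers quoted in the thread; hosts and cross_site flags are assumptions.
SAMPLES = {
    "firefox_iframe": ("iqsession=869194b8e575d0d333f9395557f564f5eca31c15761c; "
                       "expires=Wed, 08-Feb-2023 03:51:14 GMT; Max-Age=600; path=/; secure; httponly; samesite=none",
                       "second-site.com", True),
    "laravel_xhr": ("laravel_session=fuqQf1fX3ZwQYl7xORGPopgZhD4qw5Mfi8lFrHTJ; "
                    "expires=Sun, 15-Oct-2017 15:05:24 GMT; Max-Age=7200; path=/;", "127.0.0.1", True),
    "asgard_vpn": ("HttpOnly;Secure", "intranet.example", False),
    "ie11": ("session-id=ZqANyJ4KRUFoOaVgtGs/hcX+fxjMcCVM0kdRqF4riHglfAeBJJK56X9wn0XsNdPwUg; Domain=; HttpOnly;",
             "localhost", True),
}


def audit(samples: dict = SAMPLES) -> dict[str, list[str]]:
    """Run check_cookie over every sample and map its name to the problems found."""
    return {name: check_cookie(parse_set_cookie(hdr), host, cross_site)
            for name, (hdr, host, cross_site) in samples.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

The checker only sees the header. The iframe cookie from the first post passes every check, which is the useful negative result: Firefox's Total Cookie Protection stores cookies set by a third-party frame in a partition keyed by the top-level site rather than in second-site.com's own first-party jar, so a header that is attribute-correct can still fail to appear where the post expects it. For the Laravel case the checker likewise cannot tell whether the XHR was sent with credentials (Axios `withCredentials`, fetch `credentials: "include"`), without which the browser ignores Set-Cookie on a cross-origin response even when the headers are right.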

Strange session cookie behaviour

I am noticing strange behaviour with my ColdFusion session cookies whereby the domain, path and httponly attributes are not retained.
In my application.cfc file I have this.setclientcookies set to false.
In my onSessionStart event I then have the following code:
<cfset sessionRotate()>
<cfcookie name="CFID" value="#session.cfid#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">
<cfcookie name="CFTOKEN" value="#session.cftoken#" path="#application.sessioncookiespath#" domain="#application.sessioncookiesdomain#" httponly="yes">
The first time I visit a page the CFID and CFTOKEN cookies get sent to the browser with the correct values, domains, paths, expiry dates, etc.
But when viewing the request cookies for subsequent requests everything but the value of the cookie has been lost.
If I then close the browser, reopen it and go to a page the same cookies are sent to the server and so I get the same session, instead of the expected behaviour of the browser deleting the cookies when closed.
Can anybody shed any light on this?
Thanks.
In response to Sean.
Response cookies returned on initial request to www.domainname.com/sub are:
Set Cookie CFID=123456; Domain=.domainname.com; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly
Set Cookie CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D3B0166C2FDAF5D6B; Domain=.domainname.com; Expires=Fri, 07-Feb-2014 15:12:33 GMT; Path=/sub; HttpOnly
Subsequent requests to any other page (any page at the same level or deeper than the /sub directory) or the same page (i.e. refreshing the page) send the following request cookie string:
CFID=191297; CFTOKEN=2cf168a89952feec%2D4DAC5903%2D1DD8%2DB71C%2D0B0166C2FDAF5D6D; ASP.NET_SessionId=s43bplyduc0hkgintth4gcqh
It's a CF10 bug, fixed, but not available.
https://bugbase.adobe.com/index.cfm?event=bug&id=3593673

Safari extension - sharing session cookie with website

I have a Safari extension that acts in favor of our website. It needs to share the session cookie with the website. The website sets the session as:
Set-Cookie: SESS=SESS_VALUE; expires=Sat, 09-Feb-2013 11:59:05 GMT;
path=/; domain=.MY_DOMAIN; HttpOnly
The extension makes requests using jQuery. The session is properly shared in all other major browsers including IE 7. But in Safari, it maintains two sessions. My Safari extension has the right domain MY_DOMAIN in its manifest file. I will be happy to hear your suggestions.