I have a tornado webserver with login page:
If the client try to access any endpoint it checks if the user is logged in and if he isn't then is redirected to login endpoint for the user log in.
The problem is that if i allow cache in the browser then when i access to any endpoint i have been before, the browser try to be clever and begin to requests all css and static files inside that endpoint despite that all of the requests are being redirected to login page provoking strange behaviors.
I could add in all my responses no-cache headers but i wanted to know if this is a good approach or is there a better management of this case.
Related
I have a Webapp (HTML, JS, PHP) on an Amazon cloud server which is integrated in our companies network. Lets say the servers name is
dev-myapp.cloud.myentity.mycompany.com
This app is using the companies global SSO login by getting an oauth token from the SSO login page and then sending client, secret and callback (as usual). If Login is successful, the SSO login redirects to my callback (which in that case is my apps url above)
The SSO login creates many cookies in the browser. Most of them are flagged as secure but also some are not. For all of this cookies I now get an error
Cookie "xxx" will be soon treated as cross-site cookie against "path_to_any_of_my_sources" because the scheme does not match
I get this error for every script which is loaded (HTML, js, PHP, css) with FireFox.
The domain of the created cookies is
mycompany.com
so there should be no cross site at all.
What can I do to remove this hundreds of warnings, which makes debugging really annoying
If you need more information please let me know. Please understand I cannot provide you with real data from my company.
I was able to fix this same problem by clearing my cookies in the browser.
I have read on some blog (sorry for not mentioning the reference but I can't find it anymore) that you will lose all your work on securing your site if you redirect a user from an https page to an http page.
So, could someone please explain to me if I am right or wrong here in the following scenario:
Is it right practice to use https on the login page then redirect him to Admin Page with http, or will this will create a security issue like Session Fixation hijacking, stealing session, etc.?
Or must I keep the Admin Page also in https?
Another side of the question is: will https allow caching of static files?
I have read other articles here but I am still confused as some say 'yes' and some say 'no'; also some say it depends on browser.
In your instance (in only securing the login page with HTTPS) while login details will be protected (e.g. username/password), your users will be susceptible to Session Hijacking.
Whether you use a mixture of HTTP/HTTPS or full HTTPS depends on your situation. Amazon for instance, will use HTTPS for the login, but you'll browse the site with HTTP, but as soon as you go to a sensitive area (Order details screen, change account/password details etc.) it switches to HTTPS and asks you to re-authenticate. Re-Authenticating the user after switching from HTTP to HTTPS is the key to stop Session Hijacking because you're effectively issuing a new Session token. So if a user steals the session token, they still don't have your username/password and can't access your account section.
If the admin area is particularly sensitive then just HTTPS the whole thing. Google found the overhead from using full HTTPS was between 1-5% overhead on the CPU, hardly anything basically.
As for caching static files on HTTPS I'm not sure, but this SO post suggest it'll cache as normal Will web browsers cache content over https
Everything must be used with https. If you switch over to http, everybody can see the content being sent, which means those security issues you mentioned will emerge.
The reason is that you have to identify your client in order to assign access rights in your admin site. One possibility to do so, is sending back a token (some hash or whatever). Depending on the token you know if it's an authenticated client or not. But everybody else does see this token => security issue.
Of course you could use the previous https session to exchange a private key. And use it to encrypt your http stuff somehow. But this is a bad idea, since https does this much more conveniently..
I have a site (built on LAMP (cakephp) and has ssl certificate installed) which has a secure payment page. After filling up necessary information user proceeds to a payment gateway page. After all the process at the gateway end, gateway redirects to one of my URL, which I have to mention with a payment request.
Now when I keep this url as http redirect happens properly and all the sessions are maintained. But I want to make this page as https, and when the payment gateway redirects to the https version of the URL, my session information dies and I get redirected to my home page.
eg: my payment page
https://www.mysite.com/payment
from here user goes to the payment gateway site, does necessary things and payment gateway redirects it to
http://www.mysite.com/paymentResponse (this url i have to mention in the request)
now i have to make this as HTTPS, but when I do that my session info dies
Plz help me
Thanks,
Dinesh
I don't know why it supposedly works for plain HTTP requests, but the problem may be related to Configure::write('Security.level') being set to medium or high, which activates PHP's session.referer_check, which may be the reason sessions are dying for you when being redirected from external sites.
I have a website that I would like to allow both Forms and Windows Auth for. My problem is that it seems that when you setup IIS to allow both anonymous (Required for forms auth) and Windows auth that the browser won't send the user's network credentials.
It just uses the anonymous login. Is there any way either in IE8 or IIS to have it try Windows Auth 1st and then fall back to Anonymous?
Thanks for any help.
You can't ask for HTTP authentication (whether that's Basic Authentication or Integrated Windows Authentication) without causing the authentication dialogue box to pop in the case where there are no credentials yet.
So in general for hybrid HTTP-auth+cookie-auth approaches you enable both anonymous and authenticated access for the bulk of the site, but allow only authenticated access to one particular script.
When the user accesses a page without either kind of auth, you spit out a page with a login form for the cookie-based auth, and also a link to the one URL that allows only authenticated access. The user can fill out the form for cookies&forms auth, or hit the link to log in with HTTP auth instead.
If the user follows that link, they will be given a 401 response and must provide HTTP authentication, either through the auth dialog, or potentially automatically using integrated Windows authentication. Once this has happened once, the browser will start submitting the same credentials to every future page, so IIS will decode the credentials to give you the expected REMOTE_USER when your main site scripts are run.
Browsers will only submit the credentials to pages in the same directory as the 401 script, or subdirectories of this. For this reason it is best to put the HTTP-auth-required script in the root, for example as /login.aspx.
However, there are a few browsers that won't automatically submit credentials for further pages, and require every HTTP request to respond 401 first, before sending the request again with credentials. This makes optional-auth and hybrid-auth schemes impossible (as well as making browsing of protected sites much slower!). The only modern browser that does this is Safari. You may not care, as Safari's support for Integrated Windows Authentication has traditionally been shaky anyway, and it can still use the forms+cookies auth type.
Setup: Grails 1.1, Acegi/Spring Security plug-in
I want users to log in over SSL, so I have '/login/**' in my channelConfig.secure[] list, but almost everything else is in channelConfig.insecure[]. Every request for /login gets redirected to https:// and every other request is redirected to http://.
My problem is that the login process sets the cookie to "Send over encrypted connections only," so when the login page redirects to /home, the home page doesn't see the cookie and redirects me back to the landing page. When I try to log in again, the login page sees the cookie and redirects me...etc.
I hunted through this page about SecurityConfig to see if there is an option to allow cookies created over SSL to be read over unencrypted HTTP, but I found nothing. Is there some option I can set to make my login cookie available to my unencrypted controllers?
This would be a vulnerability.
Any man-in-the-middle that can see the session cookie would be able to make requests as the user. This is almost as bad as the password being intercepted. The man-in-the-middle wouldn't be able to establish new sessions on his own, but he would be able to do anything the user can do once a user logs in.
Using SSL does a lot more than simply hiding the user name and password at login.
First, it provides confidentiality for all messages between the client and server. It's easy to recognize the password as sensitive data, but it might not be as obvious which application features use sensitive data as well. Protecting any user input and dynamically generated content is safer and easier than trying to carefully evaluate the privacy issues of each data field used in your application. Static content such as images, help pages, etc., probably isn't as sensitive, but by analyzing requests for that content, an attacker might get a good idea of what a user is doing on the site.
Second, SSL provides integrity for every request. This prevents an attacker from modifying or appending their own nefarious input to user requests, or modifying the results produced by the server.