Is there a Spring Boot JWT logout solution when using cookie storage? - spring-boot

I stored the JWT token in cookie storage.
I want to remove or expire this token in the logout action. How should I do it? Can somebody give me advice? Thank you. I use the following code:
final String token = jwtTokenUtil.generateToken(userDetails);
Cookie cookie = new Cookie("token", token); // the JWT travels in a cookie named "token"
cookie.setHttpOnly(true);                   // not readable from page scripts
response.addCookie(cookie);

Based on Delete cookie from a servlet response:
Create a new cookie with a value of null and add it to the response. So you would replace
Cookie cookie = new Cookie("token", token);
with
Cookie cookie = new Cookie("token", null);

Related

Spring boot: Requests with an expired Cookie is still available after logging out

In the Spring Boot project, when the user logs out, we invalidate the cookie with this block of code:
// name = "Token"
// value = "expired"
// age = 0
private void setExpiredCookie(HttpServletResponse response, String name, String value, int age) {
    Cookie cookie = new Cookie(name, value);
    cookie.setSecure(true);   // send the cookie to the server only over an encrypted HTTPS connection
    cookie.setHttpOnly(true); // not readable from scripts, limits cross-site scripting impact
    cookie.setPath("/");      // global cookie, accessible everywhere
    cookie.setMaxAge(age);    // age 0 deletes the cookie; pass the same properties that were used when setting it
    response.addCookie(cookie);
}
However, after logout, I tested my website with a tool that captures a request and resends it through a repeater with the exact same values, such as token and payload.
I resent a request, for example to change the email address, and despite having logged out this request is still valid for 15 minutes (the lifetime of the original cookie).
What am I missing? I am deleting and protecting the cookies properly.
You are just creating a new cookie.
You should invalidate the cookie with the session id that was given to you when you authenticated. Simply use this:
HttpSession session = httpServletRequest.getSession(false); // null if no session exists
if (session != null) {
    session.invalidate();
}
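The cookie-nulling approach in the first answer and the replay problem in this question have the same root cause: a JWT stays valid until its exp claim no matter what happens to the cookie, so logout needs a server-side revocation record in addition to an expired cookie. This is an added example, not code from either post: it assumes the token carries a jti claim and that the login cookie was set with path "/", Secure and HttpOnly; the in-memory map stands in for a shared store in a multi-instance deployment.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Logout helpers: clear the browser cookie AND revoke the token server-side. */
public final class JwtLogout {

    /** Revoked token ids (jti claim) mapped to that token's exp time. */
    private static final Map<String, Instant> REVOKED = new ConcurrentHashMap<>();

    /** Overwrite the browser's cookie with an empty, already-expired one.
     *  Name, path, domain, Secure and HttpOnly must match the cookie set at login,
     *  otherwise the browser treats it as a different cookie and keeps the old one. */
    public static Cookie expiredCookie(String name) {
        Cookie cookie = new Cookie(name, "");
        cookie.setPath("/");       // assumed to match the login cookie
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setMaxAge(0);       // Max-Age=0 tells the browser to delete it
        return cookie;
    }

    /** Record a token id as revoked until its own expiry; after that the normal
     *  exp check already rejects it, so stale entries are pruned. */
    public static void revoke(String jti, Instant expiresAt) {
        REVOKED.put(jti, expiresAt);
        REVOKED.values().removeIf(exp -> exp.isBefore(Instant.now()));
    }

    /** To be called by the authentication filter on every request after the
     *  signature and exp checks; a token replayed after logout is refused here. */
    public static boolean isRevoked(String jti) {
        Instant exp = REVOKED.get(jti);
        return exp != null && exp.isAfter(Instant.now());
    }

    /** Logout action: revoke the presented token, then expire the cookie. */
    public static void logout(HttpServletResponse response, String cookieName,
                              String jti, Instant tokenExpiry) {
        revoke(jti, tokenExpiry);
        response.addCookie(expiredCookie(cookieName));
    }
}
```

Without the isRevoked check in the request filter, the captured token described in the question keeps working for the remaining 15 minutes even though the browser no longer has the cookie.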

Session object Not getting clear after log out when calling through postman

I have a page where I log in and then press F12, copy the request headers, cookies and the request URL, and using POST in Postman I get the data.
After I log out and refresh the page, I use the same cookie in Postman and post to the URL, but I still get the data, even though I have logged out.
I don't want to get any data after I have logged out. I want the cookie to expire or change when I log out.
Using Postman after logout should not return any data in the response.
Please help me.
Here is my logout code:
Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
' The opening If was missing from the posted snippet; a Nothing check is the assumed guard
If authCookie IsNot Nothing Then
    Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
    Session.Abandon()
    Session.Clear()
    FormsAuthentication.SignOut()
End If
' Clear and abandon the server-side session (repeated calls from the original collapsed)
Session.Clear()
Session.RemoveAll()
Session.Abandon()
FormsAuthentication.SignOut()
' Tell browsers and proxies not to cache the logout response
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetNoStore()
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
Response.Expires = 60
Response.ExpiresAbsolute = Now
Response.CacheControl = "no-cache"
HttpContext.User = New GenericPrincipal(New GenericIdentity(String.Empty), Nothing)
Response.Redirect(System.Configuration.ConfigurationManager.AppSettings("root").ToString() + "logon.aspx")

How to set domain for cookie in the Spring MVC web app?

I have a Spring MVC app where I want to manually add a cookie for a page. The code below shows how I am doing it:
@RequestMapping(value = "/add-cookie",
                method = RequestMethod.GET,
                produces = "text/html;charset=UTF-8")
@ResponseBody
public String addCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("cookiename", "cookievalue");
    response.addCookie(cookie);
    return "<html></html>";
}
This code works fine and adds the cookie as expected. But I want to add a cookie with a specific domain. So I add the line cookie.setDomain("mydomain.com"); after declaring the cookie object. Now, instead of adding the cookie with this domain, it does not add the cookie at all.
So is it possible to add a cookie with a specific domain to your page? And how do I do it?

spring csrf token from session

Hi, I am using Spring MVC version 4.3. We are using Spring's CSRF functionality. The springSecurityFilterChain defined in web.xml makes sure requests go through the CsrfFilter class. As far as I know, Spring stores the CSRF token in the session.
I have created a controller method which accepts an HTTP GET call. This is the first method in my application. The first time I try to access the token from the session I get null. I tried the possibilities below; only the request.getAttribute("_csrf") call returns a value. Why am I getting null from the session call? Is it okay to use request attributes?
HttpSession session = objHttpRequest.getSession(false);
HttpSessionCsrfTokenRepository sessionToken = new HttpSessionCsrfTokenRepository();
System.out.println("HttpSessionCsrfTokenRepository token = " + sessionToken.loadToken(objHttpRequest)); // Returned null
CsrfToken token = session == null ? null
        : (CsrfToken) session.getAttribute("org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN");
System.out.println(">>>>> session token " + token); // Returned null
token = (CsrfToken) objHttpRequest.getAttribute("_csrf");
System.out.println(">>>>> request token " + token); // Returned token value
Be very careful using session.
The session attribute is set as stated. But it is for the duration of the user interaction. So you don't have any indication on the server side where this came from. So the "bad-guy" code can simply ride on your session and the check will think it is ok.
The token must be part of the form data submitted or as part of the header.
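Reading the token from the request attribute, as the answer recommends, and handing it to the browser in the form and in a header-friendly meta tag is what lets CsrfFilter distinguish a genuine submission from a cross-site one. Added example, not from the question or the answer; the /profile mapping and the email field are placeholders, and it assumes Spring Security's lazy token repository (the default since 4.1), under which the token is only written to the session once getToken() is called on the request attribute.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class CsrfFormController {

    /** Render a form that carries the CSRF token; the browser sends it back with
     *  the POST (hidden field, or the header for XMLHttpRequest) and CsrfFilter
     *  compares it with the server-side copy before the request reaches a handler. */
    @RequestMapping(value = "/profile", method = RequestMethod.GET,
                    produces = "text/html;charset=UTF-8")
    @ResponseBody
    public String profileForm(HttpServletRequest request) {
        // CsrfFilter stores the token under both "_csrf" and CsrfToken.class.getName()
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        // With the lazy repository this call is what persists the token to the session
        String value = csrf.getToken();
        return "<html><head>"
             + "<meta name='_csrf' content='" + value + "'/>"
             + "<meta name='_csrf_header' content='" + csrf.getHeaderName() + "'/>"
             + "</head><body><form method='post' action='/profile'>"
             + "<input type='hidden' name='" + csrf.getParameterName()
             + "' value='" + value + "'/>"
             + "<input name='email'/><button>Save</button>"
             + "</form></body></html>";
    }
}
```

An XMLHttpRequest client reads the two meta tags and sends the token in the named header; a page on another origin cannot read either, which is why a session-only check is not enough.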

How to get session token after successful authentication?

After successful authentication via a form-post sign-in, I need to be able to use the same session token within the response to do another POST to a protected route, but this time using XMLHttpRequest.
How would I get the session token, considering that the successful authentication response has already passed?
The session token is stored in a laravel_session cookie, assuming default Laravel settings (see config/session.php).
You can read the cookie in JavaScript using document.cookie. For example:
function readCookie(name) {
    // match "name=value" at the start of document.cookie or after a "; " separator
    var matches = document.cookie.match('(^|; )' + name + '=([^;]*)');
    if (matches) {
        return decodeURIComponent(matches[2]);
    }
    return null;
}
var token = readCookie('laravel_session');
