I am trying to set a cookie using go in the chrome browser but can only get it to set in postman.
The cookie successfully sets in postman but is simply not setting in chrome with no error.
I have set CORS as default using this package https://github.com/gin-contrib/cors as I have had issues with CORS requests in the past and this seemed to solve the issue.
I set the cookie using:
c.SetCookie(
"TOKEN",
tokenString,
3600,
"/",
"localhost",
false,
true)
I have tried replacing localhost with http://127.0.0.1 which again works in postman but not chrome or firefox. I have also tried setting the cookie with the http package instead but this has failed in the same way.
EDIT I have also tried domain as blank ("") but this has the same outcome.
You passed true to the secure argument of SetCookie but you're sending the cookie to an insecure http address.
As per the MDN docs:
A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
Related
I've recently started using Postman and I am testing an API where I get a CSRF token and then login but I always get a CSRF token mismatch. I am including X-XSRF-TOKEN header but I think the issue is around the cookies not being stored correctly.
I am calling a Laravel Sanctum endpoint to get a CSRF token and when I look in the in the console I can see Set-Cookie response headers
However, when I look in the cookies tab it says no cookies were received from the server
However, when I look at the cookies store they are listed for my test domain (home.local)
Due to this issue, when I send a request to the login, the session cookies are not sent in the request as shown in the console on the request to the login endpoint
I can do this fine using Insomnia.Rest client so I know the API is working as expected - I am however trying to replace Insomnia with Postman.
I've tried Google, but I've only found some bugs that were introduced that seemed to cause something similar back in 2016
Update
I managed to Postman working with production fine using a pre-request script to get the CSRF token and set the environment variable using the below:
const url = pm.environment.get('base_url');
const referer = pm.environment.get('Referer');
pm.sendRequest({
url: `${url}/sanctum/csrf-cookie`,
method: 'GET',
}, function (err, response, {cookies}) {
if (!err) {
console.log("cookies", cookies);
pm.environment.set('xsrf_token', cookies.get('XSRF-TOKEN'))
}
});
Although this worked on production and successfully did the POST request, on my local dev PC, I was still getting the CSRF mismatch.
Although the request/response looked the same between dev/and prod I for some reason had the idea to change my dev URL from my-app.home.local to my-app.home.com and now the cookies are received and send in the next request to login without getting a CSRF token mismatch.
There's clearly an issue with postman here but not sure if it's something I'm doing or a bug in Postman. Does .local mean something different?
I am trying to implement CSRF protection using spring and angular. In Spring, I configured:
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
cookieCsrfTokenRepository.setCookieName("test");
cookieCsrfTokenRepository.setHeaderName("test");
Which works as can be seen in the server's response:
Response headers showing Set-Cookie: test=....
But somehow the cookie is not being set. When looking at my the cookies for the website or even all cookies of Chrome which I freshly cleaned before, there simply are no cookies at all:
No cookies shown by chrome
The setting in Chrome is "Allow all cookies".
I read that the set-cookie header sometimes causes troubles on localhost and without https, so I also tried on my deployment server with the same result unfortunately. Any ideas on why that happens?
I don't understand why the following response is not able to set cookies.
It works in localhost.
I am developing a Laravel application and have added an iframe as follows:
The iframe does not connect and simply says www.google.com refused to connect. I have done some research and it appears this related to X-Frame-Options being set. Within the Chrome Browser Developer Tools, I see the following error message:
A cookie associated with a cross-site resource at https://www.google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
My guess is this is a setting that needs to be changed at the XAMPP server level within Apache but I cannot figure out where. Any ideas?
If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.
open this URL :
chrome://flags/#same-site-by-default-cookies
and disable SameSite by default cookies
SameSite prevents the browser from sending the cookie along with cross-site requests.
if you don't want to disable SameSite by default cookies you can add response header before sending back response to resolve this:
return response($content)
->header("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
I've managed to make a CORS request on IE8 using XDomainRequest. However it seems the cookies are not sent on IE8. Is there any hack for that ? The request is made from buy.example.com to buy.api.example.com
There is no way except to include the authentication cookie value / token in the query string e.g. : buy.api.example.com/?sessionId=$sessionId&otherparameters=test and set your webservice to check the query string if cookies are not present.
There is another way. If you use SSL on the non-default https port, it will keep sending the cookies.
For example, if your URL is something like this https://example.com:8443/xxxx, then it will send the cookies.
I experience the same issue you have. My web app (internal web app) was working with https but in a non standard port and it just works fine. When I configure to use 443, it stops working because the cookies are not sent by XDomainRequest object.
I hope this will help