Iframe content load in Chrome browser - ajax

I am trying to launch my application, which loads an iframe as soon as the URL has completely loaded.
The iframe has 3 fields:
username,
password,
next button.
When I pass the details and click on the next button, it should load the OTP content (ajax call) in the same iframe. When I use Chrome I can pass a username and password, but upon clicking on the next button, it goes to some private site instead of loading the OTP content in the same iframe, whereas things work fine in the IE browser. I am not getting any exception either.
What could be the reason?

Related

Laravel session killed when opening site in iframe in Firefox

This issue only seems to be affecting Firefox, and then only some users (with no obvious version/security-setting differences). We are getting session loss in our Laravel app.
We have a payment integration that uses the Opayo server integration in an iframe. This opens the payment form in an iframe in the Laravel app. Payment details are provided, and the payment is successful, including hitting an Opayo webhook to confirm the transaction.
The webhook returns a redirect URL that Opayo uses to redirect the user (in the iframe, naturally). This redirect URL is simply a URL on the same site as the app (i.e. the iframe parent).
At the point that the iframe loads the redirect URL, the site session is immediately killed. Originally, the page at the URL broke out of the iframe (set window.top.location) and also did some ajax calls; I removed both of these actions to confirm they weren't somehow responsible for the session getting nuked.
The site is served over HTTPS with a valid certificate. The session cookie is set to Secure and HttpOnly, and SameSite is 'lax'.
What could be causing this behavior?
This is because the iframe is not exactly your page running on your system. So, if the iframe is not on your system, it will not have access to the cookies that are in your application.
If the iframe is from your application, I advise you to use query params in the URL of the iframe to pass the necessary information into the iframe. Something like:
<iframe src="https://www.foo.bar?value=1&value_2=2"></iframe>

Chrome and MS Edge do not share the same session cookie for the same domain across separate browser instances

I am testing my ASP.NET Core 3.1 web app for session cookie behaviour.
I created a very simple app with login functionality, which works perfectly. After I log in, I can access a protected page (with the [Authorize] attribute).
Then I tested the following scenarios.
After logging in:
Chrome/Edge: Open a new tab to access the protected page - it works (no login screen appears)
Chrome/Edge: Open a new window (same instance) to access the protected page - it works (no login screen appears)
Chrome/Edge: Open a new instance to access the protected page - then it shows the login screen, not authenticated
However, when I run it using IE, all of the above cases are accepted as authenticated (no login screen appears).
What should I do to share the same session cookie across separate browser instances for Chrome and Edge?

How to Invalidate previous login session

I'm facing a security issue.
I have two JSP pages (the login page and the after-login page) and I'm exploring them in Chrome.
After I log in, the browser moves to the next page.
Then, if I press the back button in the browser tab, the browser moves back to the login page. However, the session from my previous login is still valid.
So I can explore the entire website freely by just removing '/login' from my URL.
What I have to do is:
if the browser moves back to the login page, I should invalidate the previous session.
In your login page you can always check whether the session is set, like below:
<%
    // A user is already logged in: send them to the profile page instead of rendering the login form
    if (session.getAttribute("user") != null) {
        response.sendRedirect("your profile page"); // redirect to some page
        return; // stop rendering the rest of login.jsp after the redirect
    }
%>
In the above code, if user is not null, then it will go to your profile page. Put this code in your login.jsp to prevent the user from logging in again; also don't forget to set your attribute, i.e. user.

JMeter proxy is blocking the login

I am trying to record a test script with JMeter for an internal website hosted on the company intranet. I can record only up to navigating to the login page, submitting username/password, and clicking the login button. The login page reloads every time. Nothing else happens.
Steps to reproduce ->
1) I started the JMeter HTTP Test Script Recorder
2) I changed the browser settings to point it to the proxy.
3) Navigated to the login page, keyed in username/password, and clicked login
4) The login page reloads, nothing else happens.
I tried it on all the browsers. It's the same everywhere. I recorded tests on Gmail and Facebook successfully. I did not face any issue there with navigation. Please help me. Is it an issue with the server where the site is hosted?
What kind of login authentication do you use in your internal website? Is it the same authentication as Gmail or Facebook (using a login form, then comparing it to a database)? Or is it Active Directory user (Windows account) authentication (usually there is a browser popup to enter username and password)?
You can try this:
Start the JMeter HTTP Test Script Recorder
Change the browser settings to point to the proxy
Navigate to the login page, key in username/password, and click login. From this point, you will have a sampler for the login step
Change the browser settings to not use the JMeter proxy
Navigate to the login page, key in username/password, and click login. It should work
Change the browser settings to point to the proxy again
Do the rest of the recording normally to get the remaining scenarios.
I hope that will help you.

session timeout handling in jquery popup window

I have used a jQuery modal popup in my MVC application. After the session times out, the user should be navigated to the login page, but when we click the button which opens the modal popup, the login page is opened inside the popup. It should not happen in the popup. Please give me some solution for this. Thanks.
Your XHR seems to get redirected to the login page; this is probably due to your server not handling session timeouts for XHRs (the XHR response is the markup of the redirect target). What technologies do you use on the server side? Some code (especially server side) would be nice.
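An added example, not code from the thread above: a client-side check that recognises when the XHR response for a modal is really the login page (either because the server answered 401, or because the browser transparently followed the 302 to the login route) and navigates the top-level window there instead of rendering it inside the popup. The login route /Account/Login and the 401-on-timeout server behaviour are assumptions.

```javascript
// Added example, not code from the original thread. Assumptions: the login
// route is /Account/Login, and the server answers XHR calls made after a
// session timeout with HTTP 401 (the preferred fix, because the client then
// never receives login-page markup at all).
const LOGIN_PATH = "/account/login"; // assumed login route, compared case-insensitively

// Decide what a response meant to fill a modal popup actually is.
// resp = { status, responseURL, body }  (mirrors XMLHttpRequest fields)
function classifyModalResponse(resp, origin) {
  // Preferred case: the server signals the expired session explicitly
  if (resp.status === 401 || resp.status === 403) {
    return "session-expired";
  }
  // Fallback: the browser followed a 302 to the login page transparently, so
  // the XHR reports 200 but its final URL is the login route
  if (resp.responseURL) {
    const finalPath = new URL(resp.responseURL, origin).pathname.toLowerCase();
    if (finalPath === LOGIN_PATH) {
      return "session-expired";
    }
  }
  return "content";
}

// Either render the partial into the popup, or send the whole window to the
// login page with a return URL; the login page never ends up inside the modal.
// ctx = { origin, currentPath, render(html), navigate(url) }
function handleModalResponse(resp, ctx) {
  if (classifyModalResponse(resp, ctx.origin) === "session-expired") {
    const target = LOGIN_PATH + "?returnUrl=" + encodeURIComponent(ctx.currentPath);
    ctx.navigate(target);
    return "redirected";
  }
  ctx.render(resp.body);
  return "rendered";
}

// Constructed sample: what the popup receives after the session has expired
// and the server redirected the XHR to the login page (status still shows 200).
const expiredSample = {
  status: 200,
  responseURL: "https://app.example/Account/Login?ReturnUrl=%2FOrders%2FEdit%2F7",
  body: "<html>...login form markup...</html>",
};
```

In the real page, `resp` would be the XMLHttpRequest object from the modal's ajax call and `ctx.navigate` would assign `window.location.href`.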