A cookie has been set with the SameSite=Strict attribute. When JavaScript tries to read the cookie before making an XHR request, the cookie seems to be unavailable. But the developer tools show the cookie exists. This problem is happening only in the recent version of Firefox. Not sure if I am missing anything. The domain and the path are set right on the cookie.
Apparently, it depends on how you get to the page that performs the XHR request. If you get there by clicking on a link on another website (say, following a link on your webmail client), the Strict cookies will not be available, even in subsequent XHR requests! This behaviour seems to be different in Firefox than in other browsers.
Some more info you may find here: https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
I still don't know why; I think it's about the Firefox behavior. I fixed it by using location.replace("") to reload the page, but you can also use "lax" or "none" to fix that.
None of my cookies have a SameSite attribute set. I have just noticed that Firefox DevTools console shows the following warning for my website:
Cookie “PHPSESSID” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
It also displays exactly the same warning message for my first-party cookies (such as the one I use to store a shopping basket) as well as for all the Google gtag cookies. I have checked, and both Safari and Chrome show no warning. If I didn't happen to use Firefox for development I would never have known!
The link provided to the Mozilla website provides no timeframe for when such cookies may be rejected by the browser and confusingly states that cookies without a SameSite attribute will be treated as Lax (which would be fine).
So my question really is: can I ignore this warning, as it seems somewhat erroneous, or must I take steps to set a SameSite attribute for all cookies, including session cookies, which is a bit of a hassle?
Thanks.
To answer my own question, in case this is of help to anyone: I decided to be on the safe side and not ignore the Firefox warning, and implemented the following code in .htaccess:
<IfModule mod_headers.c>
    # Append SameSite=Lax to every Set-Cookie header this server sends
    Header always edit Set-Cookie ^(.*)$ $1;SameSite=Lax
</IfModule>
This sets SameSite to Lax for all my first party cookies including the PHP session cookie.
I didn't set Secure and SameSite to None as I don't require this, and anyway it apparently has some support issues on older browsers.
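As an added illustration (not code from the question or answer above), the following Python models the warning condition Firefox printed and compares the mod_headers rule above, which appends SameSite=Lax to every cookie, with a narrower variant that only touches cookies lacking a SameSite attribute. The sample Set-Cookie headers are constructed for the demo.

```python
import re

# Constructed sample Set-Cookie headers for the demo (not taken from the post above).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",          # first-party, no SameSite
    "basket=item42; Path=/",                        # first-party, no SameSite
    "_ga=GA1.2.1; Path=/; SameSite=None",           # SameSite=None without Secure
    "_gid=GA1.2.2; Path=/; Secure; SameSite=None",  # SameSite=None with Secure
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into its name=value pair and a dict of lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0], attrs


def firefox_warns(header):
    """Condition behind the console warning quoted above: SameSite is None, invalid
    or (as for the questioner's cookies) absent, and the Secure attribute is missing."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    return samesite not in ("lax", "strict") and "secure" not in attrs


def htaccess_edit(header):
    """The mod_headers rule above, expressed in Python: unconditionally append ';SameSite=Lax'.
    Note that a cookie already carrying SameSite ends up with the attribute twice."""
    return re.sub(r"^(.*)$", r"\1;SameSite=Lax", header)


def add_samesite_lax_if_missing(header):
    """Narrower variant: add SameSite=Lax only when the cookie declares no SameSite at all,
    so a cookie that deliberately carries 'SameSite=None; Secure' is left untouched."""
    _, attrs = parse_set_cookie(header)
    return header if "samesite" in attrs else header + "; SameSite=Lax"


def lint(headers, fixer):
    """Return, per header, whether Firefox would warn before and after applying `fixer`."""
    return [(firefox_warns(h), firefox_warns(fixer(h))) for h in headers]
```

Run `lint(SAMPLE_HEADERS, htaccess_edit)` against `lint(SAMPLE_HEADERS, add_samesite_lax_if_missing)` to see that the blanket rule silences the warning even for a cookie that explicitly asked for SameSite=None, whereas the narrower variant leaves that cookie for the developer to fix by adding Secure.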
Is it possible to change the HTTP_REFERER value in VBScript? To avoid XSS attacks I am using CSRF data in my links. But when I am linking the user to an external website, this CSRF data could be caught by the destination webpage if they are checking the HTTP_REFERER.
So I read you should put an intermediate page in between, which will redirect to the desired page. So I tried creating a page named RedirectPage.asp which takes the URL as a parameter and does a Server.Redirect. But if I would click an external link on pagex.asp?CSRF..., the final HTTP_REFERER I catch is still pagex.asp.
So is there a way to "clean up" my REFERER header?
Thanks!!
By using a meta redirect instead of a redirect header, you can alter the referrer in Firefox and IE, but not Chrome, as mentioned here: https://stackoverflow.com/a/2985629/160565
You can consistently clear (not change, but eliminate) the http_referer by redirecting through an SSL page however.
To save yourself a redirect, you could also check for browsers that support the rel="noreferrer" HTML5 attribute and use that instead in those cases. I believe currently that's just WebKit browsers.
http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
I have a number of sites using Kohana's session handler set to use database sessions. Everything works fine until I turn on Resource Tracking in Safari's Web Inspector. After enabling resource tracking, the page refreshes (normal), but then if I refresh the page twice I get logged out. From what I can tell, the session id/key changes therefore it has no session. Upon watching the storage/cookies area, I can see the session id cookie change immediately.
I haven't been able to reproduce similar behaviour in any other browser, including Chrome (Webkit).
Any ideas what might be causing this?
This appears to be fixed in Safari 5.1, so in other words, no longer an issue. I'd still love to know why it was happening (in case there's another issue), but for now it's resolved.
I'm using jQuery's ajax .get method to retrieve data from my server. Works perfectly in Chrome, but in IE9 it is not sending the Cookie header and that breaks the app. Any idea why? Here's the jQuery code:
// GET .../rest/photo/<profileId>/count and write the returned count into #imageCount
$.get(this.server + 'rest/photo/' + this.profileId + '/count', function(data) {
    $('#imageCount').html(data);
});
I have the same problem here, I can't get the jQuery .ajax() function to work. The only workaround I found is this:
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
You can add this meta tag to the top of the page to get it working. But it doesn't feel like a good solution. I think the problem is that the XMLHttpRequest object in IE9 is different, so jQuery cannot find the respective object; therefore ajax is not triggering.
I ran into a similar issue to the OP many years later with IE9 which, sadly, is still hanging on.
Every browser I tried, including IE10+, seemed fine with passing cookies to my backend, but IE9 would just drop them. It didn't seem to matter what attributes were on the cookies. The main page and API were on the same domains and the cookies matched, the schemes were the same. I wasn't doing anything with IFRAMES, so the P3P 'potato' hack didn't help.
So I started doing some research on what it was about IE9 that could be different. This Microsoft post was very enlightening, and outlines all the things that IE8 and IE9 did to help lock down CORS security holes:
Must use HTTP(S), and both endpoints must use the same scheme
Must use GET/POST
No custom headers allowed
Only text/plain content-type allowed
More sensitive to Security Zone settings
Cookies will be stripped from the request
That last item about the cookies got me thinking, what if IE9 thought I was making a cross-site request? It certainly looked like it was getting shot down in fine fashion like that. I had already checked some of the obvious things like the scheme and domain, but maybe I didn't check everything.
The solution? Specifically, I was using reqwest as my ajax library. It has a cross-origin parameter, which I had left set to true for some reason. Setting it (correctly) to false did the trick - all my cookies were picked up by the server. So it was a dumb mistake, but I learned a thing or two.
Hope this helps someone!
How can I use Fiddler to confirm that HTTP caching is working? Is there another better way?
You can confirm caching by having a page fetch a resource and note that no request for the resource appeared in Fiddler. I can't think of a better way to do it. Works for me.
Right-click the URL in Fiddler and click Properties; you can check the cache info in that popup under "WININET CACHE INFO".
Browse the site through the Fiddler as proxy. In each response details, there's a tab "Caching". This shows useful info about the response headers - e.g. what the different Cache-Control and Expires values mean.
I think the best way is to use the method demonstrated within most caching tutorials - Have a label on the page that displays the current server time. If the value is cached, you will not see it update with subsequent page refreshes until the cache is regenerated.
If your requirement is more complex (you need to use Fiddler), Anthony's suggestion is the one I have used successfully in the past.
Fiddler will definitely help with this. You'll either see the server respond with an HTTP 304 response (Not Modified, which tells the client that the cached item is still valid) or, for content that has its web expiry set correctly, you won't see a request at all.
In fact, you'll find Firefox plus FireBug will do this for you too.
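As an added example (not from any of the answers above), this Python models the three outcomes the last answer says you will see in Fiddler for a re-fetch: no request at all while the cached copy is fresh, a 304 once it is stale but the origin's ETag still matches, or a full 200. The cached responses, timestamps and ETags are constructed; freshness follows max-age, then Expires minus Date, with no-store/no-cache forcing revalidation.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed clock and cached responses (headers as Fiddler would have shown them).
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
CACHED_IMAGE = {"stored_at": T0, "headers": {"Cache-Control": "max-age=600", "ETag": '"v1"'}}
CACHED_PAGE = {"stored_at": T0, "headers": {"Date": "Mon, 01 Jan 2024 12:00:00 GMT",
                                            "Expires": "Mon, 01 Jan 2024 12:05:00 GMT",
                                            "ETag": '"p7"'}}
NO_STORE = {"stored_at": T0, "headers": {"Cache-Control": "no-store"}}


def at(seconds):
    """Constructed wall-clock time `seconds` after the responses were cached."""
    return T0 + timedelta(seconds=seconds)


def freshness_lifetime(headers):
    """Seconds the response may be reused without contacting the origin:
    max-age wins over Expires; no-store/no-cache mean 'always revalidate'."""
    directives = {}
    for d in headers.get("Cache-Control", "").split(","):
        key, _, value = d.strip().partition("=")
        if key:
            directives[key.lower()] = value
    if "no-store" in directives or "no-cache" in directives:
        return 0
    if directives.get("max-age", "").isdigit():
        return int(directives["max-age"])
    if "Expires" in headers and "Date" in headers:
        delta = parsedate_to_datetime(headers["Expires"]) - parsedate_to_datetime(headers["Date"])
        return max(0, int(delta.total_seconds()))
    return 0


def fiddler_observation(cached, now, origin_etag):
    """What the Fiddler session list shows when the browser re-fetches at `now`:
    'no request' (served from fresh cache), '304' (conditional request, origin ETag unchanged)
    or '200' (cache unusable, or the origin has new content)."""
    age = (now - cached["stored_at"]).total_seconds()
    if age < freshness_lifetime(cached["headers"]):
        return "no request"
    etag = cached["headers"].get("ETag")
    if etag and etag == origin_etag:
        return "304"  # If-None-Match matched, server answered Not Modified
    return "200"
```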