We are using Set-Cookie to achieve SSO for our application. It is working fine in android and iOS versions<10. But, for iOS10 though we are receiving Set-Cookie value in repsonseHeader , it is being ignored by safari. When I try jqHR.getAllResponseHeaders() method all the values except 'Set-Cookie' can be seen in console.
Can you please suggest a solution for this?
Related
I am trying to implement CSRF protection using spring and angular. In Spring, I configured:
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
cookieCsrfTokenRepository.setCookieName("test");
cookieCsrfTokenRepository.setHeaderName("test");
Which works as can be seen in the server's response:
Response headers showing Set-Cookie: test=....
But somehow the cookie is not being set. When looking at my the cookies for the website or even all cookies of Chrome which I freshly cleaned before, there simply are no cookies at all:
No cookies shown by chrome
The setting in Chrome is "Allow all cookies".
I read that the set-cookie header sometimes causes troubles on localhost and without https, so I also tried on my deployment server with the same result unfortunately. Any ideas on why that happens?
Since IE10 has installed on my Windows 7 box, it is impossible to login into my application...
It was OK with IE9 and it still OK with FF and Chrome.
The problem is that session cookies (jsession id) are not send by IE when doing ajax request (POST or GET).
I've seen on SO many trouble with IE10 and cookies but no one can applied to my problem :
IE10 User-Agent causes ASP.Net to not send back Set-Cookie (IE10 not setting cookies)
jquery ajax $.post not working IE10
IE10 sharing cookies across subdomains by default
I precise that I'm not crossdomain. I use a Jasig/CAS for authentication and CAS cookies nor session cookies are send by ajax request.
Ajax request are send via JQuery (last version).
Any help would be greatly appreciated.
Thanks in advance.
EDIT1:
I tried all IE security options and the last do not track without success.
EDIT2:
I try Google Chrome Frame into my IE10 with adding but nothing better.
I've found what happens, and it can be usefull for others. #Mark Ormston was not so far :
Cookies set with path /cas are send by IE10 to URL beginings with /cas-services
In my case /cas and /cas-services are not in the same WebApp and each have its own JSESSIONID. Sending JSESSIONID created for /cas to /cas-services lead to the problem describe above.
To correct, I simply rename /cas-services with /app-services (I guess that everything not beginning with /cas should work).
JM.
I've had a similar problem and just added to the Web.Config in IIS cookieless="UseCookies" in the Authentication section.
I've managed to make a CORS request on IE8 using XDomainRequest. However it seems the cookies are not sent on IE8. Is there any hack for that ? The request is made from buy.example.com to buy.api.example.com
There is no way except to include the authentication cookie value / token in the query string e.g. : buy.api.example.com/?sessionId=$sessionId&otherparameters=test and set your webservice to check the query string if cookies are not present.
There is another way. If you use SSL on the non-default https port, it will keep sending the cookies.
For example, if your URL is something like this https://example.com:8443/xxxx, then it will send the cookies.
I experience the same issue you have. My web app (internal web app) was working with https but in a non standard port and it just works fine. When I configure to use 443, it stops working because the cookies are not sent by XDomainRequest object.
I hope this will help
SCENARIO:
I have a java web app running in the latest Tomcat 6. I also have a single servlet filter that provides authentication. I support BASIC auth and it appears to work fine - most of the time.
The first time a browser [pick any one - IE, FireFox, Opera, Safari, Chrome] hits one of our protected URL(s), it displays the standard browser-specific login prompt. IFF you enter the proper username/password - everything is fine, a new session is created, and everything operates normally.
IF, however, you entered invalid credentials in the initial BASIC auth dialog, my authentication filter logic handles this by returning another 401 response.
PROBLEM:
Unfortunately, at this point, Chrome is the only browser that will display another BASIC auth dialog. All other browsers listed automatically send the cached "Authorization: Basic.." header - instead of clearing it and prompting the user again.
If anyone has seen this or may know why this is happening, I would greatly appreciate any suggestions!
Thanks and Best Regards,
Bob
problem solved:
After looking over my code again, I found a point where a 401 was being returned without also setting the WWW-Authenticate HEADER.
-bob
When I am calling a REST service through AJAX, its working fine. I am calling it with the URL staring with HTTP e.g.: http://www.myserver.com/customers. Its works really great.
But when I am calling a same URL but with HTTPs e.g.: https://www.myserver.com/customers,
I am not getting any response from server.
Its not working for GET or POST both.
Its not working in Mac firefox, actually I am developing an application for iPhone using phonegap framework.
Its also not working in iPhone simulator's mobile safari.
Can anyone here know what problem is this? And how to solve this?
The requesting domain must match the requested domain down to the protocol, according to the Same Origin Policy
It could probably be because of same origin policy. read
http://en.wikipedia.org/wiki/Same_origin_policy