is there a config option to disable this;
dialog when visiting a URL and passing credentials in the URL, e.g.
https://user:password#protected-site.com/
Setting the somewhat hidden network.http.phishy-userpass-length to 1024 fixed it.
user_pref("network.http.phishy-userpass-length", 1024);
See http://forums.mozillazine.org/viewtopic.php?f=38&t=156433 for more information.
Related
In my staging environment (Shopware 6.4.17.2 with Varnish cache installed), I see an exception during register form submit.
ReCaptchaV3 is enabled
SHOPWARE_HTTP_CACHE_ENABLED=0
storefront->csrf->mode = twig
storefront->reverse_proxy->enabled = false
in this case I see no errors
ReCaptchaV3 is enabled
SHOPWARE_HTTP_CACHE_ENABLED=0
storefront->csrf->mode = ajax (correct setting for reverse proxy)
storefront->reverse_proxy->enabled = false
I see a call to
https://www.google.com/recaptcha/api2/reload?k=
And get invalid csrf token error, and no /csrf/generate call is sent.
Can you help me out?
Looks like your site key is missing from the request.
Look for an element with the class captcha-google-re-captcha-v3 in the source code of your page and see if the data-google-re-captcha-v3-options attribute of the element contains the siteKey.
If you can't find it in the source code, did you set your credentials in the administration at Settings > Basic Information > Captcha?
You can also set them via the CLI:
bin/console system:config:set core.basicInformation.activeCaptchasV2.googleReCaptchaV3.isActive true
bin/console system:config:set core.basicInformation.activeCaptchasV2.googleReCaptchaV3.config.siteKey xxxxxx
bin/console system:config:set core.basicInformation.activeCaptchasV2.googleReCaptchaV3.config.secretKey xxxxxx
I'm using node-http-proxy to run a proxy website. I would like to proxy any target website that the user chooses, similarly to what's done by https://www.proxysite.com/, https://www.croxyproxy.com/ or https://hide.me/en/proxy.
How would one achieve this with node-http-proxy?
Idea #1: use a ?target= query param.
My first naive idea was to add a query param to the proxy, so that the proxy can read it and redirect.
Code-wise, it would more or less look like (assuming we're deploy this to http://myproxy.com):
const BASE_URL = 'https://myproxy.com';
// handler is the unique handler of all routes.
async function handler(
req: NextApiRequest,
res: NextApiResponse
): Promise<void> {
try {
const url = new URL(req.url, BASE_URL); // For example: `https://myproxy.com?target=https://google.com`
const targetURLStr = url.searchParams.get('target'); // Get `?target=` query param.
return httpProxyMiddleware(req, res, {
changeOrigin: true,
target: targetURLStr,
});
} catch (err) {
res.status(500).json({ error: (err as Error).message });
}
}
Problem: If I deploy this code to myproxy.com, and load https://myproxy.com?target=https://google.com, then google.com is loaded, but:
if I click a link to google images, it loads https://myproxy.com/images instead of https://myproxy.com?target=https://google.com/images, also see URL as query param in proxy, how to navigate?
Idea #2: use cookies
Second idea is to read the ?target= query param like above, store its hostname in a cookie, and proxy all resources to the cookie's hostname.
So for example user wants to access https://google.com/a/b?c=d via the proxy. The flow is:
go to https://myproxy.com?target=${encodeURIComponent('https://google.com/a/b?c=d')}
proxy reads the ?target= query param, sets the hostname (https://google.com) in a cookie
proxy redirects to https://myproxy.com/a/b?c=d (307 redirect)
proxy sees a new request, and since the cookie is set, we proxy this request into node-http-proxy using cookie's target.
Code-wise, it would look like: https://gist.github.com/throwaway34241/de8a623c1925ce0acd9d75ff10746275
Problem: This works very well. But only for one proxy at a time. If I open one browser tab with https://myproxy.com?target=https://google.com, and another tab with https://myproxy.com?target=https://facebook.com, then:
first it'll set the cookie to https://google.com, and i can navigate in the 1st tab correctly
then I go to the 2nd tab (without closing the 1st one), it'll set the cookie to https://facebook.com, and I can navigate facebook on the 2nd tab correctly
but then if I go back to the first tab, it'll proxy google resources through facebook, because the cookie has been overwritten.
I'm a bit out of ideas, and am wondering how those generic proxy websites are doing. Ideally, I would not want to parse the HTML of the target website.
The idea of a Proxy is to intercept the client requests, either by ports or by backend APIs, extract the URLs of requested resources, modify them and make those requests by self from servers, and modify responses and send them back to the client.
your first approach does this except modify responses and send back modified responses.
one way to do this is to edit all links in resources return by proxy to have your web address in them, only then send them as responses back to the client.
another way is to wrap the target site in a frame, as most web proxy sites do, and have a script to crawl the page and replace all links.
there is a small problem though. javascript-based requests are mostly hardcoded in the script and it is not an easy job to replace them.
your seconds approach sounds as if it would work better, but just a sound, nothing concrete I can say. implement a tab activity checker so you can change the cookie to your active tab. please check how-to-tell-if-browser-tab-is-active discussion about that
I need to hit a post request to an API service which requires a session id along with other parameters in its post request field in order to get the required information.
I am using Postman to test this API.
I would like to know how to send a 'session id' in a post request when using Postman?
I am aware of pre-request script in Postman, but I am unaware of how to use the variable in post request.
In Postman native app:
Turn on the Interceptor.
Go to Headers
Key: Cookie
Value : sessionid=omuxrmt33mnetsfirxi2sdsfh4j1c2kv
This post is bit old but I want to still answer incase someone else is looking for an answer.
First, you need to see if intercepter is enabled in the toolbar, it is present one step away from sign-in
If does not not get enabled when you click on it, you can install extension. I think there is one for Chrome. Go ahead and add the extension.
After that you can go back to Postman and enable intercepter
You will be able to see cookies in postman and at this point you can add _session_id
I hope this will help.
Thanks,
Hit inspect on the site you are working on, when logged in
On your Chrome/browser, go to application - cookies.
Copy your PHPSESSID.
On postman headers Key: Cookie
Value: PHPSESSID=dsdjshvbjvsdh (your key)
For standalone Postman app
You can use global variables in postman. First in the Tests tab of the first request set the session as global variable:
var a = pm.cookies.get('session');
pm.globals.set("session", a);
It might be 'session_id' as well (check in the headers of your first request) instead of session. To check if this variable is set, after you do your first request, go to the gear icon and click on globals.
Then go to your second request -> Headers and for key add 'Cookie' while for value add 'session={{session}}'
Side note: be careful not to save keys that are used by your framework or they might be deleted for some reason.
On your browser:
Open the developer tools (right click and Inspect).
Go to Application Tab > Storage > Cookies.
Open your site Cookie and copy the Name and Value.
In Postman 8+:
In your Request tab, go to Headers.
Click in the eye icon to see the hidden headers.
Click in the "Cookie" link that is in the top right corner.
In the "Manage Cookies" popup, select your domain, click on "+Add" button, or edit the existent cookie.
Paste the values that you copy from the browser. The complete value will look like PHPSESSID=f20nbdor26v9r1k5hdfj6tji0p; Path=/;
Click on "Save", and close the popup.
Select Tests Section below the Request URL
if(postman.getResponseHeader("authorization")!==null)
{
postman.setGlobalVariable("token","Bearer " + postman.getResponseHeader("authorization") );
}
Here u can use SessionId to get SessionId from Header and put in global variable .
How to specify a user id and password for Visual Studio Code with an authenticating proxy?
I've seen the Proxy Server Support on the main VS Code site, but this only mentions two settings ...
"http.proxy": "http://10.203.0.1:5187/"
"http.proxyStrictSSL": false
I've set these, but still no luck, e.g. I can't install extensions ... can't even get a list of them
I suspect it's our proxy, as it needs a user id and password :-(
So how can you set these values?
Set credentials inside the proxy url:
http://username:password#10.203.0.1:5187/
WARNING: Setting your password in plaintext in a file can easily lead to your account being compromised. Further it might violate your companies data security guidelines. https://cwe.mitre.org/data/definitions/256.html
If you don't want to store your credentials in the settings file, fiddler can be used to proxy the call to the proxy. Furthermore, I believe the above only works for proxy servers using basic authentication, the following should work for NTLM.
VSCode Open Settings File:
%APPDATA%\Code\User\settings.json
add the following:
{
"http.proxy": "http://127.0.0.1:8888",
"http.proxyStrictSSL": false
}
Fiddler Confirm fiddler settings:
Fiddler Ensure Fiddler set to automatically authenticate:
VSCode Extensions should now be online:
Update
This is now no longer required following implementation of PR #22369 which was implemented in version 1.15 Proxy server authentication.
In my case I still needed to add:
"http.proxyStrictSSL": false
My favorite response here is David Martin's suggestion of using Fiddler. But in case that is not something you want to undertake, below is how to set your credentials for the proxy.
To specify DOMAIN + username + password: (It will likely not work with a slash, so use %5C in the place of the slash as shown below)
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
"https.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
To specify just username + password:
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://username:password#proxy_name_or_ip:port",
"https.proxy": "http://username:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
The venerable CNTLM could help you. You give it your credentials, tell it about the upstream proxy, run it on your local machine, then point VS to the proxy at http://localhost:3128.
http://cntlm.sourceforge.net/
It's a handy solution for any application that doesn't support authenticated proxies.
I really like the solution David Martin posted (further below) using Fiddler, however I wanted to figure out how to use http.proxyAuthorization and here is my solution considering you are OK to have credentials saved in base64 encoded format in the settings.json file.
WARNING: Saving credentials in base64 encoded format is certainly better than plain text, however consider base64 encoding as obfuscation not an encryption and the account can still be compromised - use at your own risk. Consider modifying the ACL of the settings file to reduce read access to it.
Step 1: Encode your credentials using the code below:
var s = #"DOMAIN\user:pass";
var bytes = System.Text.Encoding.UTF8.GetBytes(s);
Console.WriteLine(Convert.ToBase64String(bytes));
RE9NQUlOXHVzZXI6cGFzcw==
Step 2: Update VS Code settings by adding http.proxyAuthorization using the base64 encoded value from above:
{
"https.proxy": "https://internal-proxy.corp.net:8080",
"http.proxyAuthorization": "Authorization: Basic RE9NQUlOXHVzZXI6cGFzcw=="
}
Step 3: Secure the settings.json by updating it's ACL
Since you have stored credentials in the file to increase the security you can modify the ACL of the settings file by removing the local administrators group - make sure only you can read this file. I used the following PowerShell script to remove the local admin group for example:
#Requires -Version 5.1
# PowerShell 5.1 min version required for the code below
$settings = "$env:appdata\Code\$env:username\settings.json"
$acl = (Get-Item $settings).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true) # removes the ACL inheritance
$accesToRemove = $acl.Access | ?{ $_.IsInherited -eq $false -and $_.IdentityReference -eq 'BUILTIN\Administrators' }
$acl.RemoveAccessRule($accesToRemove)
Set-Acl -AclObject $acl $settings
Please take ref to this article.
https://taeguk.co.uk/blog/working-in-visual-studio-behind-the-firewall/
Let’s assume my NTLM login is DOMAIN\User Name and my password is P#ssword!
The format for the credentials needs to be DOMAIN\User Name:P#ssword!, but you need to URL Encode the user name and password.
A simple online URL encoded can translate your username and password to: DOMAIN%5CUser%20Name and P%40ssword!.
Piece all this info into a single string like so: http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881
Then add this into your User Settings in File, Preferences against the "http.proxy" value:
// Place your settings in this file to overwrite the default settings
{
"http.proxy": "http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881"
}
"http.proxy": "http://DOMAIN//USER:PASSWORD#wsg.test.com:8080".
Do not forget to add the port.
Use the below command and replace the username,password and ip address of you proxy:port
PS C:\Users\rathakrishnan> npm config set proxy http://username:password#172.18.10.27:3128
PS C:\Users\rathakrishnan> npm install -g #angular/cli
in Visual Studio Code (my version is 1.32.3) you write a request, i.e.
### my request
GET https://defdomain.prefix.com/app/resource
Authorization: bXl1c2VyOnVzZXIyMkBwYXNzd29yZA==
Wherefore the Authorization header is of type "Basic base64encoded" and consists of
myuser:user22#password (username:usercredentials) base64 encoded. Thats all.
I am setting Mixpanel up, and I found out that if I log in with a user (and identify that user), log out and then re-register as a new user, the new user's details overwrite the previously logged in user (presumably when I call alias). How can I tell mixpanel that a user has logged out and to reset the identity token (make it anonymous again)?
I ran into the same issue, and after some sleuthing I discovered that you can manually clear the mixpanel cookies with mixpanel.cookie.clear().
However, you need to make sure that the mixpanel library has loaded, so I ended up putting it in a stupid timeout:
var id = window.setInterval(function() {
if (mixpanel.cookie && mixpanel.cookie.clear) {
mixpanel.cookie.clear();
window.clearInterval(id);
}
}, 50);
And then, since I didn't want to do this on every page, I added a query string parameter onto my logout redirect URL. So after visiting /logout it would redirect them to /home?_ref=logout, at which point I would clear the mixpanel cookie only if that query string parameter existed.
It was pretty annoying, but it seemed to work.
It was released on Mixpanel Javascript version v2.8.0 the mixpanel.reset() function, so that's officially what should be called on user logout. See https://github.com/mixpanel/mixpanel-js/issues/67 .
for android
on logout you can use this MixpanelAPI.reset()
Call clearSuperProperties() to remove any Super Properties in local
storage.
Set new_distinct_id = UUID.randomUUID().toString());
Call .identify(new_distinct_id) and .getPeople().identify(new_distinct_id)
This should wipe the device clean for a fresh user that can then register and be aliased to another distinct_id.
The best way to do this with javascript is to delete the cookie. The name of the cookie is mp_{mixpanel_token_id}_mixpanel