I am trying (for days) to make this work: I want to connect to a Media Server using an RTMPT netConnection. In order to reach that, I have to pass an authentication cookie along with my request. In Chrome and IE it works, but in Firefox it doesn't pass the auth_cookie.
When I look into the logs I see the /open/1 request, but it has no cookie attached. Again: in Chrome and IE it uses the cookie. The cookie doesn't have the HttpOnly flag.
Another weird scenario that I encountered is: because it doesn't pass the cookie, the ApplicationServer which holds the authentication asks me for credentials. If I enter them it takes the cookie and works, and any subsequent connections work (Firefox passes the auth_cookie along with the /open/1 request); but if I delete all the cookies in the browser (via CookieController -> Remove ALL cookies and DOM storage), the credentials are requested again (no cookie is passed).
Any suggestions? I've searched all over the internet for a solution but I can't find anything...
I have two servers, a.example.com and b.example.com.
The cookie with domain .example.com was set in a.example.com/admin.
I visit the a.example.com/admin page, and from this page an HTTP request is sent to b.example.com.
I took a packet capture and found that the cookie was not sent when I use the Safari and Firefox browsers, but in Chrome the cookie was sent.
So I was wondering why this happens, and whether there exists any method by which Safari and Firefox can send the cookie?
Check this link, it may help you figure this out: https://discourse.mozilla-community.org/t/webextension-xmlhttprequest-issues-no-cookies-or-referrer-solved/11224/15
It seems that either you need to enable 'third party cookies' or you need to wrap XMLHttpRequest. Also, make sure the website is listed in the permissions section of your manifest file: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions
I have multiple subdomains in my app. There is a parent domain cookie for user logins/session, and a subdomain cookie for cross site request forgery protection (CSRF). Requests go between subdomains using cross origin resource sharing (CORS), using the login/session cookie for all subdomains.
main.foo.com is where the user logs in. The login/session cookie uses the domain foo.com.
app.foo.com is where a large portion of the app resides. This is the active page when my error occurs.
message.foo.com is used for sending messages between users. It is its own django app, with a csrf cookie using domain message.foo.com for use with its forms. It also uses the login/session cookie from foo.com.
So the user is on app.foo.com/index.php and an ajax POST needs to go to message.foo.com. The browser has made ajax GET requests to message.foo.com, which have set the CSRF cookie. The ajax POST is sent with proper CORS headers.
If I disable CSRF in the Django view using #csrf_exempt decorator, then the missing cookie is ignored and the POST is processed fine. Otherwise, I get the 403 error for CSRF.
The CSRF cookie is sent from Firefox and Chrome in normal mode. When Chrome is Incognito, the CSRF cookie is not sent.
From what I can tell, the difference between the cookies is their domain. The login/session cookie is set to foo.com, so all subdomains use it. The CSRF cookie is set by message.foo.com so it should only be sent back to that domain. But even when the request is going to message.foo.com, Chrome Incognito does not send the cookie. It may not have even accepted the cookie. (It's hard to tell if it didn't accept the cookie or if it's just not sending it back.)
This cookie scenario seems legit. The cookie is being sent back to the subdomain which set it. No other subdomains are trying to read or modify the cookie. The origin sending the request has been authorized with CORS headers.
Why does Chrome not send that cookie? Is this behavior documented somewhere?
Sorry, Stack Overflow. This question isn't actually about what I thought it was.
The problem is that I did something in my Django code which was stopping the CSRF cookie from being sent to the browser. The non-incognito browsers still had the cookie saved, but the incognito one dropped the cookie when it was closed. So when I re-opened the browsers, they still had their old CSRF cookie except the incognito browser.
I discovered this when I renamed the CSRF cookie and all the browsers stopped working. I had seen the cookie in Firebug and the Chrome dev tools, so I thought it was still being sent when it wasn't.
So, the end result is that the cookies work as I expected. All my confusion was due to the cached cookies still being sent. As far as I can tell now, the only difference with Incognito is that it clears out all the cookies when you close the last Incognito window.
Hopefully others will be reminded by this question that the cache could be getting in the way of your debugging. Checking for that early in this process could have saved me a lot of time.
I am using Firefox 22 and Selenium IDE 2.2.0.
I have loaded a page in firefox using the HTTP protocol (not HTTPS). I know for sure that the page has set a secure cookie (as a result of an embedded AJAX request). I can verify this using the browser internal url chrome://web-developer/content/generated/view-cookie-information.html - because among other cookies that page shows a cookie like this:
Name WC_AUTHENTICATION_5122759
Value 5122759%2cDKppXa7BAqnZ0ERDLb0Wee%2bXqUk%3d
Host .testserver.dk
Path /
Expires At end of session
Secure Yes
HttpOnly No
However, when I run assertCookie in the Selenium IDE I can only see the unsecure cookies, i.e. all cookies except the one above are detected by Selenium IDE:
Executing: |assertCookie | glob:WC_AUTHENTICATION_* | | yields this set of visible cookies:
[error] Actual value 'JSESSIONID=0000uCQdh2FZ0ZA8z-O5zcGoUtD:-1;
WC_PERSISTENT=lT8Z5tbkQrvLhNm%2bGyCj%2bh4yPAU%3d%0d%0a%3b2013%2d07%2d05+13%3a18%3a18%2e807%5f1373023098807%2d3048%5f10201%5f5122827%2c%2d100%2cDKK%5f10201;
WC_SESSION_ESTABLISHED=true;
WC_ACTIVEPOINTER=%2d100%2c10201; WC_USERACTIVITY_5122827=5122827%2c10201%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cy6bjcrZgvCVe5c52BBKvcItxyF5lLravpDq9rd9I0ZmRfRNxcC2oG13Eyug3kKgbtLOHVLxm9T76%0d%0a%2fGJFLp5bOrkPoNqmc38TIr%2fO7eU%2fbd7Mfny2kQg7v6xGweYoRkXYgAEz91rH0QavFhlOjpd12A%3d%3d;'
did not match 'glob:WC_AUTHENTICATION_*'
So does anyone know how can I use the Selenium IDE to verify the presence of secure cookies on a page loaded with http:// (not https://) ?
Sadly, what you are doing is breaking the specifications. A secure cookie is supposed to be only available if the connection is secure. Hence, if you are connecting with HTTP, you can't see it.
However, if this is just on your test machine (not your end user), you can modify the response from the server using Fiddler. With Fiddler, you can program something like, if you see this cookie, add another cookie, or strip the secure flag.
EDIT:
Some background information about Selenium and cookies:
Selenium works through the browser with JavaScript as part of the page. Because it is essentially a part of the page, it has to follow all the same rules as the page. This means that it still has to abide by the security rules on cookies. A secure-only cookie can only be read on a secure connection, thus Selenium cannot read a secure cookie if it's not on a secure connection.
The place where HTTP request comes in is that cookies are a part of the HTTP header. Both the request (from the browser) and the response (from the server) have an HTTP header. Cookies are present in both.
You want to verify if the server has set the cookie, so you want to inspect the HTTP response from the server for the presence of the cookie. Because of security restrictions, however, you cannot from Selenium. These security restrictions are enforced by the browser. All reputable browsers enforce these policies, since without these policies, the end user's credentials will be easily compromised.
This is where Fiddler comes in. Fiddler inspects the HTTP data at a lower level, before the browser gets to it. Thus, you can use Fiddler to manipulate the data before it gets to the browser to give some kind of indication that the cookie was present.
I have a website that uses asynchronous http requests (ajax, to use the common misnomer) for performing login and registration. The authentication cookie is set by the asynchronous request and it all works great.
I recently locked down the registration and login actions to require https. Everything appears to work, except that the authentication cookie returned isn't functioning properly and the user doesn't actually get logged in.
In Chrome, in the development tools, under resources, it doesn't show any cookies having been created. If I go to the Chrome settings and view all the cookies, I can see that a cookie has been created. Perhaps it's encrypted and not readable?
So, to summarize:
The initial page is loaded using normal HTTP
The Login action is an asynchronous HTTPS request
The authentication cookie returned by the HTTPS request doesn't seem to be working
How do I get this to work?
A couple things I should note:
This is not a CORS issue.
I am aware of the potential man-in-the-middle attack. This website does not house sensitive data. I'm attempting to do something very similar (if not exactly the same) to what reddit is doing.
I managed to figure this out. Turns out that in the HTTP response, you need to set the Access-Control-Allow-Credentials header to true. Also, you must set withCredentials to true on the client-side HTTP request.
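An added example (not from any of the posts above, nor from Selenium, Django or any browser) that uses Python's standard http.cookiejar to reproduce the scoping rules behind the example.com, foo.com, Selenium and HTTPS-login questions: a parent-domain cookie goes to every subdomain, a host-only cookie goes back only to the host that set it, and a Secure cookie is withheld from plain http:// requests. The hosts and cookie names are constructed.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response so CookieJar can parse Set-Cookie."""

    def __init__(self, set_cookie_lines):
        self._msg = Message()
        for line in set_cookie_lines:
            self._msg["Set-Cookie"] = line  # Message keeps repeated headers

    def info(self):
        return self._msg


def store_cookies(jar, url, set_cookie_lines):
    """Apply Set-Cookie headers as if a response to `url` had carried them."""
    jar.extract_cookies(_FakeResponse(set_cookie_lines), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Return the cookie names the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the domain, path and Secure checks
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def demo():
    """Constructed hosts and cookies modelled on the foo.com subdomain question."""
    jar = http.cookiejar.CookieJar()
    # Login/session cookie scoped to the parent domain, like the foo.com one.
    store_cookies(jar, "https://main.foo.com/login",
                  ["session=abc; Domain=.foo.com; Path=/"])
    # CSRF cookie with no Domain attribute: host-only for message.foo.com.
    store_cookies(jar, "https://message.foo.com/api",
                  ["csrftoken=xyz; Path=/"])
    # Auth cookie set by an HTTPS login response and flagged Secure.
    store_cookies(jar, "https://main.foo.com/login",
                  ["auth=secret; Domain=.foo.com; Path=/; Secure"])
    return {
        "https message.foo.com": cookies_sent_to(jar, "https://message.foo.com/send"),
        "https app.foo.com": cookies_sent_to(jar, "https://app.foo.com/index.php"),
        "http message.foo.com": cookies_sent_to(jar, "http://message.foo.com/send"),
    }
```

The http://message.foo.com result is the Selenium and HTTPS-login situation: the jar still holds the Secure cookie, it simply never attaches it to a non-HTTPS request.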
I am interested to see what people are storing in my session and cookies when I visit websites. Is there any way to see what's in there between request and when I'm on pages in Safari, Chrome, or Firefox?
In Firefox you can use, among others, Firebug to check the cookies being sent back and forth. Check the Net panel for complete request and response headers. The cookies are present as the Set-Cookie response header whenever the session starts and as the Cookie request header on all subsequent requests in the same session.
Here's a screenshot of the transferred headers when requesting this topic:
(note that I removed the user cookie value from the screenshot, else someone else would be able to copy it and login as myself)
You cannot check in the client side in any way what's been stored in the server side session since that's usually not exposed in the cookie values. Only the session identifier is stored as cookie value. You can at highest make some guesses based on the behaviour of the website across the requests.