Safari extension - sharing session cookie with website - session

I have a Safari extension that acts in favor of our website. It needs to share the session cookie with the website. The website sets session as,
Set-Cookie: SESS=SESS_VALUE; expires=Sat, 09-Feb-2013 11:59:05 GMT; path=/; domain=.MY_DOMAIN; HttpOnly
The extension makes requests using jQuery. The session is properly shared in all other major browsers including IE 7. But in Safari, it maintains two sessions. My Safari extension has the right domain MY_DOMAIN in its manifest file. I will be happy to hear your suggestions.

Related

Firefox won't store cookie when page is loaded within an iframe

I have a parent webpage with a child iframe:
parent at https://first-site.com
child at <iframe src="https://second-site.com"> (inside of parent)
cookie is set by the second-site.com server upon page load using this HTTP header:
Set-Cookie: iqsession=869194b8e575d0d333f9395557f564f5eca31c15761c; expires=Wed, 08-Feb-2023 03:51:14 GMT; Max-Age=600; path=/; secure; httponly; samesite=none
When I load the page on first-site.com (with second-site.com in an iframe), Firefox fails to store the cookie for second-site.com. It's not accessible under the cookies tab, nor is it available to second-site.com on subsequent page loads. There are no warnings or errors in the console.
This does work in Chrome.
Note that I am not attempting to access cookies across domains. The cookie is only set by second-site.com on the server side and only read by second-site.com on the server side. The outer parent doesn't need to know anything about the cookie.
Any ideas why this isn't working in Firefox? This issue looks related but isn't super clear.

Samsung internet browser ignoring set-cookie on Ajax request

After logging in I am setting some cookies, which works in FF, Chrome, Edge etc. However for some reason, Samsung Internet Browser seems to be ignoring my cookies.
I've got cookies enabled, and it is accepting cookies from other sites, but I can't figure out why it won't accept them. I've got this capture from my server:
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: token=e1c137y8WEZItXVWExXBWRyQl9mxgxEvEMG++F6pzwart%2FAO0lTSA3tL48oeHclD%2FLQMdXWhgXvefpGR3QGMqwMe8cg%3D; HttpOnly; SameSite=Strict; Path=/; Expires=Wed, 08 May 2019 07:03:43 GMT
Set-Cookie: email=%2FwGLVu+6Yv5fYpSyZwRE8TIi0MlZZ6WaN+OaKusCF6pEyQjomquJmWwqSgrcHg2dcBeMBU%2Foeg%3D%3D; HttpOnly; SameSite=Strict; Path=/; Expires=Wed, 08 May 2019 07:03:43 GMT
Set-Cookie: testing=TESTETSETESET; HttpOnly
Server: Rocket
Content-Length: 56
Date: Wed, 01 May 2019 07:03:43 GMT
{ ... }
I've tried changing the HttpOnly, SameSite, Secure and domain settings, but so far nothing.
Any ideas?
Samsung internet version 9.2.00.70
Edit:
It seems like maybe it's because the cookies are being set from an Ajax query. I changed it to be a response from a normal form POST, and it seems to have worked. More digging...
Turns out it was due to my Ajax request. Once I added credentials: "same-origin" to the request, it works as expected.
Your question has helped me too. I have exactly the same bug in Samsung Browser 9.2. I'm using the GitHub fetch implementation, and in the docs you can see:
The default value for credentials is "same-origin".
The default for credentials wasn't always the same, though. The following versions of browsers implemented an older version of the fetch specification where the default was "omit":
Firefox 39-60
Chrome 42-67
Safari 10.1-11.1.2
If you target these browsers, it's advisable to always specify credentials: 'same-origin' explicitly with all fetch requests instead of relying on the default:
So that's why explicitly setting credentials: "same-origin" has worked for you and for me too.
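The behaviour described in the answers above, as an added example that is not part of the original posts: a synchronous, constructed model of how fetch treats cookies under the old "omit" default versus an explicit credentials: "same-origin". The origin, the server, the cookie value and all function names are assumptions made for illustration; the wrapper explicitCredentials works unchanged around the real fetch.

```javascript
const ORIGIN = "https://app.example"; // hypothetical page origin

// Constructed server: /login sets a cookie, any other path requires it.
function server(path, cookieHeader) {
  if (path === "/login") {
    return { status: 200, setCookie: ["token=abc123; HttpOnly; Path=/"] };
  }
  return { status: cookieHeader.includes("token=abc123") ? 200 : 401, setCookie: [] };
}

// Model of one browser. defaultCredentials is "omit" for the older fetch
// specification and "same-origin" for the current one.
function makeBrowser(defaultCredentials) {
  const jar = new Map(); // cookie name -> value for ORIGIN
  function fetchModel(url, init = {}) {
    const target = new URL(url, ORIGIN);
    const mode = init.credentials || defaultCredentials;
    const useCreds = mode === "include" ||
      (mode === "same-origin" && target.origin === ORIGIN);
    const cookieHeader = useCreds
      ? [...jar].map(([k, v]) => `${k}=${v}`).join("; ")
      : "";
    const res = server(target.pathname, cookieHeader);
    // With credentials omitted, Set-Cookie in the response is ignored.
    if (useCreds) {
      for (const line of res.setCookie) {
        const pair = line.split(";")[0];
        const eq = pair.indexOf("=");
        jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
      }
    }
    return res;
  }
  return { fetch: fetchModel, jar };
}

// Always state credentials instead of relying on the browser default;
// a value supplied by the caller still takes precedence.
function explicitCredentials(fetchImpl) {
  return (url, init = {}) => fetchImpl(url, { credentials: "same-origin", ...init });
}

// Log in, then call an authenticated endpoint; returns the second status.
function loginThenMe(fetchFn) {
  fetchFn("/login", { method: "POST" });
  return fetchFn("/me").status;
}
```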

Asgard CMS Laravel application accessed through VPN not setting cookies

I have an Asgard CMS Laravel application that I am accessing through my company's VPN network, as the server it's running on is not accessible from outside the private network.
Whenever I go to the login page, I do not see the laravel_session cookies set. The HTTP header shows the following values
Set-Cookie:HttpOnly;Secure
Transfer-Encoding:chunked
X-Content-Security-Policy:default-src 'self';
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
As you would notice, a normal Asgard CMS application running fine will have some cookies set like
Set-Cookie:XSRF-TOKEN=<cookie value>; expires=Fri, 15-Jul-2016 10:29:57 GMT; Max-Age=7200; path=/
Set-Cookie:laravel_session=<cookie value>; expires=Fri, 15-Jul-2016 10:29:57 GMT; Max-Age=7200; path=/; httponly
We see above two cookies (XSRF-TOKEN, laravel_session) are being set on an application running fine.
However, in my application none of these cookies are set on the login page. Due to this, a token mismatch error occurs after the user tries to log in, as a new token gets generated, and the one in the form is the old one.
Also note that additional headers (X-Content-Security-Policy, X-Content-Type-Options, X-Frame-Options) show up which are not there in the case of a normal functional Laravel application.
Once we access this application outside the network, it continuously shows up this error.
Any clues on how to get the cookies to show up properly, and to make my Laravel application run as normal?

Web app doesn't work in Internet Explorer

My application works beautifully on Chrome, Firefox, Safari, and Opera, but fails on Internet Explorer 11 (I haven't tried earlier versions yet). Basically, I find that I cannot log in. I have narrowed the problem down to an issue with cookies. On login attempt, I get through to the server fine, and the response is the exact same as with any other browser. But for whatever reason, even though the Set-Cookie header is set, the cookie is not saved and sent on the next request to the server. My application has a (mostly) RESTful backend, and so authenticates on most requests. This obviously fails because the cookie is not set!
This problem persists whether served from localhost or from a real server. I should mention that it is a cross origin request, but the proper headers are in place (and they work on other browsers)
The response headers (when served from localhost) are as follows:
Response HTTP/1.1 200 OK
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers accept, content-type
Access-Control-Allow-Methods POST, PATCH, DELETE
Access-Control-Allow-Origin http://localhost:8000
Cache-Control no-cache,no-store
Content-Length 68
Content-Type application/json
Date Thu, 05 Mar 2015 20:00:20 GMT
Frame-Ancestors none
Server waitress
Set-Cookie session-id=ZqANyJ4KRUFoOaVgtGs/hcX+fxjMcCVM0kdRqF4riHglfAeBJJK56X9wn0XsNdPwUg; Domain=; HttpOnly;
Strict-Transport-Security max-age=31536000;
X-Frame-Options deny
I cannot figure out why this doesn't work solely in IE11! The app is not in an iframe, and the cookie actually appears in the cookies tab in the IE developer tools when I click on the network request, but it is not subsequently sent along with the next ones.
Some of my attempted solutions were:
Adding the Cache-Control header
Removing the HttpOnly flag from the cookie
Adding the Domain flag to the cookie (set as localhost or 127.0.0.1)
Removing Headers like X-Frame-Options, Frame-Ancestors, and Strict-Transport-Security
Tried multiple computers
Changed security settings to accept all cookies
All failed. Ideas?

View HttpOnly session cookies in Internet Explorer

Using Internet Options I can see all persistent cookies, and using Developer Tools I can see all JS-accessible session cookies. There does not seem to be a way to view HTTPOnly session cookies.
In Firefox there are many options, both built-in and with Firebug, to view cookies, including being able to see the request/response headers. Is there no way in IE8 to see HTTPOnly session cookies?
Related questions (no solutions for HttpOnly):
IE7 IE8
Check this out: http://blogs.msdn.com/b/jpsanders/archive/2009/06/04/understanding-the-new-wininet-flag-internet-cookie-httponly.aspx
There are a couple of new Cookie flags introduced with the Internet Explorer 8 WinInet.dll. The INTERNET_COOKIE_HTTPONLY flag allows you to read the HttpOnly cookies in your WinInet Code. This flag is documented here:
http://msdn.microsoft.com/en-us/library/aa384714(VS.85).aspx.
and here's a way to build a tool and use this:
http://www.codeproject.com/Articles/38616/Retrieve-HttpOnly-Session-Cookie-in-WebBrowser
Off the IE8 shelf not sure I see a way to retrieve HTTPOnly cookies, since the dev tools seem to show only non-HTTPOnly cookies. If you want to use a tool, use Fiddler2 and set response type to HTTPOnly.
