I'm sending an AJAX request to another domain, and it's sending me a response with a cookie, but document.cookie is empty. How can I make it visible? What permissions do I need? Thanks.
What you're attempting can't be done. (It's a browser security issue)
can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.
Related
We are experiencing an issue with Browser sending Authorization header of initial request for subsequent requests to the same requestURI.
Problem:
We have a webproject which has user specific business logic so we have this login logic where for the initial request, if we don't have a existing session we send a 401 response along with WWW-Authenticate: Basic realm="production site" header to get credentials via the client and the browser issues a rerequest with the Authorization header and we use it to create a sesssion and initiate the login process.
But however, once the browser cache & cookies are cleared the session gets destroyed but we are still getting the old(Got from the initial request) Authorization header sent to that URI.
We susupect it was cache issue but not sure.
Can someone please help us to understand whats happening here and why we are getting the same Authorization header everytime. Thanks in advance.
Basic/Digest authentication usually gets stored separate from the cache and is unrelated to cookies.
The server doesn't have a ton of control over this, but one way to force the browser to clear credentials is to just send a 401 with a new WWW-Authenticate header (even if the credentials you got are correct, you basically need some way to track that the intent was to log out), but this will create a new login dialog that the user will need to dismiss.
I'd recommend not mixing cookies and HTTP Authorization. You don't need sessions because you already know who's making the request.
Generally HTTP Auth in browsers kinda sucks and browser developers have not done a good job creating a good UX for this, which is why almost everyone just renders HTML login forms instead.
I have multiple subdomains in my app. There is a parent domain cookie for user logins/session, and a subdomain cookie for cross site request forgery protection (CSRF). Requests go between subdomains using cross origin resource sharing (CORS), using the login/session cookie for all subdomains.
main.foo.com is where the user logs in. The login/session cookie uses the domain foo.com.
app.foo.com is where a large portion of the app resides. This is the active page when my error occurs.
message.foo.com is used for sending messages between users. It is its own django app, with a csrf cookie using domain message.foo.com for use with its forms. It also uses the login/session cookie from foo.com.
So the user is on app.foo.com/index.php and an ajax POST needs to go to message.foo.com. The browser has made ajax GET requests to message.foo.com, which have set the CSRF cookie. The ajax POST is sent with proper CORS headers.
If I disable CSRF in the Django view using #csrf_exempt decorator, then the missing cookie is ignored and the POST is processed fine. Otherwise, I get the 403 error for CSRF.
The CSRF cookie is sent from Firefox and Chrome in normal mode. When Chrome is Incognito, the CSRF cookie is not sent.
From what I can tell, the difference between the cookies is their domain. The login/session cookie is set to foo.com, so all subdomains use it. The CSRF cookie is set by message.foo.com so it should only be sent back to that domain. But even when the request is going to message.foo.com, Chrome Incognito does not send the cookie. It may not have even accepted the cookie. (It's hard to tell if it didn't accept the cookie or if it's just not sending it back.)
This cookie scenario seems legit. The cookie is being sent back to the subdomain which set it. No other subdomains are trying to read or modify the cookie. The origin sending the request has been authorized with CORS headers.
Why does Chrome not send that cookie? Is this behavior documented somewhere?
Sorry, Stack Overflow. This question isn't actually about what I thought it was.
The problem is that I did something in my Django code which was stopping the CSRF cookie from being sent to the browser. The non-incognito browsers still had the cookie saved, but the incognito one dropped the cookie when it was closed. So when I re-opened the browsers, they still had their old CSRF cookie except the incognito browser.
I discovered this when I renamed the CSRF cookie and all the browsers stopped working. I had seen the cookie in Firebug and the Chrome dev tools, so I thought it was still being sent when it wasn't.
So, the end result is that the cookies work as I expected. All my confusion was due to the cached cookies still being sent. As far as I can tell now, the only difference with Incognito is that it clears out all the cookies when you close the last Incognito window.
Hopefully others will be reminded by this question that the cache could be getting in the way of your debugging. Checking for that early in this process could have saved me a lot of time.
I have a website that uses asynchronous http requests (ajax, to use the common misnomer) for performing login and registration. The authentication cookie is set by the asynchronous request and it all works great.
I recently locked down the registration and login actions to require https. Everything appears to work, except that the authentication cookie returned isn't functioning properly and the user doesn't actually get logged in.
In Chrome, in the development tools, under resources, it doesn't show any cookies having been created. If I go to the Chrome settings and view all the cookies, I can see that a cookie has been created. Perhaps it's encrypted and not readable?
So, to summarize:
The initial page is loaded using normal HTTP
The Login action is an asynchronous HTTPS request
The authentication cookie returned by the HTTPS request doesn't seem to be working
How do I get this to work?
A couple things I should note:
This is not a CORS issue.
I am aware of the potential man-in-the-middle attack. This website does not house sensitive data. I'm attempting to do something very similar (if not exactly the same) to what reddit is doing.
I managed to figure this out. Turns out that in the Http response, you need to set the Access-Control-Allow-Credentials header to true. Also, you must set the withCredentials to true on the client-side http request.
I see that google or twitter autosuggest's sends ajax requests which are very lightweight since they don't send any cookies with the request. I was wondering how do they do it?
I googled about ways but i found ways like sending via CORS but they are sending the request to the same domain.
Any idea or ways on how to do that.
I am using chrome.
Thanks in advance
These are the two options I can think of to answer your question:
Option 1: Set withCredentials: false when using XMLHttpRequest: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
Option 2: Delete cookies before sending the request and (in the case of wanted re-use restore them afterwards from temp variable) like so:
Get cookies and store them somewhere (f.i. in global var)
Delete cookies from domain
Send AJAX request
Restore cookies from variable
Can an AJAX response set a cookie? If not, what is my alternative solution? Should I set it with Javascript or something similar?
According to the w3 spec section 4.6.3 for XMLHttpRequest a user agent should honor the Set-Cookie header. So the answer is yes you should be able to.
Quotation:
If the user agent supports HTTP State Management it should persist,
discard and send cookies (as received in the Set-Cookie response
header, and sent in the Cookie header) as applicable.
Yes, you can set cookie in the AJAX request in the server-side code just as you'd do for a normal request since the server cannot differentiate between a normal request or an AJAX request.
AJAX requests are just a special way of requesting to server, the server will need to respond back as in any HTTP request. In the response of the request you can add cookies.
For the record, be advised that all of the above is (still) true only if the AJAX call is made on the same domain. If you're looking into setting cookies on another domain using AJAX, you're opening a totally different can of worms. Reading cross-domain cookies does work, however (or at least the server serves them; whether your client's UA allows your code to access them is, again, a different topic; as of 2014 they do).
Also check that your server isn't setting secure cookies on a non http request. Just found out that my ajax request was getting a php session with "secure" set. Because I was not on https it was not sending back the session cookie and my session was getting reset on each ajax request.