I'm using Faraday as an HTTP client to test my HTTP service (based on Sinatra). It's very powerful for me, but I have a problem.
We track sessions on the Sinatra service, but I cannot set the cookie value with the Faraday client. This is the sample code:
# `response` is from the Sinatra service
cookie = response.headers['set-cookie']
# now, for the follow up request...
response = client.get '/api/profile' do |req|
req.headers['Cookie'] = cookie
end
The server cannot find the session. Why?
The Set-Cookie and Cookie headers are not the same, read the RFC to know how to interpret them. In short the Set-Cookie header also contains instructions for the client how to handle the data (domain, path, expiry, etc.) and gives an update to the existing cookie store. The Cookie header on the other hand provides the contents of the cookie store, but not the meta data.
You would need to obtain or implement some kind of cookie handler to insert into your Faraday middle-ware stack.
Related
In Postman Or Jmeter, I want to call a POST API for 100 users in my collection, but after each user login, csrftoken is added to the cookie with the session, but the POST API fails when the cookie contains a csrftoken.
so how to delete the csrftoken from the cookie while maintaining the session ?
Use this as test-script in the postman request. (Note that you have to whitelist your domain in the cookie manager window if you run the collection from postman)
const cookieJar = pm.cookies.jar()
cookieJar.unset("domain.com", "csrftoken", function(error){
})
Refer documentation for more details
You don't need to remove this CSRF token cookie, you need to send correct one.
Not knowing the details of your application it is hard to say what exactly needs to be done, i.e. where the token comes from. If it is being sent by your application in the Set-Cookie header in JMeter it will be enough to add HTTP Cookie Manager
If it comes in the different header or in the response body - you will need to extract it from the previous response using a suitable JMeter Post-Processor and manually add the needed cookie in the HTTP Cookie Manager.
More information: How to Load Test CSRF-Protected Web Sites
If I am making this get request using rest-client gem
https://www.google.co.in/
I want get the following details:-
cookie
expire date
Also i want to remove the cookie(like we do clear cookies in browser).
How can i do it?
You can do the following with rest-client:
request = RestClient.get 'https://www.google.co.in/'
then inspect the cookies you have with
request.cookies
but from what I've seen there's no expire date.
To remove the cookies do the following
request.cookies.clear
I am dealing with oauth 1.0 (twitter and flickr). Website works at port 80 and oauth server works at port 8080
Algorithm:
send ajax request to oauth server to check if user have valid access_token
open authorization window if user have no access_token or access_token is expired
save access_token in user's session at the oauth server
send sharing data to the oauth server
It uses sinatra + rack:session + rack::session::sequel + sqlite to store sessions. It sends Set-Cookie: rack.session=id in each response
I am using 2 types of request: crossdomain ajax with jquery and usual request with window.open. I have a big security problem passing cookies to crossdomain ajax request.
No matter that server's response headers contains
Access-Control-Allow-Headers: *
chromium will throw security error:
Refused to set unsafe header "Cookie"
I want to avoid this problem by passing rack.session=id to post data and load it:
before "/twitter/connect.json" do
session = Rack::Session::something(params["rack.session"])
end
But I cant find in documentation how to do this
Rack::Session::Abstract::ID has an option called cookie_only that allows the session id to be passed in via the params. However, it defaults to true, and most session middleware implementations don't bother to override it.
Your best bet is probably to monkey patch Rack::Session::Abstract::ID to default cookie_only to false.
Rack::Session::Abstract::ID::DEFAULT_OPTIONS.merge! :cookie_only => false
This is just pure ruby not rail.
I'm trying to code an auto login form to change some configurations of my web hosting panel.
There are two and more cookies returned.
I wish to get ruby version of this post
How to handle multiple Set-Cookie header in HTTP response
open-uri also takes the last set-cookie header.
h1 = open("http://www.w3.org/")
h1.meta['set-cookie']
get_fields() solves this problem.
Can an AJAX response set a cookie? If not, what is my alternative solution? Should I set it with Javascript or something similar?
According to the w3 spec section 4.6.3 for XMLHttpRequest a user agent should honor the Set-Cookie header. So the answer is yes you should be able to.
Quotation:
If the user agent supports HTTP State Management it should persist,
discard and send cookies (as received in the Set-Cookie response
header, and sent in the Cookie header) as applicable.
Yes, you can set cookie in the AJAX request in the server-side code just as you'd do for a normal request since the server cannot differentiate between a normal request or an AJAX request.
AJAX requests are just a special way of requesting to server, the server will need to respond back as in any HTTP request. In the response of the request you can add cookies.
For the record, be advised that all of the above is (still) true only if the AJAX call is made on the same domain. If you're looking into setting cookies on another domain using AJAX, you're opening a totally different can of worms. Reading cross-domain cookies does work, however (or at least the server serves them; whether your client's UA allows your code to access them is, again, a different topic; as of 2014 they do).
Also check that your server isn't setting secure cookies on a non http request. Just found out that my ajax request was getting a php session with "secure" set. Because I was not on https it was not sending back the session cookie and my session was getting reset on each ajax request.