Yes, another question about httpOnly Cookies.
Like a lot of other people, I'm stuck at the same place.
I get the cookie from the server but it is never sent with other requests.
I have mysite.example.com in angularjs trying to connect to api.example.com.
Here are the response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://mysite.example.com
Connection: keep-alive
Content-Length: 2855
Content-Type: application/json
Date: Wed, 09 Jun 2021 00:52:54 GMT
Server: Apache/2.4.46 (Amazon) OpenSSL/1.0.2k-fips
Set-Cookie: WEB-TOKEN=158b691a-65fb-49c2-9d88-63bd1935531f;Version=1;Comment=;Max-Age=3600;Secure;HttpOnly;Expires=Wed, 09 Jun 2021 00:52:54 GMT
vary: Origin
Then, in AngularJS, I send a request like this (from mysite.example.com):
$http.get('https://api.example.com/userdetails', { withCredentials: true, headers: { } });
Is there anything not sent or just wrong?
Thank you!
The Path. Yes. I was missing the Path to %x2F. :)
I've read through the suggestions here. I'm making an XHR request to my service in order to get the cookie. I've tried ensuring that the Domain is missing from the cookie (not just an empty string) -
Set-Cookie: file-auth=MTU0ODIzODU1M3xEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fPzBg_EP9S6wn_7gAz0iUtS1cOOaeo78VAMdD5xxhunF; Path=/; Expires=Thu, 24 Jan 2019 10:15:53 GMT
I've tried adjusting my hosts file so that I make the request to app.localhost.com:12350 and then specifying the domain in the Set-Cookie header -
Set-Cookie: file-auth=MTU0ODIzODg4NnxEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fCdT3LhVhHIA6mPq_65ndnP1XFD2IEzLpxCmiaosHZA5; Path=/; Domain=app.localhost.com; Expires=Thu, 24 Jan 2019 10:21:26 GMT
My initial XHR (GET) request is to http://app.localhost.com:12350/test/file_service/setcookie
with the following headers
GET /test/file_service/setcookie HTTP/1.1
Host: app.localhost.com:12350
Connection: keep-alive
Accept: application/json
Origin: http://app.localhost.com
Authorization: <MY-JWT>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Referer: http://app.localhost.com/tutorials
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
And the response comes back -
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://app.localhost.com
Access-Control-Expose-Headers: Content-Length
Content-Encoding: gzip
Set-Cookie: file-auth=MTU0ODIzODg4NnxEdi1CQkFFQ180SUFBUXdCREFBQUh2LUNBQUVGZG1Gc2RXVVRaRzkzYm14dllXUXRZWFYwYUc5eWFYcGxaQT09fCdT3LhVhHIA6mPq_65ndnP1XFD2IEzLpxCmiaosHZA5; Path=/; Domain=app.localhost.com; Expires=Thu, 24 Jan 2019 10:21:26 GMT
Vary: Accept-Encoding
Vary: Origin
Date: Wed, 23 Jan 2019 10:21:26 GMT
Content-Length: 23
Content-Type: application/x-gzip
But then when I make a new GET request to http://app.localhost.com:12350/test/file_service/file? (not XHR - I'm just clicking a link in the browser), the cookie isn't sent. Looking in the cookies tab of the Chrome debugger, there's nothing set for the domain.
How do I make this work?
XMLHttpRequest has an attribute withCredentials which defaults to false. This attribute defines whether a Set-Cookie header will be honored for cross origin requests.
If you're hosting the page at http://app.localhost.com but calling http://app.localhost.com:12350 to get the cookie, the Set-Cookie header will be ignored if the withCredentials attribute is not set to true.
Setting withCredentials will depend on how you're making the request. In older browsers -
var client = new XMLHttpRequest()
client.open("GET", "./")
client.withCredentials = true // set before send(): cookies go out and Set-Cookie in the response is honored
client.send()
But a more modern solution is -
fetch("./", { credentials:"include" }).then(/* … */)
See here
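The two questions above come down to the same few Set-Cookie attributes plus the credentials flag on the request. The following is an added example (not code from either post): a builder for a cookie that survives a credentialed cross-origin fetch, and a linter that reports why a browser would drop or refuse to replay a given Set-Cookie header. Cookie names, origins and URLs are made up; "site" is approximated as the last two host labels (browsers use the Public Suffix List). Note that cookie scope ignores the port, so app.localhost.com and app.localhost.com:12350 share cookies; what gates storing a Set-Cookie from a cross-origin XHR is withCredentials on that request, which the answer above covers.

```javascript
// Added example, not code from the original posts. Names and origins are
// invented; the site check below is a simplification of the Public Suffix List.

// Build a Set-Cookie header for a session cookie that a page on another
// origin can obtain via fetch(..., { credentials: "include" }) and send back.
function crossSiteCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${value}`,
    "Path=/",            // omit Path and it defaults to the setting request's directory
    `Max-Age=${maxAgeSeconds}`,
    "Secure",            // also required whenever SameSite=None is used
    "HttpOnly",          // not readable from document.cookie
    "SameSite=None",     // without it modern browsers default to Lax: not sent cross-site
  ].join("; ");
}

// Parse a Set-Cookie header into its name/value pair and a lower-cased
// attribute map (RFC 6265 attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Approximation of "same site": last two labels of the host name.
const registrableDomain = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Return the reasons a browser would not store this cookie for `requestUrl`,
// or would not send it back on later credentialed requests from a page on
// `pageOrigin`. An empty array means the cookie scope is fine.
function lintCrossOriginCookie(header, requestUrl, pageOrigin) {
  const { attrs } = parseSetCookie(header);
  const req = new URL(requestUrl);
  const page = new URL(pageOrigin);
  const problems = [];

  if (!("path" in attrs)) {
    problems.push("no Path: cookie is scoped to the setting request's directory only");
  }
  if ("domain" in attrs) {
    const d = String(attrs.domain).replace(/^\./, "").toLowerCase();
    const h = req.hostname.toLowerCase();
    if (h !== d && !h.endsWith("." + d)) {
      problems.push(`Domain=${d} does not cover ${h}: cookie is rejected`);
    }
  }
  if ("secure" in attrs && req.protocol !== "https:") {
    problems.push("Secure cookie set over http: is rejected");
  }
  if (registrableDomain(req.hostname) !== registrableDomain(page.hostname)) {
    const sameSite = String(attrs.samesite ?? "lax").toLowerCase(); // unspecified behaves as Lax
    if (sameSite !== "none") {
      problems.push(`SameSite=${sameSite}: not sent on cross-site requests; need SameSite=None`);
    } else if (!("secure" in attrs)) {
      problems.push("SameSite=None without Secure is rejected");
    }
  }
  return problems;
}
```

Run the linter against the header you see in the browser's network tab, with the API URL and the page origin, before touching the client code; if it reports nothing, the remaining suspect is the missing withCredentials / credentials: "include" on the request.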
I want to use the API from indeed.com (https://ads.indeed.com/).
The problem is that they set their response to "Same Origin", meaning I can't use it on my platform. Since there is not much to find on Google, the question is whether anyone has figured out how to work with this API.
Example request:
http://api.indeed.com/ads/apisearch?publisher=xxxxx&q=java&l=austin%2C+tx&sort=&radius=&st=&jt=&start=&limit=&fromage=&filter=&latlong=1&co=us&chnl=&v=2&format=json&callback=results&v=2
Example response headers:
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2016 12:59:01 GMT
Server: Apache
Set-Cookie: CTK=1apaq5d2k5mlkchh; Expires=Tue, 09-Aug-2033 07:47:32 GMT; Path=/
Set-Cookie: ctkgen=1; Expires=Thu, 04-Aug-2016 13:02:01 GMT; Path=/
Set-Cookie: JSESSIONID=47FBC363B7DE7AA7FB455319986F2DC3.jasxA_iad-job4; Path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-control: no-store, no-cache, must-revalidate, private
Expires: Thu, 04 Aug 2016 12:58:01 GMT
X-Content-Type-Options: nosniff
Vary: User-Agent,Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=30, max=29977
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/javascript;charset=UTF-8
Set-Cookie: BIGipServerjob_iad=!WcxX2VJ58OOojFQRNhs+rOzpOInz86YFI2BZzMsbv9orNwX4rj5v6T936m7gDvyWulSDIiDuepFONA==; path=/
I basically fixed it by using a Server Side language (in this case Java) to make a request to the api. This solved the problem.
It is probably by design, so that the publisher ID is not visible to the client.
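As an added example (not the answerer's Java code, and not Indeed's own API), here is what a server-side proxy of that kind looks like in Node.js. The publisher ID stays on the server, only an allowlist of search parameters is forwarded, and the upstream `callback` parameter from the question's request is deliberately dropped so the proxy returns plain JSON rather than JSONP. INDEED_PUBLISHER_ID and the parameter limits are assumptions; the upstream URL is the one quoted above.

```javascript
// Added example, not code from the original posts. The publisher ID is an
// assumed environment variable; parameter names come from the question's URL.

const UPSTREAM = "http://api.indeed.com/ads/apisearch";
const PUBLISHER_ID = process.env.INDEED_PUBLISHER_ID || "xxxxx"; // never sent to the browser

// Only these client parameters are forwarded, each with a length cap, so the
// proxy cannot be used to override publisher/format/callback or to smuggle
// arbitrary query strings to the upstream.
const ALLOWED_PARAMS = { q: 200, l: 100, start: 5, limit: 3, radius: 4, sort: 10, co: 2 };

// Build the upstream URL from an untrusted client query object.
function buildUpstreamUrl(clientQuery) {
  const url = new URL(UPSTREAM);
  for (const [name, maxLen] of Object.entries(ALLOWED_PARAMS)) {
    const v = clientQuery[name];
    if (typeof v === "string" && v.length > 0 && v.length <= maxLen) {
      url.searchParams.set(name, v);
    }
  }
  // Fixed by the server: credentials, API version and response shape.
  // No `callback`: we ask for JSON, not JSONP, so nothing upstream is ever
  // evaluated as script in the browser.
  url.searchParams.set("publisher", PUBLISHER_ID);
  url.searchParams.set("v", "2");
  url.searchParams.set("format", "json");
  return url.toString();
}

// Handler for http.createServer(handleSearch); uses the global fetch of
// Node 18+. The upstream body is relayed as JSON with nosniff.
async function handleSearch(req, res) {
  if (req.method !== "GET") {
    res.writeHead(405, { Allow: "GET" });
    return res.end();
  }
  const incoming = new URL(req.url, "http://localhost");
  const upstream = await fetch(buildUpstreamUrl(Object.fromEntries(incoming.searchParams)));
  const body = await upstream.text();
  res.writeHead(upstream.ok ? 200 : 502, {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  });
  res.end(body);
}
```

Because the browser now talks to your own origin, no CORS headers are needed on this endpoint, and the X-Frame-Options: SAMEORIGIN header returned by the upstream never reaches the client.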
As far as I know, when a POST request is submitted, it sends headers and parameters to the web server and gets the response.
I saw a JavaScript POST request on a website that returns a response, but when I send that POST request from my website, it returns an error:
500 Internal Server Error
HEADERS
Connection: close
Content-Type: text/plain;charset=UTF-8
Date: Mon, 30 Nov 2015 15:03:52 GMT
Server: Apache/2.2.15 (CentOS)
Set-Cookie: JSESSIONID=47C9E12F87FC7345358782F6DA7C00E0; Path=/; HttpOnly
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
BODY
Internal Server Error!
Any help would be appreciated.
The FourSquare API documentation states that it supports CORS. However, calling the /users/ endpoints clearly states that only GET requests are supported:
curl -X OPTIONS -i "https://api.foursquare.com/v2/users/self/checkins?oauth_token=CLIENT_OAUTH_TOKEN"
HTTP/1.1 405 Method Not Allowed
Access-Control-Allow-Origin: *
Cache-Control: no-cache, private, no-store
Content-Type: application/json; charset=utf-8
Date: Wed, 13 Feb 2013 04:31:54 GMT
Expires: Wed, 13 Feb 2013 04:31:54 GMT
Pragma: no-cache
Server: nginx/1.2.1
Tracer-Time: 17
Content-Length: 104
Connection: keep-alive
{"meta":{"code":405,"errorType":"other","errorDetail":"This endpoint only supports GET."},"response":{}}
Is this just particular to these API endpoints or has something changed?
I haven't looked into all the methods in the FourSquare API, but my guess is that FourSquare doesn't need to support preflight requests because all their API requests are simple. The docs here suggest that the API only supports GET and POST. If those requests don't have any custom headers, they will never need a preflight request.
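The answer rests on the browser's "simple request" rule, so here is that rule written out as an added example (not FourSquare's code or the answerer's). needsPreflight() encodes the CORS-safelisted methods, headers and Content-Type values; isPreflight() shows what distinguishes a real preflight from the bare `curl -X OPTIONS` in the question, which carries neither Origin nor Access-Control-Request-Method and so reaches the endpoint as an ordinary OPTIONS call. The safelisted-header value-length limits of the Fetch spec are left out for brevity.

```javascript
// Added example, not from the original posts. Simplified: header value
// length limits for safelisted headers are not checked.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Would a browser send an OPTIONS preflight before this cross-origin request?
// `headers` is an object of request header name -> value set by the page's
// script (browser-added headers such as Origin do not count).
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true; // e.g. Authorization, X-Requested-With
    if (n === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase(); // parameters (charset) ignored
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true; // application/json triggers preflight
    }
  }
  return false; // a GET with the token in the query string, as in the question, is simple
}

// A preflight is an OPTIONS request that carries Origin and
// Access-Control-Request-Method (and optionally Access-Control-Request-Headers).
// `curl -X OPTIONS` with no extra headers is not one.
function isPreflight(method, headers) {
  const names = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return method.toUpperCase() === "OPTIONS" &&
    names.has("origin") &&
    names.has("access-control-request-method");
}
```

To reproduce a preflight from the command line, send the two headers the browser would: `curl -X OPTIONS -H "Origin: https://app.example" -H "Access-Control-Request-Method: GET" -i <url>`; only then does a 405 say anything about the server's CORS support.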
I'm working on a web client that reads a JSON file from a remote server using jQuery. And I'm having trouble getting it to work.
Code:
jQuery.getJSON('http://[remote-ip]/openbeacon/test.json', updateJsonCallback);
Error:
XMLHttpRequest cannot load http://[remote-ip]/openbeacon/test.json.
Origin http://[remote-ip] is not allowed by Access-Control-Allow-Origin.
I've read up on the whole Access-Control-Allow-Origin thing and thought I had found the solution: Add 'Header set Access-Control-Allow-Origin "*"' to the Apache config file (httpd.conf) and restart the service. Unfortunately this didn't work.
I checked the header: the options does show up now - but Chrome still won't let me have access. I even compared the header to that of a json file that does work remotely:
http://api.openbeacon.net/get/brucon.json < WORKS
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:43 GMT
Server: Apache
Last-Modified: Tue, 20 Nov 2012 15:01:43 GMT
ETag: W/"d073949-154d-4ceee830cdae1"
Accept-Ranges: bytes
Content-Length: 5453
Access-Control-Allow-Origin: *
Connection: close
Content-Type: application/json; charset=utf-8
http://[remote-ip]/openbeacon/test.json < DOES NOT WORK
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2012 15:01:41 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_perl/2.0.4 Perl/v5.10.1
Last-Modified: Tue, 20 Nov 2012 15:01:41 GMT
ETag: W/"2b8ab16-1e7-4ceee82edbf40"
Accept-Ranges: bytes
Content-Length: 487
Acces-Control-Allow-Origin: *
Connection: close
Content-Type: application/json
Help?
Okay, this was pretty stupid. As @Rocket already pointed out, I mistyped Access. Sigh.
Acces-Control-Allow-Origin: *
Should be
Access-Control-Allow-Origin: *
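A typo like that is easy to miss by eye and easy to catch by machine. As an added example (not code from the question or the answer), here is a small linter for the CORS headers of a raw HTTP response: it flags header names that are within two edits of a real Access-Control-* header, and also the other mistakes that make a browser reject a response (no ACAO, several ACAO values, `*` combined with credentials, an ACAO that does not match the request Origin, or a per-origin ACAO without Vary: Origin). The two sample responses are constructed copies of the header blocks pasted above, with the placeholder `[remote-ip]` replaced by an assumed documentation address.

```javascript
// Added example, not from the original posts. Sample responses are
// constructed from the question's header blocks; 203.0.113.10 is a made-up address.

const CORS_HEADERS = [
  "access-control-allow-origin",
  "access-control-allow-credentials",
  "access-control-allow-methods",
  "access-control-allow-headers",
  "access-control-expose-headers",
  "access-control-max-age",
];

// Parse "Name: value" lines of a raw response; the status line is skipped.
// Repeated names (two Vary: lines, say) are all kept, in order.
function parseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    const m = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$/.exec(line);
    if (m) headers.push({ name: m[1].toLowerCase(), value: m[2].trim() });
  }
  return headers;
}

// Levenshtein distance (single-row DP), used to spot near-misses of header names.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return a list of findings for the response as seen by a page on `requestOrigin`.
function lintCorsResponse(raw, requestOrigin) {
  const headers = parseHeaders(raw);
  const get = (n) => headers.filter((h) => h.name === n).map((h) => h.value);
  const findings = [];

  for (const h of headers) {
    if (CORS_HEADERS.includes(h.name)) continue;
    const near = CORS_HEADERS.find((k) => editDistance(h.name, k) <= 2);
    if (near) findings.push(`misspelled header "${h.name}" (did you mean ${near}?)`);
  }

  const acao = get("access-control-allow-origin");
  const creds = get("access-control-allow-credentials");
  if (acao.length === 0) {
    findings.push("no Access-Control-Allow-Origin: browser blocks the response");
  } else if (acao.length > 1) {
    findings.push("multiple Access-Control-Allow-Origin headers: browser rejects the response");
  } else {
    const v = acao[0];
    if (v === "*" && creds.includes("true")) findings.push("wildcard origin with credentials is rejected by browsers");
    if (v !== "*" && v !== requestOrigin) findings.push(`Access-Control-Allow-Origin ${v} does not match request Origin ${requestOrigin}`);
    const variesOnOrigin = get("vary").some((x) => x.toLowerCase().split(/\s*,\s*/).includes("origin"));
    if (v !== "*" && !variesOnOrigin) findings.push("per-origin ACAO without Vary: Origin can be cached and served to the wrong origin");
  }
  return findings;
}

// Constructed copies of the two responses in the question.
const WORKING_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache",
  "Content-Length: 5453",
  "Access-Control-Allow-Origin: *",
  "Content-Type: application/json; charset=utf-8",
].join("\r\n");

const BROKEN_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache/2.2.14 (Unix)",
  "Content-Length: 487",
  "Acces-Control-Allow-Origin: *",
  "Content-Type: application/json",
].join("\r\n");
```

Paste the header block from `curl -i` (or the browser's network tab) into lintCorsResponse() with the page's origin; an empty result means the CORS headers themselves are not what Chrome is complaining about.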