Need recommendation on my solution
I am having a multi-tenant product in the SaaS architecture means the same API is common for all the clients. so we hosted in the common domain (xyz.com).
but we having N number of frontend client ( ex: abc.com, fb.com, test.com).
we need to store a user's logged info in the token via a cookie. what is the best way to achieve this?
Problem is:
Getting invalid domain attribute with regards to the current host URL while setting cookies in the browser. chrome's F12 window network response screenshot
my website is running in abc.com now and API is hosted at xyz.com.
Trying to set a cookie with the domain as abc.com in Ajax call from abc.com to xyz.com, but getting above warring in the browser and cookie is not set.
But if I set the cookie domain as xyz.com, then the cookie is setting in abc.com.
My Conclusion:
Brower will accept the cookie only from the API's domain( UI - there is a way to skip - samesite). So I can make my cookie as an HTTP only and secure cookie.
xsrf-token -> will be in http only secure cookie
x-xsrf-token -> will be in local storage
so that it will be safe from XSS and CSRF(Edited)
Related
In my application authentication done by a third party service, that service generate a token cookie and save it on client side.
Problem: When user accessing the application, during accessing some user clear the site specific cookies in chrome browser and sometimes cookie session expired but there is no way to identify this in application. please suggest me how can I identify this that cookie is removed or expired.
Tried approach: I tried to get cookie by document.cookie but it's not returning that authentication cookie.
Your token cookie is httpOnly due to security reasons, because this kind of cookies are hidden to the code to prevent any third party lib to steal sessions in your application.
So you should not check if the cookie exists or not as a regular one, instead your identity service should provide you an endpoint where you could do a call (that will contain your httpOnly token cookie), and which will responde accordingly depending on the state of your token/session.
I have a web application that serves only static contents - HTML, CSS and JavaScript. I have another application which is an ASP.NET Web API. Both applications are on same machine on different ports (for testing purpose and they could be on different machine or domain in production environment). When I browse the web application, it gets both cookie as well as form token of Anti CSRF on first ajax call from Web API. So I am setting the body token as header with setRequestHeader function of XMLHttpRequest. It doesn't seem there is any need to set the cookie token since cookies are restricted with HttpOnly Attribute for a security reason and as far as I know browser is responsible to send the cookie to whichever domain the cookie belongs to.
However, when I make consecutive ajax calls, instead of both these tokens being passed back to server, only the header token is being received by the server.
Currently the Web API is set with CORS restriction for the web application. But if the problem was related to cross origin then I guess, headers could not have been passed as well, correct me if I am mistaken.
So can anyone help me with this problem? I just want to be able to send cookies from one application to another without compromising in terms of security.
Take a look Cookies With My CORS and Set-Cookie in HTTP header is ignored with AngularJS
I'm developing a page/form for a campaign inside my company. However, the first step is to check if the person is logged in. This is easily checked against a cookie - CUSTOMER - that is set once they're logged in.
However:
1) I'm developing locally, not on the same domain, and, as a result can't see that cookie
2) The final campaign may or may not end up residing on the actual domain. They may end up using a vanity URL or something.
For purposes of this, let's assume I do NOT have access to the main domain where the cookie was set.
How can I read that cookie from off the domain? Oh, and since IT folks don't let us touch the back-end grumble, it has to be a JS solution.
Thanks!
You can't.
The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script> is embedded.
By setting withCredentials you can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes to far as to explicitly ban getAllResponseHeaders from reading cookie related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header).
You can if you can install server side components.
You can use a dedicated domain to host your cookie and then share it using XSS technics
When dom1.foo.com logs in then you register a cookie on cookie.foo.com using an Ajax XSS call then when you go on dom2.foo.com you have to query cookie.foo.com with your XSS api
I' ve played with it some time ago
https://github.com/quazardous/mudoco/blob/master/mudoco/README.txt
It's just some sort of POC..
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
If I have a SITEA writing a cookie to my browser, can SITEB write code to access the cookie or are cookies hidden from websites that didn't create them ?
My answer to that was that YES, SITEB can read the document.cookie and if he knows what's the cookie name, it can access it. Was I right ?
Regarding the second questions, I don't think there are Server Side cookies other than SESSIONS. Am I right?
Cookies are usable by both the server and the client. Cookies can only be read by the website the domain that creates them; you can use sub-domains domains, url paths. Cookies are generally considered insecure if used from the client side, and should not be used to hold sensitive data if accessed from the client side. The server can encrypt information and store it in the cookie as long as the encryption is done on safe manner on the server. Using cookies are a good way of avoiding the use of a session server, and if you do not save sensitive data they are a good way to store state in a web application. Although they can be more challenging than other session mechanisms, the do work on both the client and the server.
Advertising products like double click use cookies to track a monitor user activity, which is how ads follow you from site to site.
Third-party and first-party cookies
Cookies are categorized as third-party or first-party depending on whether they are associated with the domain of the site a user visits. Note that this doesn’t change the name or content of the actual cookie. The difference between a third-party cookie and a first-party cookie is only a matter of which domain a browser is pointed toward. The exact same kind of cookie might be sent in either scenario.
https://support.google.com/adsense/answer/2839090
Cookies are accessible on the basis of domain. This is the basic inherent feature of any browser otherwise it would have been very easy for companies to snoop on each other's users.
If Site A has domain .xyz.com then any website having the same domain can access the cookies. But if any site has domain xyz.com (dot missing) it cant access any other domain's cookies.
Also the http request send to server will contain cookies of the domain from which it is sent.