I am using the js.cookie CDN to get a cookie. In my browser there is a cookie named sessionid (set by the Django backend itself) with some value, but
Cookies.get('sessionid') is giving undefined
// CDN: <script src="https://cdn.jsdelivr.net/npm/js-cookie@rc/dist/js.cookie.min.js"></script>
You cannot get the value of that cookie (sessionid) because it has HttpOnly set to true. That means the cookie is only received and sent over HTTP, but is not accessible by JavaScript. That is for security reasons, to prevent session stealing.
If you really need this, maybe you can change the HttpOnly setting on the server side - somewhere in Django - or write it on the page and then access it with jQuery. But that would compromise security.
In Django you can get the session_id by using request.session.session_key. You are new to SO; check the older questions, it is easier.
In Django, how can I find out the request.session sessionid and use it as a variable?
Since we are sending it on the client side, in Django we can also set a key in settings.py:
SESSION_COOKIE_HTTPONLY = False
I am a beginner and I am learning react js. In my project, I am using firebase. I have created a sign-in button but can't sign in with google.
I am getting this error:
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute
How can I solve this problem?
Set the header line in your server page (if in PHP) as below:
header("Set-Cookie: cross-site-cookie=whatever; SameSite=None; Secure");
Credits : https://pretagteam.com/question/indicate-whether-to-send-a-cookie-in-a-crosssite-request-by-specifying-its-samesite-attribute
I can't access any cookie from JavaScript. I need to read some values and send them via JSON for my custom checks.
I've tried to access cookies from JS, like it was described at:
http://www.w3schools.com/js/js_cookies.asp
Get cookie by name
As you can see in the code, it is as clear as crystal:
var c_value = document.cookie;
When I'm trying to access the document.cookie value from Chrome's web debugger, I see only an empty string in the Watch expressions:
So I can't read the cookie value, which I need.
I've checked that the cookie name, which I'm sending to get an associated value, IS correct.
Also, I'm using the W3Schools source code for getting cookies, if you're interested (but from the 2nd link, the technique is similar).
How can I fix my issue?
You are most likely dealing with HttpOnly cookies. HttpOnly is a flag you can set on cookies meaning they cannot be accessed by JavaScript. This is to prevent malicious scripts from stealing cookies with sensitive data or even entire sessions.
So you either have to disable the HttpOnly flag or you need to find another way to get the data to your JavaScript.
By looking at your code it should be easy to disable the HttpOnly flag:
// Without an HttpOnly attribute the cookie is readable from document.cookie
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
Now you should be able to access the cookie information from JavaScript. However, I don't know exactly what kind of data you are trying to get, so maybe you can go for another approach instead and, for example, render a data attribute on the page with the information you need instead of trying to read the cookie:
<div id="example" data-info="whatever data you are trying to retrieve"></div>
console.log(document.getElementById('example').getAttribute('data-info'));
Keep an eye also on the cookie's Path attribute, as the cookie is only visible to subdirectories under Path. I had your issue and I solved it by setting Path to "/".
I would say HttpOnly is your first culprit, but this can also occur by not setting the scope of your cookie.
If the site has been redirected from another domain, you will need to look into setting the scope of the cookie. Domain and Path define the scope of the cookie, i.e. which URLs the cookie should be sent to. Depending on this, you might not see the cookie in your response.
I ran across this issue when setting a cookie on a successful SAML SSO login and couldn't retrieve the cookie from the Document because it was never sent as part of the request.
I had the same problem several times, and every time it was for a different reason.
Different reasons:
Problem with the httpOnly field: it was set to false and I was trying to access it from the console. Setting it to true or accessing it from the source code did the trick.
Problem with the Secure field: it was true and I was using only HTTP.
Problem with Expires / Max-Age: the cookie was outdated and was not visible in document.cookie.
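The HttpOnly, Secure, Path, Domain and expiry pitfalls raised in the answers above can be checked offline. The following is an added example, not code from any answer on this page: it parses constructed Set-Cookie headers and reports why a given cookie would not show up in document.cookie for a given page (the page context and header values are made up for the demo).

```javascript
// Added example: a minimal Set-Cookie parser plus a visibility check that
// mirrors the rules browsers apply before exposing a cookie to script.
// parseSetCookie(header, now) -> { name, value, httpOnly, secure, path, domain, expires }
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
    httpOnly: false, secure: false, path: '/', domain: null, expires: null,
  };
  for (const part of attrParts) {
    const [k, ...v] = part.trim().split('=');
    const key = k.toLowerCase(), val = v.join('=');
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    // Max-Age wins over Expires when both are present (RFC 6265)
    else if (key === 'max-age') cookie.expires = now + Number(val) * 1000;
    else if (key === 'expires' && cookie.expires === null) cookie.expires = Date.parse(val);
  }
  return cookie;
}

// Returns null when document.cookie on `page` would contain the cookie,
// otherwise a short reason. page = { scheme, host, path, now } (constructed).
function whyHidden(cookie, page) {
  if (cookie.httpOnly) return 'HttpOnly: never exposed to script';
  if (cookie.secure && page.scheme !== 'https') return 'Secure cookie on a non-https page';
  if (cookie.expires !== null && cookie.expires <= page.now) return 'expired (Expires/Max-Age)';
  if (cookie.domain && page.host !== cookie.domain && !page.host.endsWith('.' + cookie.domain))
    return 'Domain=' + cookie.domain + ' does not cover ' + page.host;
  // Path matches when equal, or when the cookie path is a directory prefix of the page path
  const dir = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  if (page.path !== cookie.path && !page.path.startsWith(dir))
    return 'Path=' + cookie.path + ' does not cover ' + page.path;
  return null;
}

// Demo on a constructed page similar to the Laravel question below
const demoPage = { scheme: 'http', host: 'localhost', path: '/myaccount', now: 1000 };
for (const h of ['XSRF-TOKEN=t; Path=/', 'user_id=7; HttpOnly; Path=/', 'pref=1; Path=/admin']) {
  const c = parseSetCookie(h, demoPage.now);
  console.log(c.name, '->', whyHidden(c, demoPage) || 'visible in document.cookie');
}
```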
If your cookie is set as Set-Cookie or Set-Cookie2 it's not part of the response headers collection: http://www.w3.org/TR/XMLHttpRequest/#the-getallresponseheaders%28%29-method
Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.
If you are using some secure authentication, then in that case you cannot access cookies directly because of Secure. You have to change some response attributes on the server side using the code below.
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
But you should not, because it may change secure to insecure, so you have to find a solution that can be done on the server side to delete cookies and allow you to do some operations.
It's possible to make changes on the server side.
JavaScript is not reading cookies set by Laravel on the same domain and is returning undefined.
It's only reading the XSRF-TOKEN but not any other cookies, whether encrypted or unencrypted.
The URL is: http://localhost:8000/myaccount
and here is the cookie screenshot
I'm using the JS Cookie library. It's not reading them using either document.cookie or Cookies.get('user_id'); only the XSRF-TOKEN is read.
The cookie user-id has the http-only flag set to true.
It is therefore not accessible by JavaScript.
Try and set the http-only flag to false.
Edit: check this other SO answer, it might get you started.
The cookie is HttpOnly, therefore it cannot be read by JavaScript. You have to set the cookie with $httpOnly = false.
See the last parameter of the CookieJar::make method, which is mirrored in the facade Cookie::make method.
Is it possible to make a request from a browser, preferably using the built-in XMLHttpRequest API, "WITHOUT" sending any cookies in the request headers?
As far as I understand, setting the "allowCredentials" property to false will only disable cookies for CORS requests, whereas I want to make a request to the same server while not sending a "Cookie" header.
I know this sounds a bit strange, but because of current project constraints I do not have the ability to alter the server to change the "path" in the "Set-Cookie" response header.
I'm not sure if there is a way to exclude cookies for a single request.
If you know the names of the cookies and they will not be needed by other requests later, you can delete their values like this:
document.cookie="COOKIENAME=";
The cookie names will still be there though.
If you need the values later, you can save the cookies to a variable:
var cookie = document.cookie;
// Delete the cookie values like above.
// Make a request without cookie values.
document.cookie=cookie;
But if you need to make requests with and without cookie values at the same time, this will obviously not work. And if the cookies have the HTTPOnly attribute, you will not be able to read them or change their values.
For testing I downloaded images from the net and uploaded them using Valum file upload in Chrome... Chrome is not sending the session cookie along with these request headers (I don't see it on the server side, though I see it in the developer tool). Does Chrome know that these images are from a different domain? What is happening? Is there a workaround for this to pass the session id (as a cookie)? It is also happening in IE10, which makes me believe it is some standard and not just a Chrome issue. This problem is not there with Firefox/Safari/Opera.
It is fine when uploading to localhost; only when uploading to a different server with a domain name is there this problem, leading to a new session being created for it.
Update:
I have added xhr.withCredentials = true, still no use.
Also added on the server side for the upload URL...
res.setHeader 'Access-Control-Allow-Origin', '*'
res.setHeader 'Access-Control-Allow-Credentials', true
I don't know how helpful this would be, because I would have already sent the upload file and the response header will not be of much help.
Basically the problem is I don't have access to the session variable on the server side, since the session id/sid cookie is not coming back, so I am not able to save some of these upload details into the current session (because this is a new session).
Update:
I tried creating an image on the desktop using Paint... even then Chrome would not send the cookies. Really drives me crazy...
First of all, to get the basics out of the way, this is unrelated to the origin of the image. Chrome or other browsers don't care where you get your images.
It's rather difficult to guess exactly what's going on; it would have helped to see a jsfiddle or some more setup explanation, but based on what I'm guessing, you might be using different domains for the page where the upload button is hosted and the target URL where you're sending your files (even using SSL for one and HTTP for the other makes it different). Even different subdomains will not allow cookies to be passed if the cookies were not set with a base domain (yourdomain.com).
So, if sub-domains are the problem, you know what to do - set a base domain so you get your cookies to go on any sub domain.
If it's http vs. https you need to always use https (or http) because you can't switch cookies between those two.
If that's not it, or if you're using completely different domains, you can access your cookies locally via script (if they're not marked as HttpOnly) and add them to the upload request. Valum 2.0 (don't know about v1.0) lets you add parameters to the request like so:
var uploader = new qq.FileUploader({
    element: document.getElementById('file-uploader'),
    action: '/server-side.upload',
    // additional data to send, name-value pairs
    params: {
        param1: 'value1',
        param2: 'value2'
    }
});
You can't set cookies on a domain which is not the page's domain via script so for using completely different domains your only choice is using request params.
It is possible that the uploader is using Flash under some circumstances to do the upload. There is a bug in Flash which prevents cookies being sent for these types of requests. This would explain the behaviour you are seeing. The workaround is to pass in the sessionId and transmit it in a different way, e.g. the query string.