Will http_only cookies be sent with AJAX? - javascript

I found this link
But at the bottom it says This information is likely no longer up to date.
So my question is, will http_only cookies be sent with AJAX? Can the response via AJAX set http_only cookies?
Edit 1: Let's say an user logged in to the system. His session started and http_only cookie is set. He tries to fetch list of his friends via AJAX and sends JSON. When making the AJAX request, do I need to make anything special to say to send cookies or not? Will each request send the cookies to the server by default? Will the response send back cookies (let's say I am updating users' time for last activity)?

Yes, they will.
The HttpOnly makes cookies not appear in document.cookie and XMLHTTPRequest.getAllResponseHeaders. It doesn't prevent them from being sent with HTTP requests, with the exception of cross-domain HTTP requests (which it doesn't sound like you're using here).

Related

Can this be a strategy to defend csrf? (double submit cookie)

used framework: nuxt.js + spring boot(api)
Invoke once api to generate random values and set httpOnly cookie(e.g. key=csrfToken) when the page is first accessed.
The api response is also stored in vuex.
(the response also has token body. with Set-Cookie header.)
When request using axios, If there is the "csrfToken" cookie, add custom header(e.g. key=CSRF_TOKEN_HEADER) to the request.
In the server, if csrfToken cookies are delivered, look up the custom header values to compare them to see if they are the same.
I know that $store is not secure in itself. However, I think CSRF is defensible because $store is not accessible from outside sites.
Please let me know if there is anything wrong with me.
When request using axios, If there is the "csrfToken" cookie, add custom header(e.g. key=CSRF_TOKEN_HEADER) to the request.
Since the cookie is httpOnly, you wouldn't be able to tell if there was or not.
A CSRF attack works by tricking the user into making a request that they didn't intend to make.
The traditional way to do this is to have a form on an attacking website which has the action sent to the website being attacked. When that form is submitted, the request comes from the user's browser and has all the user's cookies for the target website included.
The defence against this is to require that the request includes information that the attacking site cannot know. The CSRF token.
Since the attacking site can't read that token from the user's cookies or the site's session store (depending on where it was stored) or from anywhere else, they can't include it in the form data.
But you aren't using a regular form submission. You are using JavaScript to make the request.
This comes with a built-in defence: The Same Origin Policy and Preflight Requests.
All you need do is force the request to be preflighted (e.g. by setting the Content-Type request header to application/json and including a JSON payload in the body).
This will force a request from the attacking site to make a preflight request. Your server won't have the attacker whitelisted. The browser will therefore never make the attacking request.
If the attacker tries to make a non-preflighted request, it won't have the JSON payload, so your server can reject it as malformed.

Javascript: How can I force a POST request to treat the user as not authenticated

I'm using Javascript and XmlHttpRequest to POST to another URL on the same site. Users must be authenticated to access the page where the Javascript runs, but I need to submit the POST to the second URL as a non-authenticated user (to prevent the server from running code which is always run for authenticated users). Is there any way to submit the POST so that it appears to come from a non-authenticated user (so the server doesn't pull the user's authentication information from their session and treat them as authenticated for the POST)?
For example, is there a way to open a new session just for the POST, or to change the session ID just for the POST?
Note:
I tried to explicitly perform authorization using credentials for a non-existent user, but that didn't make any difference.
If this can be done using ajax instead of XmlHttpRequest, that's an acceptable solution.
Unfortunately this can not be achieved only in JavaScript, so you will have to make some changes on your server. You have two options:
Either you mark your session cookie as HttpOnly, so it won't be sent together with your request. But this will mean, that all your requests are sent as unauthenticated user.
Second option is use of a subdomain for this endpoint. Cookies are sent with XmlHttpRequests only on the same domain to prevent cross-site scripting. So if you move the server endpoint from www.example.com/myresource to api.example.com/myresource, the cookie will not be sent.

GAE sessions disappearing after POST request from JavaScript

I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, the GAE uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from thes ession - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that as it was a cross-domain Ajax request the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least) the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.

Pass cookie back to the server

I am writing a single-page application with CanJS. For one of models, every time I save a new item, the application sends the normal POST request. However, there is a specific cookie that is returned in the HTTP response that I would like to send back to the server on GET requests when fetching an item.
All cookies specific to an application are passed automatically to server in request header. Make sure that the cookie which you want to send is of the same application.
This you can check by looking into the cookies of your browser. Make sure that the cookie which you want to send has Domain as your application name. Like all stackoverflow cookie will have domain value as .stackoverflow.com
You can refer to this tutorial which talks about creation and setting of cookie in JavaScript : http://www.w3schools.com/js/js_cookies.asp

Javascript: Ajax $.post Cookie File Issue

I'm logging into a website using PHP cURL -- it generates a cookie file once logged in succesfully.
$cookieFile = tempnam("/tmp", "curl-cookie"); // Cookie file to login.
The php script is being executed by an ajax $.get request to the php file.
Now since I'm logged in, i want to navigate (not really 'navigate', just directly make a $.post request) to another page, but i wanna do this in Javascript/Ajax; however the only way to stay authenticated for the page to load successfully is for the cookies to be read. I'm trying to figure out how i can set all the cookies in the cookie file into the header of the $.post request so i get the appropriate response and not a "you need to login" response.
I'm sure it seems a bit odd. But that's what I'm trying to do. Any ideas?
Also keep in mind, i'm trying to send cookies to another domain, not my own. Not sure if that is an issue...
If you are doing the authentication server side, gathering a cookie, that you would like to replay for further access, those access need to be done also server side.
From the client point of view, cookies are strored in the browser. For obvious security reasons, a webpage cannot modify the cookie storage of a client, hence you cannot "add" the cookie copied from your server, to any client, that you would like to be authentified.
The target website should expose a cross site js API, like Facebook, gmail or other such API, in order to identify your clients against it.

Categories

Resources