Hey guys, I am using PhantomJS (1.10.0) and Node-phantom-simple (https://github.com/baudehlo/node-phantom-simple) in order to control phantom through a node script. There seems to be an issue when trying to add/set cookies in phantom for a domain other than the one phantom is currently on. It seems that phantom-simple ignores the cross-domain cookies and doesn't add them. Has anyone else experienced this problem / have any ideas of how to fix it?
Cookie To Add
"test_cookie=CheckForPermission; path=/; domain=.doubleclick.net;"
What I Have Tried:
I first tried using phantom's add and set cookie methods to add the cross-domain cookie, but phantom did not add the cookie. I then tried using the injectJs method to inject a JavaScript file with the below contents:
document.cookie = "test_cookie=CheckForPermission; path=/; domain=.doubleclick.net;";
but phantom still did not add the cookie to its cookie jar. However, if I remove the domain part of the above statement, the cookie is added with domain equal to phantom's current domain. How can I fix this and have the domain be set to ".doubleclick.net"?
Related
When I visit a sub-domain website, e.g. https://sub2.example.com, from a browser console I can set a cookie for the parent domain:
document.cookie = "nameCookie=HelloWorld; domain=.example.com;"
As per the cookie RFC this works, and this cookie should be available to all sub-domains, e.g.:
https://example.com
https://sub2.example.com
https://xxx.example.com
But my problem is that this concept is not working on some websites, for example:
Go to https://square.github.io/
open browser console
document.cookie = "nameCookie=HelloWorld; domain=.github.io;"
console.log(document.cookie)
and check that nameCookie is not available.
Why is it not working here? Is there any HTTP header/rule set up on those websites?
Because github.io is on the list of effective top-level domains (eTLDs) (raw list here), each github.io subdomain is treated like a subdomain of a top-level domain (that is, _______.github.io is treated just like _______.com or _______.co.uk).
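The rule in that answer is RFC 6265 section 5.3 steps 4-6 plus the public-suffix check, and the same rule explains the earlier PhantomJS question (a page on one site cannot set a cookie for .doubleclick.net) and the www/static-cookieless question further down (a cookie set without a Domain attribute is host-only). The following Python is an added example written for this page, not code from any of the posts or from a browser; the public-suffix set is a small constructed subset of the Public Suffix List and a real user agent loads the whole list.

```python
"""Does a browser accept a cookie's Domain attribute, and where is it sent?

Added example for this answer, not code from any of the posts above. The
public-suffix entries are a small constructed subset of the Public Suffix
List (https://publicsuffix.org/); a real user agent loads the whole list.
"""

# Constructed subset of the Public Suffix List: registrable names are
# allocated directly below a public suffix, so a cookie scoped to one would
# be shared between unrelated sites and is rejected.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "github.io"}


def is_public_suffix(domain: str) -> bool:
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names (IPs not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def store_cookie(request_host: str, domain_attr):
    """Apply RFC 6265 section 5.3 steps 4-6 to a Domain attribute.

    Returns (accepted, effective_domain, host_only). No Domain attribute
    gives a host-only cookie; a Domain that is a public suffix is rejected
    unless it is exactly the request host; a Domain that the request host
    does not domain-match is rejected.
    """
    host = request_host.lower()
    if not domain_attr:
        return True, host, True
    domain = domain_attr.lower().lstrip(".")  # a leading dot is ignored (5.2.3)
    if is_public_suffix(domain):
        if domain == host:
            return True, host, True
        return False, None, False
    if not domain_matches(host, domain):
        return False, None, False
    return True, domain, False


def sent_to(effective_domain: str, host_only: bool, target_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: host-only cookies need an exact host match."""
    target = target_host.lower()
    if host_only:
        return target == effective_domain
    return domain_matches(target, effective_domain)


def where_is_it_sent(request_host, domain_attr, targets):
    """Store a cookie set from request_host; list the targets that receive it.

    Returns None when the browser would reject the cookie outright.
    """
    accepted, domain, host_only = store_cookie(request_host, domain_attr)
    if not accepted:
        return None
    return [t for t in targets if sent_to(domain, host_only, t)]


if __name__ == "__main__":
    # The situations raised on this page, with constructed host names.
    print(where_is_it_sent("sub2.example.com", ".example.com",
                           ["example.com", "xxx.example.com", "other.net"]))
    print(where_is_it_sent("square.github.io", ".github.io", ["square.github.io"]))
    print(where_is_it_sent("example.org", ".doubleclick.net", ["ad.doubleclick.net"]))
    print(where_is_it_sent("www.mysite.com", None,
                           ["www.mysite.com", "static-cookieless.mysite.com"]))
    print(where_is_it_sent("www.mysite.com", "mysite.com",
                           ["www.mysite.com", "static-cookieless.mysite.com"]))
```

The last two calls show the host-only distinction: omitting Domain keeps the cookie on www.mysite.com alone, while Domain=mysite.com sends it to every subdomain, static-cookieless included.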
I have a problem with Set-Cookie not working in Chrome (I didn't check other browsers). It worked in the past but it stopped working recently. I have two websites with two domain names, and I need to set the cookie in both websites. I'm calling a URL in each of the domain names to set the cookie. But it doesn't set the cookie on the other website (the website I'm not browsing now).
The users log in, log out or sign up to one website, and I want them to log in or log out from the other website too, automatically. Currently if they log in or log out of one website, it doesn't affect the other website.
The Django view code is:
from importlib import import_module
from urllib.parse import urlparse

from django.conf import settings as django_settings
from django.contrib.sites.models import Site
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt


@csrf_exempt
def set_session(request):
    """
    Cross-domain authentication.
    """
    response = HttpResponse('')
    origin = request.META.get('HTTP_ORIGIN')
    if isinstance(origin, bytes):
        origin = origin.decode()
    # urlparse(None) yields bytes fields, hence the second bytes check.
    netloc = urlparse(origin).netloc
    if isinstance(netloc, bytes):
        netloc = netloc.decode()
    # Only accept requests whose Origin is a subdomain of one of our sites.
    valid_origin = any(netloc.endswith('.' + site.domain) for site in Site.objects.all().order_by("pk"))
    if (not (valid_origin)):
        return response
    if (request.method == 'POST'):
        session_key = request.POST.get('key')
        SessionStore = import_module(django_settings.SESSION_ENGINE).SessionStore
        if ((session_key) and (SessionStore().exists(session_key))):
            # Set session cookie
            request.session = SessionStore(session_key)
            request.session.modified = True
        else:
            # Delete session cookie
            request.session.flush()
    # Echo the validated origin so the credentialed cross-origin request is allowed.
    response['Access-Control-Allow-Origin'] = origin
    response['Access-Control-Allow-Credentials'] = 'true'
    return response
And the JavaScript code is:
window.speedy = {};
window.speedy.setSession = function (domain, key) {
    $.ajax({
        url: '//' + domain + '/set-session/',
        method: 'post',
        data: {
            key: key
        },
        xhrFields: {
            withCredentials: true   // send and accept cookies cross-origin
        }
    });
};
Then there is a JavaScript code that calls this function twice:
speedy.setSession('speedy.net', 'session_key');
speedy.setSession('speedymatch.com', 'session_key');
Where 'session_key' is replaced by the session key of the user.
Is there any solution to this problem? I think this is due to recent changes in Chrome.
Update: We have a staging server where both the websites domains are subdomains of the same registered domain name. And there, Set-Cookie works fine. But in the production websites, I think the other site's cookies are blocked by Chrome because the other site's domain is different from the domain the user is currently browsing.
I checked and the cookies from the other website also don't work with Firefox and Dolphin. It might be related to the upgrade to Django 2.1 which we upgraded recently.
The same-origin policy for cookies is being triggered here; from a domain you can set cookies for:
its own domain
a parent domain (unless the parent domain is a (g)TLD)
So as the two domains in question do not share a parent-child relationship, and the only common parent of them could be the TLD (assuming the same TLD), you can't do this.
From MDN doc:
Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the Public Suffix List to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used. When you set a cookie, you can limit its availability using the Domain, Path, Secure and Http-Only flags. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection.
Thanks to @aaron I found out the problem. This problem started only recently, after I upgraded Django to 2.1. Django 2.1 introduced the SESSION_COOKIE_SAMESITE setting, which must be set to None for our websites to work properly with session cookies. On the other hand, CSRF_COOKIE_SAMESITE for our websites can be set to 'Strict', since we use separate CSRF cookies for each website. Therefore, I added the following lines to our base settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
From those lines, only SESSION_COOKIE_SAMESITE = None is necessary to fix the problem I mentioned in this question. I relied on the default setting of Django 2.1 to the value of SESSION_COOKIE_SAMESITE, which was not working for us in this case.
Currently the login and logout works in Chrome on my desktop and in one mobile phone. But I checked another mobile phone I have, and there it doesn't work - the problem persists as it was before. I'm not sure if this is due to a personal settings in this mobile phone or in the Chrome app? But login and logout to both websites simultaneously doesn't work there. If I login to one website, I'm still logged out from the other website, and vice versa.
Currently the login and logout works in Chrome. The problem was cookies settings - check your settings at chrome://settings/cookies (desktop) or settings > site settings > cookies (mobile).
(August 2020) Update: It is now required to use the following settings for Chrome. Please see this question and answer.
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'None'
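The three settings in this thread produce three different Set-Cookie headers, and which one works depends on how the browser treats a missing SameSite attribute. The following Python is an added example written for this page (not code from the poster or from Django): it parses a Set-Cookie header and decides whether the cookie is stored and whether it would be attached to the cross-site XMLHttpRequest above. The header strings are constructed to mirror the Django 2.1 default ('Lax'), Python None (attribute omitted) and the string 'None'.

```python
"""Will a browser store a Set-Cookie header, and will it attach the cookie
to a cross-site XMLHttpRequest/fetch made with credentials?

Added example for the SameSite discussion above, not code from the posts or
from Django. Header strings below are constructed.
"""


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value, Secure flag and SameSite value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower()
    return cookie


def evaluate(header: str, https: bool = True, lax_by_default: bool = True) -> dict:
    """Decide storage and cross-site behaviour for one Set-Cookie header.

    lax_by_default=True models Chrome from mid-2020 on: a missing or
    unrecognised SameSite is treated as Lax, and SameSite=None is accepted
    only together with Secure. lax_by_default=False models older browsers,
    where a missing SameSite means no restriction.
    """
    cookie = parse_set_cookie(header)
    samesite = cookie["samesite"]
    if samesite not in ("strict", "lax", "none"):
        samesite = "lax" if lax_by_default else "none"
    if cookie["secure"] and not https:
        # Modern browsers ignore a Secure cookie set over plain HTTP.
        return {"stored": False, "reason": "Secure cookie set over plain HTTP"}
    if lax_by_default and samesite == "none" and not cookie["secure"]:
        return {"stored": False, "reason": "SameSite=None requires Secure"}
    # Lax and Strict both withhold the cookie from cross-site XHR/fetch
    # requests; Lax only releases it on top-level navigations such as links.
    return {"stored": True, "effective_samesite": samesite,
            "sent_on_cross_site_xhr": samesite == "none"}


# Constructed headers matching the SESSION_COOKIE_SAMESITE values discussed.
DJANGO_21_DEFAULT = "sessionid=abc123; Secure; HttpOnly; SameSite=Lax"    # 'Lax'
ATTRIBUTE_OMITTED = "sessionid=abc123; Secure; HttpOnly"                  # None
EXPLICIT_NONE = "sessionid=abc123; Secure; HttpOnly; SameSite=None"       # 'None'
NONE_WITHOUT_SECURE = "sessionid=abc123; HttpOnly; SameSite=None"

if __name__ == "__main__":
    cases = [("'Lax' (2.1 default)", DJANGO_21_DEFAULT),
             ("None (omitted)", ATTRIBUTE_OMITTED),
             ("'None'", EXPLICIT_NONE),
             ("'None' without Secure", NONE_WITHOUT_SECURE)]
    for label, hdr in cases:
        old = evaluate(hdr, lax_by_default=False)
        new = evaluate(hdr, lax_by_default=True)
        print(f"{label:24} old browser: {old.get('sent_on_cross_site_xhr')!s:5} "
              f"Lax-by-default browser: {new.get('sent_on_cross_site_xhr')!s}")
```

Under a Lax-by-default browser only the explicit SameSite=None header (with Secure) lets the cross-site POST carry the session cookie, which is why the August 2020 update switched from None to 'None'.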
I have got a peculiar situation and have spent lots of time investigating, but could not succeed.
I have a domain like www.A, where on the home page I'm running JavaScript to access a PHP script from another subdomain, dev.A. This PHP script needs to set a cookie, and then I want to access the same cookie in another script which I'm accessing again under www.A.
Kindly help in achieving this.
Regards
Mohtashim
If you want to set the cookie in a domain and make sure it's available on every sub-domain, you should use the domain (without the www subdomain) in the setcookie function:
setcookie(
    'cookie_name',
    'cookie_value',
    0,                  // expiry time of the cookie (0 = expires when the browser closes)
    '',                 // path of the cookie (empty = the directory the script runs in)
    'yourdomain.com'    // domain: yourdomain.com and all of its subdomains
);
This will allow your subdomains (both www.A and dev.A) to access that cookie.
Read more here about all the parameters of the setcookie function.
Finally I got a solution, where I needed to fix my Ajax call to add the following:
crossDomain: true,
xhrFields: {
    withCredentials: true
},
But then it started giving me an issue related to Access-Control-Allow-Origin, because in my httpd.conf it was set to *, so I commented that out, but still it did not resolve the issue; then I added the following two lines in my PHP scripts which were setting and reading sessions:
header("Access-Control-Allow-Origin: https://www.example.com");
header("Access-Control-Allow-Credentials: true");
Finally, after spending the whole night, I'm now able to use my session in a sub-domain. Hope this will help someone.
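The two header lines in that answer are exactly the pair a browser demands for a request sent with withCredentials: the wildcard from httpd.conf is never accepted in credentialed mode, the allowed origin has to match the page's origin exactly, and the credentials flag has to be the literal string "true". The Python below is an added example written for this page, not the poster's PHP; it shows the server side (build the headers from an allow-list rather than echoing any Origin) next to the check the browser applies, with constructed host names.

```python
"""Credentialed CORS: what the server must send and what the browser checks.

Added example for the answer above, not the poster's code. Host names are
constructed. Server side: headers for an allow-listed Origin. Client side:
the browser's CORS check for a response to a credentialed request.
"""

ALLOWED_ORIGINS = {"https://www.example.com", "https://dev.example.com"}  # constructed


def cors_headers_for(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Headers a server adds for a credentialed cross-origin request.

    Returns {} for origins outside the allow-list, so no CORS headers are
    sent and the browser blocks the response. "Vary: Origin" stops a cache
    from serving one origin's response to a different origin.
    """
    if request_origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_accepts(response_headers, page_origin, with_credentials=True):
    """The CORS response check a browser performs before exposing a response."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if not with_credentials:
        return acao == "*" or acao == page_origin
    # Credentialed mode: the wildcard is refused, the origin must match
    # exactly, and the flag must be byte-for-byte "true" (Fetch "CORS check").
    if acao != page_origin:
        return False
    return headers.get("access-control-allow-credentials") == "true"


if __name__ == "__main__":
    page = "https://www.example.com"
    print(browser_accepts({"Access-Control-Allow-Origin": "*"}, page))             # the httpd.conf wildcard
    print(browser_accepts(cors_headers_for(page), page))                          # allow-listed origin
    print(browser_accepts(cors_headers_for("https://evil.example.net"), page))    # not allow-listed
```

Echoing the request's Origin unconditionally would pass the browser check too, but it turns every site on the internet into an allowed caller of the session-setting script; the allow-list is what makes the echo safe.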
For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths is variable and uses cookies as part of its variability; I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com setup in my hosts file) at the following locations I received the following results:
Visit http://test.test.com/one the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visit http://test.test.com/one/ the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visit http://test.test.com/one/two the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visit http://test.test.com/one/two/ the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visit http://test.test.com/one/two/three the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visit http://test.test.com/one/two/three/ the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which, due to my constraints, I cannot do).
If you are running into a similar issue, there are a couple of things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path at the root (path=/).
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path, you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that).
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine you could just move to another storage device instead of cookies. There's other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: This only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.
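What the server received in that answer is exactly what RFC 6265's path-match rule prescribes; the document.cookie results seen in Internet Explorer are the deviation. The Python below is an added example written for this page, not the poster's code: it implements the specification's default-path computation and path-match, and runs them over a cookie jar constructed from the three cookies in the answer.

```python
"""RFC 6265 cookie path handling: default-path and path-match.

Added example for the answer above, not the poster's code. The jar is
constructed from the three cookies in the answer; the output is what a
conforming browser sends for each URL, which is what the server saw.
"""


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: the Path a cookie gets when none is given."""
    if not request_path.startswith("/"):
        return "/"
    last_slash = request_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_path[:last_slash]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only matches at a "/" boundary, so Path=/one does not match /onex.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


# Constructed from the answer: (name, Path) for the three cookies.
JAR = [("one", "/one"), ("two", "/one/two"), ("three", "/one/two/three")]


def cookies_for(request_path: str, jar=JAR) -> list:
    """Names of the cookies a conforming browser sends for request_path.

    Section 5.4 orders cookies with longer paths first.
    """
    matched = [(name, path) for name, path in jar if path_matches(request_path, path)]
    matched.sort(key=lambda item: len(item[1]), reverse=True)
    return [name for name, _ in matched]


if __name__ == "__main__":
    for url_path in ["/one", "/one/", "/one/two", "/one/two/",
                     "/one/two/three", "/one/two/three/", "/onex"]:
        print(f"{url_path:18} -> {cookies_for(url_path)}")
    # A cookie set from /one/two without an explicit Path lands on /one,
    # which is one reason to always send Path explicitly.
    print("default path for /one/two:", default_path("/one/two"))
```

The trailing-slash redirect the poster mentions sidesteps the IE bug because, as the output shows, the spec result is the same with or without the slash; the only difference is which form IE's document.cookie gets right.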
I have www.mysite.com and static-cookieless.mysite.com. My www site seems to be setting cookies on mysite.com, thus my static site is no longer cookieless. How do I set cookies to only my www site?
I am using plain JavaScript (well, jquery.cookie, but I know how to edit that easily):
document.cookie = 'cookie_name=' + cookie_value + '; path=/; domain=mydomain.com';  // attributes are separated by semicolons
Maybe the link below will be useful:
http://javascript.about.com/library/blwcookie.htm