I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, the GAE uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from thes ession - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that as it was a cross-domain Ajax request the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least) the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.
Related
I'm using Javascript and XmlHttpRequest to POST to another URL on the same site. Users must be authenticated to access the page where the Javascript runs, but I need to submit the POST to the second URL as a non-authenticated user (to prevent the server from running code which is always run for authenticated users). Is there any way to submit the POST so that it appears to come from a non-authenticated user (so the server doesn't pull the user's authentication information from their session and treat them as authenticated for the POST)?
For example, is there a way to open a new session just for the POST, or to change the session ID just for the POST?
Note:
I tried to explicitly perform authorization using credentials for a non-existent user, but that didn't make any difference.
If this can be done using ajax instead of XmlHttpRequest, that's an acceptable solution.
Unfortunately this can not be achieved only in JavaScript, so you will have to make some changes on your server. You have two options:
Either you mark your session cookie as HttpOnly, so it won't be sent together with your request. But this will mean, that all your requests are sent as unauthenticated user.
Second option is use of a subdomain for this endpoint. Cookies are sent with XmlHttpRequests only on the same domain to prevent cross-site scripting. So if you move the server endpoint from www.example.com/myresource to api.example.com/myresource, the cookie will not be sent.
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
I am writing a single-page application with CanJS. For one of models, every time I save a new item, the application sends the normal POST request. However, there is a specific cookie that is returned in the HTTP response that I would like to send back to the server on GET requests when fetching an item.
All cookies specific to an application are passed automatically to server in request header. Make sure that the cookie which you want to send is of the same application.
This you can check by looking into the cookies of your browser. Make sure that the cookie which you want to send has Domain as your application name. Like all stackoverflow cookie will have domain value as .stackoverflow.com
You can refer to this tutorial which talks about creation and setting of cookie in JavaScript : http://www.w3schools.com/js/js_cookies.asp
I am trying to login to a web service using xmlHttpRequest.
The web service in question seems to authenticate using cookies. After analyzing communication with IE browser, I concluded that the sequence is basically the following:
(1) server sends a form requesting username and password.
(2) client sends a POST request containing username and password typed.
(3) server sends a redirect message (HTTP 302) to the same URL with a "Set-Cookie" header containing the session ID
(4) client re-sends the same URL containing the cookie received from the server in redirect message.
(5) server receives session ID and concludes authentication.
I tried to emulate the same sequence using xmlHttpRequest in JavaScript. However, I found a problem.
It seems that xmlHttpRequest does not redirects cookies. I other words, (4) is not happening and authentication is not completed.
To make the problem worse, xmlHttpRequest does not seem to detect redirect events (it this was possible, I could at least set Cookie header before re-sending request). The onreadystatechange() function is called only after all re-direction process is completed.
So, I don't have any solution in mind to resolve this problem and complete authentication.
Also, as it is related a "public" web service, I am not able to change anything in the server side.
Any idea?
As far as I know you can't use xmlHttpRequest to query a url of a server different to the server you are connected to. ¿Could you do it?
In explanation if the page with the javascript code is in yourdomain.com you can't use xmlHttpRequest to call a web service in example.com.
With the previous comments I understood better the situation.
Steps (4) and (5) are only to redirect you to the main page, the real autentication ends in (3), once you get the cookies (using getheaders for example) you are logged in.
Then for every new request you do with the correct cookies the website will see you as the logged in user.
Are you trying to automate a query to the site? Or just automate the login process?
I have a ColdFusion application that's behind an ISA Server. Part of the application is protected by Basic Authentication and part is not. ISA Server sets a cookie when the user logs in, but the cookie is only available for reading when I bypass ISA. So, the cookie cannot be read from the server where the application is running.
I'm trying to test whether the user's ISA session has timed out or not. I can't make any HTTP calls on the application server without affecting the session expiration time.
I thought I could read the cookie from the back-end server through a cross domain AJAX call. Unfortunately, on the back-end server the cookie is only available in a directory that is protected by Basic Authentication. Because of the Basic Authentication requirement, I can't use JSONP to check for the existence of the cookie. I also can't use a proxy script on the application server because that will change the expiration time of the cookie, which is what I'm trying to avoid.
I tried using an iFrame in my application to load a page on the back-end server, but I can't get it working with Basic Authentication. I always get the login pop-up box.
Any ideas how I can test for the existence of the cookie on the back-end server without triggering an update of the cookie expiration time on the application server?
It turns out I can access the cookie on the backend server in a directory that's not protected by Basic Authentication, so I just used JSONP and everything worked well.