Is it possible to explicitly make a cookieless request with javascript? I know you can't make a request "emulating" cookies (i.e. submitting data as a cookie value can't be done unless there is an actual cookie set with that value), but this seems to be more acceptable security-wise.
The choices I see are:
You can clear all the client-controlled cookies before making the ajax request (this won't clear server-side only cookies).
You can add an argument to your ajax requests that instructs the server to ignore any cookie values for that particular request.
You can set things up so that the ajax request goes to a server or path that doesn't have access to the cookies of interest so they won't be sent with that request.
If it is one specific cookie value and that value is client-controlled, then you could save that cookie value, clear it, send the ajax request, then restore the cookie value again. Actually, I guess you could do this with all cookie values, but it's simpler to do it with just a few.
As was mentioned in a comment to the question, this is not possible, you do not have any control over this aspect of the browser. The only way I can think to get this to work is to set the PATH of your cookies to a specific directory in your domain (e.g. host.domain.com/myApp), and then have your ajax request be to a directory that is not a child of the directory of the PATH you set for your cookies (e.g. host.domain.com/ajaxDirectory).
A common practice to reduce request size is to have resources on a different sub-domain. This way most cookies won't be sent, but obviously that isn't an option for AJAX (unless you're using JSONP).
this seems to be more acceptable security-wise
Just ignore the cookie that are unused in the server side, or first do a request to the logout service. Another alternative is to code your server so you can override the data in the cookie with, say form encoded data in post body or request header.
Related
I have the following situation:
Javascript tag with src=domain1.com in another_domain.com page
Javascript tag returns a cookie header and script content from domain1.com server
Script content collects data and send it via request to domain1.com
I want to be able to set a cookie in the point 2 and recover it in the point 3. I've been able to set the cookie by returning a Set-Cookie header like this:
set-cookie: cookieName="cookieValue";Version=1;Domain=domain1.com;Path=/;SameSite=None;Max-Age=600;Secure
But I am not able to recover it in the request in the point 3, as the cookie is not sent with the request.
So, two questions at this point:
Do I need to manually send the cookie in the second request? When tested doing redirects, the cookie header is "autoattached" to the second request and I'm able to recover it, but this is not happening with the requests from the javascript tag.
I am only able to set a cookie in https (Secure cookie) and with SameSite=None from the script? When tried without Secure and SameSite=None or in an http environment, the cookie was not set and a cross-site error was thrown by the developer console.
Thanks for reading.
There are several things to consider here. First of all we have to note that we are facing a case of cross domain communications.
If you need to send in the step 3 the Cookie set by the server in the step 2, you have to explicitly configure it when making the request. In case you are using XMLHTTPRequest you have to set up withCredentials to true, here is the docs.
If you are using fetch take a look at Request credentials.
As it's a cross domain communication, make sure your CORS headers are properly configured. When the request credentials mode is "include" you will need to set the Access-Control-Allow-Origin header to something valid and not a wildcard "*". You will also need Access-Control-Allow-Credentials to true, check it here.
With this configuration, the cookie will be "autoattached" (as per your words) in the third step. You can't set a cookie via JS on a cross-domain setting for security reasons, see this response.
Is it possible to make a request from a browser, preferably using the built-in XMLHttpRequest API, "WITHOUT" sending any cookies in the request headers?
As far as I understand setting the "allowCredentials" property to false will only disable cookies for CORS requests, where I want to make a request to the same server while not sending a "Cookie" header.
I know this sounds a bit strange, but because of current project constrains I do not have the ability to alter the Server to change the "path" in the "Set-Cookie" response header.
I'm not sure if there is a way to exclude cookies for a single request.
If you know the names of the cookies and they will not be needed by other requests later, you can delete their values like this:
document.cookie="COOKIENAME=";
The cookie names will still be there though.
If you need the values later, you can save the cookies to a variable:
var cookie = document.cookie;
// Delete the cookie values like above.
// Make a request without cookie values.
document.cookie=cookie;
But if you need to make requests with and without cookie values at the same time, this will obviously not work. And if the cookies have the HTTPOnly attribute, you will not be able to read them or change their values.
The POST and GET data are done very easily with ajax. I can't find a way to 'include' a cookie. How can I include a 'cookie'?
There is no way to explicitly add a cookie to an XMLHttpRequest request (or for any of the other techniques used for Ajax). The setRequestHeader method explicitly forbids setting cookies.
You need to add a cookie through the normal methods (i.e. via the HTTP Set-Cookie response header and the JS document.cookie API) and then make the request.
You'll also need to set xml.withCredentials = true; for a cross-origin request (and the cookie will need to belong to the host you are making the request to, not the document hosting the JS making the request).
Imagine situation, I've ajax.php file that displays specific information based on ajax request.
How can I block all requests going to ajax.php file except coming via ajax?
I'm looking for something like this in php:
if ($ajax) {
//Do soemthing
}
Will this guarantee that malicious user won't be able to see what ajax.php has to display? Since ajax has same origin policy, request must originate from the same domain, so in theory nobody will be able to call my ajax.php?
There is no way to reliably tell whether a request is an Ajax request or not, ever. Any client side information (like the referer) can be spoofed and you can not trust any of it.
You secure Ajax requests like any other request - usually through a session-based login system that checks whether the requesting client is logged in, and what they are allowed to see.
Other answers already mentioned it: there's no reliable way to determine if a script was called via an AJAX request. But I use this code to detect AJAX request:
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest');
Keep in mind that it can be spoofed, so don't depend on it.
What am doing to secure our ajax requests - Whenever any user logins at that time generate a token for the user e.g get the micro time and then convert into some hash, then attach this token with that user.
I need a script to perform a POST request to a different sub-domain than the one the page loads from, e.g. load data from domain.com and perform the AJAX POST to post.domain.com.
I've read about some alternatives that work for mainly for GET or POST with simple form data, but in this case I'll be posting a file (can be quite large).
I control the server, and both the page and the target are under the same domain. Is there any way to do this with JS/Iframes or do I have to resort to Flash/Flex?
As a side question, does mod_proxy for apache redirect a POST when the HTTP request is fully read (at apache) or it starts redirecting traffic (like a TCP tunnel) as soon as the headers are read?
Maybe Why am I getting an OPTIONS request instead of a GET request? can help you.
For requesting data from another subdomain you could look at JSONP
For posting files you can definitely use iframes.
This is a good tutorial: http://www.openjs.com/articles/ajax/ajax_file_upload/