Pass cookie back to the server - javascript

I am writing a single-page application with CanJS. For one of the models, every time I save a new item, the application sends the normal POST request. However, there is a specific cookie returned in the HTTP response that I would like to send back to the server on GET requests when fetching an item.

All cookies specific to an application are passed automatically to the server in the request header. Make sure that the cookie you want to send belongs to the same application.
You can check this by looking at the cookies in your browser. Make sure that the cookie you want to send has its Domain set to your application name. For example, all Stack Overflow cookies will have the domain value .stackoverflow.com.
You can refer to this tutorial, which covers creating and setting cookies in JavaScript: http://www.w3schools.com/js/js_cookies.asp

Related

Javascript: How can I force a POST request to treat the user as not authenticated

I'm using Javascript and XmlHttpRequest to POST to another URL on the same site. Users must be authenticated to access the page where the Javascript runs, but I need to submit the POST to the second URL as a non-authenticated user (to prevent the server from running code which is always run for authenticated users). Is there any way to submit the POST so that it appears to come from a non-authenticated user (so the server doesn't pull the user's authentication information from their session and treat them as authenticated for the POST)?
For example, is there a way to open a new session just for the POST, or to change the session ID just for the POST?
Note:
I tried to explicitly perform authorization using credentials for a non-existent user, but that didn't make any difference.
If this can be done using ajax instead of XmlHttpRequest, that's an acceptable solution.
Unfortunately, this cannot be achieved in JavaScript alone, so you will have to make some changes on your server. You have two options:
Either you mark your session cookie as HttpOnly, so it won't be sent together with your request. But this will mean that all your requests are sent as an unauthenticated user.
The second option is to use a subdomain for this endpoint. Cookies are sent with XmlHttpRequests only on the same domain to prevent cross-site scripting. So if you move the server endpoint from www.example.com/myresource to api.example.com/myresource, the cookie will not be sent.

How to redirect to different domain with a cookie in Express js

I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where a user is directly logged in and redirected to another site after he logs in to my site.
In my routing function I'm writing the following code:
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in Chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which I'm redirecting to is hosted on another server on the local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
@jfriend00 nice explanation.
@Kiran G, you can pass it as a query param in the same redirect. There is no need to set cookies in Express; just send it in a query param as below,
i.e.
res.redirect(`http://hostname/path?fanws=${encodeURIComponent(value)}`);
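An added example (not from the original answers) of the query-parameter handoff described above, assuming you run both sites and they share a secret: rather than placing the cookie value itself in the URL, the first site sends a short-lived HMAC-signed token that the second site verifies before setting its own cookie. The names makeHandoffToken, verifyHandoffToken and handoffUrl, the `handoff` parameter and the 60-second lifetime are hypothetical.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 60 * 1000; // assumed lifetime; keep it short because the token travels in a URL

function sign(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Site A: build the value placed in the redirect's query string.
function makeHandoffToken(userId, secret, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ userId, exp: now + TTL_MS })).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Site B: returns the user id, or null if the token is malformed, forged or expired.
function verifyHandoffToken(token, secret, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || now > claims.exp) return null;
  return claims.userId;
}

// Site A's redirect target, built with URL so the token is encoded correctly.
function handoffUrl(base, userId, secret, now = Date.now()) {
  const url = new URL(base);
  url.searchParams.set('handoff', makeHandoffToken(userId, secret, now));
  return url.toString();
}
```

Site B calls verifyHandoffToken on the incoming parameter and, on success, sets a cookie for its own origin. A token remains valid until it expires, so a server-side record of used tokens is needed where replay within that window matters.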

Will http_only cookies be sent with AJAX?

I found this link
But at the bottom it says "This information is likely no longer up to date."
So my question is, will http_only cookies be sent with AJAX? Can the response via AJAX set http_only cookies?
Edit 1: Let's say a user logged in to the system. His session started and an http_only cookie is set. He tries to fetch a list of his friends via AJAX and sends JSON. When making the AJAX request, do I need to do anything special to tell it to send cookies or not? Will each request send the cookies to the server by default? Will the response send back cookies (let's say I am updating the user's time of last activity)?
Yes, they will.
The HttpOnly flag makes cookies not appear in document.cookie and XMLHttpRequest.getAllResponseHeaders. It doesn't prevent them from being sent with HTTP requests, with the exception of cross-domain HTTP requests (which it doesn't sound like you're using here).
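An added example (not part of the original answers) that models two rules discussed on this page: the browser attaches a cookie when the request host and path fall inside the cookie's scope, and HttpOnly hides a cookie from document.cookie without removing it from the Cookie request header. The jar contents and host names are constructed, and the matching is a simplified form of RFC 6265 (no expiry, SameSite or public-suffix handling).

```javascript
// Constructed sample jar, as a browser might hold it after login on www.example.com.
const jar = [
  { name: 'sid', value: 'abc', domain: 'example.com', hostOnly: false, path: '/', httpOnly: true, secure: true },
  { name: 'theme', value: 'dark', domain: 'www.example.com', hostOnly: true, path: '/', httpOnly: false, secure: false },
  { name: 'cart', value: '42', domain: 'example.com', hostOnly: false, path: '/shop', httpOnly: false, secure: false },
];

// RFC 6265 section 5.1.3: exact match, or the host ends with "." + cookie domain.
// A host-only cookie (set without a Domain attribute) matches the exact host only.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix ending on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function inScope(cookie, url) {
  return domainMatches(url.hostname, cookie) &&
         pathMatches(url.pathname, cookie.path) &&
         (!cookie.secure || url.protocol === 'https:');
}

const serialize = (cookies) => cookies.map((c) => `${c.name}=${c.value}`).join('; ');

// What the browser puts in the Cookie header of a same-site request (XHR included).
function cookieHeaderFor(urlString, cookies = jar) {
  const url = new URL(urlString);
  return serialize(cookies.filter((c) => inScope(c, url)));
}

// What page script sees in document.cookie: the same set minus HttpOnly cookies.
function documentCookieFor(urlString, cookies = jar) {
  const url = new URL(urlString);
  return serialize(cookies.filter((c) => inScope(c, url) && !c.httpOnly));
}
```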

GAE sessions disappearing after POST request from JavaScript

I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, and the GAE app uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android app does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from the session - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that, as it was a cross-domain Ajax request, the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least), the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.
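An added example (not the poster's code) of the server-side rule described above: for a request sent with withCredentials set to true, the response has to name the exact calling origin and set Access-Control-Allow-Credentials to true, because browsers reject the wildcard for credentialed requests. The allow-list, the host names and the corsHeadersFor and browserAcceptsCredentialed helpers are hypothetical.

```javascript
// Hypothetical allow-list of front-end origins permitted to call the API with cookies.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:8080']);

// Returns the CORS response headers for a request, or {} when the origin is not allowed.
// requestHeaders uses lower-case keys, as Node's http module provides them.
function corsHeadersFor(requestHeaders, method) {
  const origin = requestHeaders.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,      // echo the exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true', // lets the browser keep and send the session cookie
    'Vary': 'Origin',                           // stops caches reusing one origin's response for another
  };
  if (method === 'OPTIONS') {                   // preflight request
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
  }
  return headers;
}

// The browser-side decision: is a credentialed response exposed to the calling page?
function browserAcceptsCredentialed(pageOrigin, responseHeaders) {
  return responseHeaders['Access-Control-Allow-Origin'] === pageOrigin &&
         responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Client side, as in the answer (runs in a browser, shown for reference only):
//   const xhr = new XMLHttpRequest();
//   xhr.open('POST', 'https://api.example.com/session');
//   xhr.withCredentials = true;
//   xhr.send();
```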

Cross domain AJAX with Basic Authentication?

I have a ColdFusion application that's behind an ISA Server. Part of the application is protected by Basic Authentication and part is not. ISA Server sets a cookie when the user logs in, but the cookie is only available for reading when I bypass ISA. So, the cookie cannot be read from the server where the application is running.
I'm trying to test whether the user's ISA session has timed out or not. I can't make any HTTP calls on the application server without affecting the session expiration time.
I thought I could read the cookie from the back-end server through a cross domain AJAX call. Unfortunately, on the back-end server the cookie is only available in a directory that is protected by Basic Authentication. Because of the Basic Authentication requirement, I can't use JSONP to check for the existence of the cookie. I also can't use a proxy script on the application server because that will change the expiration time of the cookie, which is what I'm trying to avoid.
I tried using an iFrame in my application to load a page on the back-end server, but I can't get it working with Basic Authentication. I always get the login pop-up box.
Any ideas how I can test for the existence of the cookie on the back-end server without triggering an update of the cookie expiration time on the application server?
It turns out I can access the cookie on the backend server in a directory that's not protected by Basic Authentication, so I just used JSONP and everything worked well.
