Problems with xmlHttpRequest + cookies + redirect - javascript

I am trying to login to a web service using xmlHttpRequest.
The web service in question seems to authenticate using cookies. After analyzing communication with IE browser, I concluded that the sequence is basically the following:
(1) server sends a form requesting username and password.
(2) client sends a POST request containing username and password typed.
(3) server sends a redirect message (HTTP 302) to the same URL with a "Set-Cookie" header containing the session ID
(4) client re-sends the same URL containing the cookie received from the server in redirect message.
(5) server receives session ID and concludes authentication.
I tried to emulate the same sequence using xmlHttpRequest in JavaScript. However, I found a problem.
It seems that xmlHttpRequest does not redirects cookies. I other words, (4) is not happening and authentication is not completed.
To make the problem worse, xmlHttpRequest does not seem to detect redirect events (it this was possible, I could at least set Cookie header before re-sending request). The onreadystatechange() function is called only after all re-direction process is completed.
So, I don't have any solution in mind to resolve this problem and complete authentication.
Also, as it is related a "public" web service, I am not able to change anything in the server side.
Any idea?

As far as I know you can't use xmlHttpRequest to query a url of a server different to the server you are connected to. ¿Could you do it?
In explanation if the page with the javascript code is in yourdomain.com you can't use xmlHttpRequest to call a web service in example.com.

With the previous comments I understood better the situation.
Steps (4) and (5) are only to redirect you to the main page, the real autentication ends in (3), once you get the cookies (using getheaders for example) you are logged in.
Then for every new request you do with the correct cookies the website will see you as the logged in user.
Are you trying to automate a query to the site? Or just automate the login process?

Related

Fetch request to localhost with basic auth

Is it possible for a webpage, like https://example.com perform an http request to localhost?
This is an uncommon situation. Let me explain:
My visitors have a local server running. They can access their server in a request to http://localhost:12039/wallet, which returns a json.
When the visitor opens my page (at example.com) could the JS in that page perform a request to their local server?
To make it even more complicated: the server don't add CORS header and the it also required an Basic Auth.
From postman, everything work as expected. But not from the browser (if not called from localhost)
I did some tests, but it's not working yet.
I'm not able to send the Authorization. When I run this code, there's a prompt from the browser, asking for username and password:
It's really hard to Google this terms. Most of the results are related to localhost calls for your own api during the development.

Javascript: How can I force a POST request to treat the user as not authenticated

I'm using Javascript and XmlHttpRequest to POST to another URL on the same site. Users must be authenticated to access the page where the Javascript runs, but I need to submit the POST to the second URL as a non-authenticated user (to prevent the server from running code which is always run for authenticated users). Is there any way to submit the POST so that it appears to come from a non-authenticated user (so the server doesn't pull the user's authentication information from their session and treat them as authenticated for the POST)?
For example, is there a way to open a new session just for the POST, or to change the session ID just for the POST?
Note:
I tried to explicitly perform authorization using credentials for a non-existent user, but that didn't make any difference.
If this can be done using ajax instead of XmlHttpRequest, that's an acceptable solution.
Unfortunately this can not be achieved only in JavaScript, so you will have to make some changes on your server. You have two options:
Either you mark your session cookie as HttpOnly, so it won't be sent together with your request. But this will mean, that all your requests are sent as unauthenticated user.
Second option is use of a subdomain for this endpoint. Cookies are sent with XmlHttpRequests only on the same domain to prevent cross-site scripting. So if you move the server endpoint from www.example.com/myresource to api.example.com/myresource, the cookie will not be sent.

OAuth2 Implicit Grant with Ajax

I'm implementing OAuth's implicit grant type in a Javascript application using Angular. I would like to request a token using an AJAX request. When I make the request to my OAuth server, it responds with a 302 and a location header. As per the spec, the location is my configured redirect URL with a hash fragment containing the access token.
My problem is I have no way to read the hash fragments if it is an ajax request, since XmlHttpRequest automatically follows the location header. I can't seem to get any information about the initial response (the one whose status is 302, and has the location header.) If there were some way to intercept that response and read out the location header, I would be set.
I would like requesting a token to happen behind the scenes, without the user knowing it is even happening. (That is, without the browser's URL jumping all around.) I should also mention that I am working within an environment where SSO is available, and the user will most likely have already authenticated via SSO. As long as my OAuth server detects an SSO cookie, it will know the user has been previously authenticated and to just issue a token for this application, without needing to redirect to a login page.
Is there any way to read either the location header of the first response, or to read the URL that is redirected to? It seems that xhr itself goes to great lengths to prevent this, so I'm also wondering what is the reason for that?
oauth Implicit Grant usually opens the service login window so the user can accept the service integrator then provide their login credentials. Using JavaScript you can read the hash by implementing code similar to:
var browserRef = window.open(add your URL here, '_blank','location=yes,clearsessioncache=yes,clearcache=yes');
browserRef.addEventListener ('loadstart', function(event) { add code to read the hash)}

How to redirect to different domain with a cookie in Express js

I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);

GAE sessions disappearing after POST request from JavaScript

I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, the GAE uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from thes ession - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that as it was a cross-domain Ajax request the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least) the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.

Categories

Resources