I have 2 pages, a static html page and a python script - hosted on [local] google app engine.
/html/hello.html
define as login: required
/broadcast
which is a python script
when I access hello.html for the first time I am redirected to login page, I sign in, and then redirected back to hello.html.
inside hello.html - an AJAX call with jQuery is executed to load data from '/broadcast', this call errors saying 'you're not logged in'!
BUT - the same call to '/broadcast' through the browser address field succeeds as if I AM signed in!
as if the ajax and the browser callers have different cookies!??
HELP, am I going bananas?
Stupid me...
The ajax call was to localhost/broadcast
and the browser address field was 127.0.0.1/broadcast
...
the cookies for "different" domains ('127.0.0.1' != 'localhost') are not shared ofcourse...
Then I haven't gone mad...
Related
So I am trying to grab a code that that appears in the URL when I redirect to a certain page. So I use something like window.location.href = URL. The issue is I have to do 2 redirects but the last one is the most important one because it routes to the page I want after I get the code from the first URL. So how do I grab the code from the first URL that it gives me without having to redirect?
When I redirect to a new page (AWS) what happens you can't run the rest of your javascript. The thing is I need to do 2 redirects. One to get the code in the the URL string that AWS gives me when I complete the redirect and another to take that code and generate a token using that code and redirect to the correct URL. But I can't do 2 redirects in a javascript function.
Login page --> need code from aws url after redirect --> redirect into my app after getting code from aws url
The first request should be an AJAX request
You posted no code or extra details about the server, however it's plain to see you need to be using AJAX concepts here and not rely on the browser bar and redirects.
Make an AJAX request (the page does not redirect or reload)
When the request completes, perform the logic you need to
Finally redirect the user somewhere if it's still pertinent to do so
Welcome to the world of apps, because this is essentially what you're making: an app.
Read about AJAX:
https://developer.mozilla.org/en-US/docs/Web/Guide/AJAX/Getting_Started
You can do it natively with vanilla JS, or many people prefer to use a 3rd-party library to manage this stuff... like Axios: https://axios-http.com
I have two different apps hosted under two different domains.
Once the user is logged in app 1 (hosted on aws) and click on the "my profile" button, he/she is redirected to a html page that contains an ajax form.
This ajax form makes a request to app 1's backend and the backend responds with a html form already filled with the infos needed to send the user logged to app 2 (hosted on IIS). This html response also contains a <script> tag with a .submit() function to automaticaly submit the form.
The ajax then place this html form inside a given <div> and the form is submited to app 2.
The problem is that the submition of the form is being blocked... I doesn't say why, but in the browser's Network tab, the status appears as "canceled".
I can imagine that the issue might be related to CORS, but I'm not sure since it doesn't give the cors error explicitly.
Also, it works when running app 1 in localhost.
Edit:
It seems that is not the form submition that is being blocked, but maybe the ajax request to the api asking for the form or the api response containing the form... I'm not sure.
At first, when the ajax request POST to the api, the Network tab shows this (image 1).
Then, when I get the canceled/blocked error, it shows this (image 2)
I'm trying to understand non-persistent XSS attack. I learnt that one of the non-persistent XSS form is adding executable along with js in the URL like below
http://www.myxsssite.com/default.aspx?requesturl=<script>alert(hello)</script>
I'm on IIS and if I try the above example, IIS itself throws-up exception saying "A potentially dangerous Request.Path value was detected from the client (<)."
But when I try the below URL I get to see an alert dialog with whatever I've added in that
http://www.myxsssite.com/default.aspx?requesturl=docs/help-files/main.htm'==alert(hello)=='
The second case occurs when an unauthenticated user tries to access the help files directly wherein the above URL gets constructed followed by redirecting to Login page. Once logged in the requesturl param will be used to redirect back to where the user started.
If the same process is replayed with a tab already having valid session it won't show the alert dialog.
The question I've here is what is the significance of '== ==', without which I don't see alert dialog
EDIT:
While redirecting to Login page this is the Response body
<html><head><script>window.top.location='http://www.myxsssite.com/default.aspx?requesturl=docs/help-files/main.htm'==alert(hello)=='';</script></head><body></body></html>
The key thing I've noticed is, If I take the URL from the response and paste it in the Browser it does not shows the alert dialog.
Now it boils down to why the alert in the URL gets fired when location is set through Javascript and why not when copied directly into the browser.
I am using html, javascript, and php. My login.htm page lets the user enter the login details. It then submits through the javascript to a php page checkinglogin.php which checks the login details against a database. The call from the javascript to php is asynchronous. So it waits for the response from php page.
The checkinglogin.php page checks against the database and then responds to the javascript
If successful it starts the session and sets a session variable with the user id.
Sends back a message to the javascript either Error or "Success"
The javascript inturn (depending on the response from php) displays the error OR redirects the user to a new page listing.htm
All is working fine.
Now I want to be able to display the listing.htm page only if the session has been started and the user has successfully logged in. Currently, listing.htm is accessible if dont log in and just type in the url in the browser.
My idea is that somehow if we can check on listing.htm page that if the session variable is not set then redirect the user to the login.htm page.
Not sure what can be done here to achieve the required functionality.
I know its a basic question and it is been asked for several times but i was not able to understand it.
I was using a html webpage with some input fields and submit button when the submit button is pressed the post is done through XMLHttpRequest and CGI script is called. In cgi script the authentication is checked with the value in the file of server.
The problem is that if the authenication is false i want to redirect the browser to the xmltest.shtml for this i have written in the CGI:
if($isauthenticated == 0)
{
print "Location: http://xmltest.shtml\n\n";
}
But when this cgi is called in return the get is called with the xmltest.shtml page but the browser is not redirected.
It means that if I check in the Firebug console the get request is seen by me for the xmltest.shtml but the browser page is not redirected to the xmltest.shtml it remains to the same page.
You can't cause the page to redirect that way. When you use XMLHttpRequest, you are sending the redirect header to the XMLHttpRequest client, which runs in the background. You will successfully redirect that client, but it will not affect the page on the screen.
If you want to redirect the actual browser page in response to an XMLHttpRequest session, you will need to write some JavaScript to capture the error condition and redirect the browser by updating the value of document.location.href.
If you're using an AJAX framework like jQuery, there is an error callback available in the ajax method which will get executed if your failed request returns an HTTP 403 or similar.