I have a ColdFusion application that's behind an ISA Server. Part of the application is protected by Basic Authentication and part is not. ISA Server sets a cookie when the user logs in, but the cookie is only available for reading when I bypass ISA. So, the cookie cannot be read from the server where the application is running.
I'm trying to test whether the user's ISA session has timed out or not. I can't make any HTTP calls on the application server without affecting the session expiration time.
I thought I could read the cookie from the back-end server through a cross domain AJAX call. Unfortunately, on the back-end server the cookie is only available in a directory that is protected by Basic Authentication. Because of the Basic Authentication requirement, I can't use JSONP to check for the existence of the cookie. I also can't use a proxy script on the application server because that will change the expiration time of the cookie, which is what I'm trying to avoid.
I tried using an iFrame in my application to load a page on the back-end server, but I can't get it working with Basic Authentication. I always get the login pop-up box.
Any ideas how I can test for the existence of the cookie on the back-end server without triggering an update of the cookie expiration time on the application server?
It turns out I can access the cookie on the backend server in a directory that's not protected by Basic Authentication, so I just used JSONP and everything worked well.
Related
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
I have a GAE application that uses a session to store something. There is an Android app that works with it, sending requests, the GAE uses the session when responding. Now I'm trying to make a JavaScript client that does the same thing as the Android does. It uses XMLHttpRequest to send Ajax requests (with CORS enabled) to the GAE app. The first request goes through fine, but the second one - where it needs to retrieve an object from thes ession - crashes with a NullPointerException when trying to read from the session.
These two requests were sent by the same page, one on load and one when a button is clicked by the user.
Anyone have any idea what's going wrong?
The problem was that as it was a cross-domain Ajax request the cookie with the session ID wasn't saved. To allow that to happen (in Chrome at least) the request needs to have withCredentials set to true. That means that on the server side no wildcard is allowed for Access-Control, and the Access-Control must be set to allow credentials.
I'm developing a backend service in Grails that should serve both a web application and a mobile application.
The frontend is being developed using AngularJS and the mobile app will use the same AngularJS codebase to go native with PhoneGap.
Now, I'm looking for a proper way to implement the authentication with the Grails backend that works both for the web app and mobile app.
Three ideas:
1) Store username and password in LocalStorage and authenticate the user on the backend at every request
2) Use cookie based authentication (it's tricky to enable cookies in PhoneGap, I should
extract from the AJAX response and attach in the AJAX request)
3) Develop a custom protocol that generates a token for every session in the backend and stores that in LocalStorage. The session token will be sent in every request to the backend.
4) Sign every request using a private/public key mechanism (similar to Amazon AWS). Even in this case, the backend has to verify the correctness of the signature for every request (there is not a session concept).
I don't trust the LocalStorage so much but I have no other ideas and I can't find any example (an example with other backend and frontend technologies would help the same).
You can assume that the backend will run on HTTPS.
I would go for the third one, with some additions:
The first time the device is connected, you authenticate the user in some way (user/password or whatever). Then you send a persistence token to the device which saves that to the LocalStorage.
For each following session, upon opening the client exchanges the persistence token for a short lived session token (how much short lived is up to you, depending on the context).
This is similar for what you provide but reduces risks of man-in-the-middle and replay attacks.
Hope this help!
The Problem:
Serving a secure API to a client side app using only a local authentication strategy. The red arrows are part of the knowledge gap.
Context:
That is --- client.example.com is making a POST to api.example.com/login where on success client.example.com can gain access to a GET service like api.example.com/secret.
An idea!
Implimentation of OAuth 2.0 with hybrid grant type sitting in front of API.
Why hybrid?
It wouldn't be an Implicit Grant Flow aka Client-Side Web Applications Flow because there is no redirection to API server too grant access token. (i.e.) "Is it ok for so-and-so to access your data?"
It wouldn't be a Resource Owner Password Flow because a Client ID and Client Secret are passed along with the request so it's assumed the client app is server-side.
OK... so what about a little bit of both?
What if we used a CRSF token on page load of client-side app, and POST it with user credentials too OAuth 2.0 authentication endpoint to exchange for access token? You would authenticate each subsequent request with the access token and CRSF token after a successful login.
A good Node.js OAuth 2.0 library I found:
https://github.com/ammmir/node-oauth2-provider
Help Me!
I can not find a working example of an authentication measure that solves this problem! Point me in the right direction?
Ultimately, the goal here is too authenticate a client side app to a REST api using CORS with a local strategy --- i.e. username & password --- even if the convention above isn't possible.
To Accommodate Bounty:
This is a client side app, so let's stay trendy.
I'm looking for a working example using the Node.js OAuth 2.0 seed above for the API/Auth server and a front end framework like Angular.js or Backbone.js to make requests.
The example should match the context described above.
I'm working on an app with a pretty similar architecture though the services are .NET Web API rather than Node and we're using DotNetOpenAuth for the OAuth provider. Rather than the hybrid approach you're suggesting we're doing the following:
x.com serves up a login page
login page POSTs back credentials to x.com
server side logic at x.com combines client_id and client_secret with the credentials to submit a token request (resource owner password credentials grant that you've
mentioned above) receiving back both a temporary access token and a
refresh token
the refresh token is encrypted into a cookie issued by x.com
both the cookie (with encrypted refresh token) and the temporary access token are then sent to the browser
the client app (angular in my case) can now use the access token to hit api.x.com for services (It appears you're well aware of the limitations of CORS... we hacked a version of angular's $resource to facilitate this but it wasn't pretty since we wanted to use all HTTP verbs and support IE9)
when the access token expires, the client side app can request a new access token from x.com
server-side, x.com decrypts the cookie to get at the refresh token and issues another oauth call for a new access token
This is fairly high-level but hopefully gives you a sense for how to tackle your situation. In my case, and it appears in yours, we didn't want to use session state or a database to store the refresh token but obviously exposing that to the browser introduces security concerns so the encryption of the refresh token is important (among other security considerations) and the use of the cookie eliminates the need for session state or other persistent storage on x.com.
Not an answer running for the prize. Just my 2 cents :)
On my web server,
I do my authentication through a rest call with login/password with basic authentication over https. This call delivers a key to the client (a one page web app).
Then every subsequent REST call is signed with the key. The server checks that the signature is correct and everything still happen in https.
This mechanism is quite used I believe.
I don't see the issue with cross domain. I have a single source anf if I need something from another source, I'd use JSONP.
I use nginx as an https->http forwarder.
Not sure how it competes with an OAuth2 solution.
I've built this example using Node and PassportJS to show how to authenticate the users with Facebook or Local Strategy. Both sides are on different domains as you described and it requires CORS enabled.
GitHub: https://github.com/pablodenadai/Corsnection
Live demo: http://corsnection-client.herokuapp.com/
I can't promise that I have time to write working example but I can show you 2 paths :)
The biggest deal is CORS. After you solve that problem it is easy to use $http service. So, first and probably easiest may be to configure reverse proxy in x.com webserver which points to api.x.com. I wrote article here
Second approach is better, and created for exactly this purpose, to authorise specific domain to use your resource. It involves a bit of coding in api.x.com so you don't have to change anything in new web applications served in other domains. You simply need to authorise CORS requests in api.x.com service.
Create table in database where you can manage list of authorised domains
Add in that table record "x.com"
in api.x.com add request filter/interceptor what ever tech term you use for method which should be invoked after request is handled and add in response Access-Control-Allow-Origin: x.com if request comes from x.com (in other words check in request header refer value match to any value in table above and put that value in Access-Control-Allow-Origin response header).
That is all :) After this if you know how to use $http or jQuey.ajax you will be able to POST/PUT/DELETE/... any request to api.x.com from any authorised domain in just few minutes.
I very similar idea using vinilla js web app and cross domain authentication to GAE backend or OpenID connect.
The web app is run on CDN. When click login link, it goes to respective login server and redirect back to the web app (with XSRF security token and HTTPS only cookie). Login server accept cross domain request with credentials. XSRF token has to be set (in header) with every request. cookie is set by the browser. Since it is HTTP only cookie, JS cannot read it. The technique is very secure.
Once login, you can get secure assess from login server.
For detail description, you can find here and open source repo here.
I am writing a single-page application with CanJS. For one of models, every time I save a new item, the application sends the normal POST request. However, there is a specific cookie that is returned in the HTTP response that I would like to send back to the server on GET requests when fetching an item.
All cookies specific to an application are passed automatically to server in request header. Make sure that the cookie which you want to send is of the same application.
This you can check by looking into the cookies of your browser. Make sure that the cookie which you want to send has Domain as your application name. Like all stackoverflow cookie will have domain value as .stackoverflow.com
You can refer to this tutorial which talks about creation and setting of cookie in JavaScript : http://www.w3schools.com/js/js_cookies.asp