Even if I use HttpOnly cookie I noticed that I can change the cookie from the browser.
And I store the users' tokens in the cookie,
so I don't want any user copy the token of another user, then he gets user authorization and data.
So I want to remove the cookies to remove All-access, if anyone has changed cookies in the browser.
You should hash it and make it time sensitive.
There's no way you forbid user to view and manipulate cookies on their browser.
Related
I'm trying to remove the user's authentication cookie by using $cookieStore.remove('.ASPXAUTH'), but if I refresh the page afterwards, the cookie still exists and the page is still available instead of the user being redirected to the login page as I would expect.
Why is the user still able to view the page after I delete the authentication cookie and refresh the page?
I'm afraid that there isn't much you can do to a http-only cookie with javascript. The backend has to remove it if it's http-only. you can trigger a logout by using ajax.
$http.get("/logout");
The other option is to use non http cookie so you can modify it with javascript. But that would make it vulnerable and unsafe for risk of an XSS flaw grabbing your cookie and allowing your session to be hijacked.
PS: try HEAD request method if you don't want to load the page that follows (might work like an "do-and-forget-about-it")
$http.head("/logout");
I need to display a popup to the user once per session. My thought was to create a session cookie by creating a cookie with no expiration date to track if the popup has already been displayed. These cookies should be removed when the browser is closed. I have since learned that Chrome has a "feature" where session cookies are not removed (Chrome doesn't delete session cookies).
I am not asking why the cookies aren't deleted in chrome. I am asking if there is a way to force chrome to remove the cookies or some other solution to only display a popup once per session.
You can maybe use sessionStorage to store your flag? http://www.w3schools.com/html/html5_webstorage.asp
Or is this information required to be sent to the server on every request?
I'm looking to persist all cookies in localStorage. When the page is loaded the cookies should be inflated from the data in localStorage. Whenever they change, or possibly just on page close, localStorage should be updated with the cookie data.
I'm in an environment where cookies do not persist between restarts and you're expected to use localStorage. The problem is that the server framework I'm using sets all the cookies independently of my code.
Thanks for any help navigating this -- I don't know my way around cookie behavior that well.
The localStorage API operates on a simple set/get/clear set of methods that allow you to interact with a key-value store. To store all the cookies for the current page under the key "cookies" you could write:
localStorage.setItem("cookies", document.cookie);
and later recover them by:
document.cookie = localStorage.getItem("cookies");
We have a public facing website, in which the user can login using an email address.
After the user logs in, we populate the cookies of that domain with a uniquely generated session id, and the user details, like emailAddress, Name etc, based on which other calls are made to the server like getUserProfile etc.
However the problem, is any user can make changes to his hosts file, and write a simple Servlet to create the cookies of my domain, and can accordingly set any random session id and user details in the cookies, and then can get automatically logged in.
On the client side, how do I maintain that the appropriate session id is correct. If I maintain the session ids on the backend in some caching framework like memcache, then each hit on website every page will hit the server, which is not what i would want.
What is the way to get around this problem and ensure that the fraud user is not able to set my cookies after making changes in his hosts file.
On the client side, how do i maintain that the appropriate session id is correct.
You can't. The browser is controlled by the user. You control the server. You can only perform authentication on the server.
What is the best way to transfer data from page to page on a website? For instance, I'm logged into this site and stay logged in know matter how many times I switch pages and even if I close the browser. How exactly is this done? I'm thinking through the use of cookies, but I"m really not sure?
Thanks!
There are two options Cookies and Sessions
Rule of thumb: do not trust user input. Cookies are user input, session ids that are stored in cookies are user input, http headers are user input -- these things must be triple checked for every possible thing. Session data, on the other hand, is stored on your server, so it is more or less secure if not stored in /tmp.
One of the most popular setups for session authorization is this: session id is stored in cookie, and everything else including password is stored in session. After starting a session based on id from a cookie, you should get user id from session data and then check if password stored there is still valid.
If you set a session variable, the user can't directly change it unless they hijack another session cookie.
What you mainly have to watch out for is on shared hosting, your session data isn't secure (typically other sites can see it).
It's also worth noting that cookie data isn't secure either. It shouldn't be relied upon in the same way that form data shouldn't be relied upon (no matter what client validation tells you).
Your best practices with passwords are:
Store the password in the database in a hashed form, preferably SHA1 (first choice) or MD5 (second choice);
When you receive the user's password, encrypt it and check it against what's stored in the database;
Set the logged in username in the user session;
Expire the cookie after some period (even if its days) rather than having it last forever; and
Use a secure connection (HTTPS not HTTP) where possible. SSL certificates are cheap.
Yes, you stay logged in typically because there is a cookie which stores your session ID.