Is there any alternative ways to secure cookies access other then domains?
in my application i am setting cookie on 1 fix domain (cookie.xyz.com) and i need to track user on any domain, basically we are SaSS company and our client will put our js code on his website(s), then we set and get cookie on our one cookie.xyz.com because client can put our js on multiple domains. (right now i am using iframe and window messaging to get/set cookies on cookie.xyz.com)
So now in my case anybody can steal cookie of end user using js and use that and he can himself became that end user.
So what could be solution this so only my code (running in context on any domain) can read and write cookie from particular domain (we do this because our client don't have one or fix domains).
Before downvote this question let me tell you.
I know its not possible, thats why i ask here to find possible or hacky solutions?
You are facing a Cross Origin use case where you want to give liberty on your origin domain BUT you want to add control on it.
Both cases are complicated to coexist.
A solution is to add on your back end webservice a control on the origin of the request such as :
header("Access-Control-Allow-Origin: http://origin.domain:port");
Access-Control-Allow-Credentials: true
And update your JS Call to add credentials to true.
Related
I'm trying to send a post request to a different site, specifically Zoho.eu, to enable me to login with one click. Effectively I want to POST to the login URL, my username, password etc etc.
I have ran into the Cross origin problem and I have looked at many different solutions such as JSONP, the iFrame method, CORS etc but all of these require me to have access to the third party backend which I don't have.
How do I get around this problem? I understand I can use a proxy somehow to enable me to avoid the cross origin problem but I'm not sure?
Thanks in advance.
If I understand you correctly then the short answer is you can't.
A proxy won't help you to create a session in the user's browser and login. When using a proxy you are doing the requests in behalf of the user from your server, and can't set the required session values to the user's cookies for the target domain.
This is intentional. The whole concept of Same-origin policy/CORS was invented so that others will not be able to do something in behalf of a users in a domain they don't own.
I would consider OAuth, it might be the right way for you to implement this kind of cross-domain login flow.
One easy solution (which is only a temporary fix, you will have to find a more permanent solution for production code) is to hard code the name of the server from where the request is coming in your server controller code and allow access from it.
CORS protection is intented.
Zoho provides cleaner way to authentication to their site with OAuth integration. That is cleaner way to integrate.
Documented clearly here on the steps,
https://www.zoho.com/crm/help/api/using-authentication-token.html
Any other mode of authentication is not allowed and may be blocked by Zoho.
Hope it helps.
I use electron 0.36.0 and I have a cookie for a page and this page has a nested frame with a different domain.
I need to somehow keep a cookie alive when going to this frame directly (different domain) and ideally, I want to avoid upgrades of electron (otherwise I would have to rewrite my code).
What's an ideal solution for my situation (it can be also a small workaround)?
Thank you!
Cookies can now be shared with different domains so you will have to find a different way of doing what your trying to do.
For cross domain cookies alcuadrado has described a work around to do this in his post like below:
centralize all cookies in a single domain, let's say cookiemaker.com
when the user makes a request to example.com you redirect him to cookiemaker.com
cookiemaker.com redirects him back to example.com with the information you need
check this answer and this.
We have a webservice that is mainly intended to be called from javascript, via jquery's $.ajax(). When we call methods from javascript, we set a security token in a request header. If it's not there, or if it doesn't validate, we return an unauthorized error.
And that's all working fine.
But now we're faced with returning image files. So instead of having javascript call $.ajax(), we're embedding an image tag in the DOM:
<img src='http://mywebservice/imagescontroller/getAnImage?imageid=123'/>
And when we do that, we don't have our security token in the request header. I can think of two "easy" fixes. 1., we simply allow anonymous access to our image URLs, or 2., we pass the security token as a URL parameter.
The first choice is, of course, not a good idea. The second is straightforward enough. But before I settle on this approach, I was wondering if there was some easy way of setting request headers on these sorts of requests, that I was missing.
Ideas?
Easy fix: Use session cookies. That is a cookie without a expiry date. It will automatically transmit with each request and go away as soon as the users closes the browser, or you delete the cookie via javascript.
You simply store your token there and get it delivered for free to your server code.
Have some demo stuff here:
How do I set/unset cookie with jQuery?
If you run the services on another domain, you will need to use CORS to make the AJAX running - otherwise your AJAX will run into the Same Origin Policy. With CORS you can even make the cookies work.
See here: CORS request - why are the cookies not sent?
If you do not want to use CORS, you could also incorporate the service domain into your own via reverse proxying. This will solve the SOP problem as well as make the use of cookies possible. Setting up a reverse proxy within Apache is pretty straight forward.
I'm preparing some diagnostic tool. It operates on the website in the iframe - only by javascript.
Now what I need is to get rid of session cookie in the website that I have in my iframe. I just need to be logged out after performing some operations.
Unfortunately I cannot just drop the session cookie from javascript because it's mark with httpOnly flag. I did not found any way to open iframe in incognito mode either.
Now the rules for achiving this are following:
I can add any file to target website server
I can run any javascript on website domain
I can force user to use specified browser (it does not have to be cross-browser solution)
I can NOT modify website code
The solution have to be server and programming language independent
Any ideas for the workaround?
You just cant manage httpOnly cookies from javascript.
But I think that you want to analyze the page, but also with js. So why use iframe ?
You can fetch content of page that is to be analyzed from outside of html or javascript:
do ajax request to your application proxy
use html5 websockets as proxy server. I assume that websocket server is your. Websockets have also cross-domain ability.
You then just need to parse fetched DOM (i saw something builtin for this). And let analyzing to begin.
As far as I understand -
Given that - You will have a website with user login/logout implemented in it.
So if you can have some way for your diagnostic app to have the logout url of target website as a config var or some setting (by putting some js or file in the server) then this job can be very simple. Just let your diagnostic app load that logout url when needed.
If you simply want to prevent cookies being used in the iframe you could try using the sandbox attribute.
Seems like a very similar question to:
Disable Cookies Inside A Frame/Iframe
Hope I am understanding your question correctly.
You have JavaScript so just AJAX request to your server and tell it to unset the session variable.
Say IFrame references url: example.com/iframe.html.
Have it refer to cookieless.example.com/iframe.html instead and have a serverside reverse proxy rule setup that picks up that request and points it back to example.com/iframe.html.
Depending on how you set cookies serverside (i.e: '.example.com') cookies will only be set on www and root-domain
I think you will need some kind of server side proxy that records the cookie header value, and then resets this header value at a later stage based on a value in the request.
This shouldn't be too hard to write in any language, on IIS / .net framework for instance it would be an implementation of an IHttpModule.
The Only way is to Disable Cookies
Please, I would like to set cookies for my browser by my script running at my domain.. but I want to set cookies from another domain.
For example, I would like to set cookies that twitter.com sends me (when I would visit by browser), but I don't want to visit their page for the first time. Only when I visit their page after running my script, I want that their cookie is already set. Is it possible at all?
I thought, that changing the domain variable for document.cookie is doing the trick, but it doesn't work.. the twitter doesn't see any cookie being set.
No you can't obviously. Being able to control cookies from domains other than the one your website/webapplication runs on, would be a tremendous security risk. Because being able to set, would also mean being able to read.
You can, but it requires some hacks and can't be done in javascript alone.
Open up firefox and grab your "auth_token" cookie from twitter.com
If you have access to a web server and can config it to accept all host headers.
Makeup a fake subdomain and add it to your hosts file like:
127.0.0.1 xxxxxxx.twitter.com
from that server set a cookie named "auth_token" with *.twitter.com as the domain.
This would work for twitter because their auth_cookie is set to expire in 20 years.