The situation is as follows:
I am logged into a web application and there is an HTTPOnly-Cookie stored with a JSESSIONID. The backend I am sending requests to is running on the same website/url as the frontend application. Now while I am logged in as User A (identified by the cookie with the JSESSIONID), I need to do a single request to the same backend but without this cookie! Whenever I send a request to the backend, this cookie is automatically sent too though.
So how can I tell an AJAX request to NOT automatically send this certain HTTPOnly cookie - or even any cookie at all. I know that this can be achieved for Cross-Origin calls (see "withCredentials" flag). But this does not help since it is no Cross-Origin call...
Can anyone help me with this one?
Thanks and best regards
Related
I have created an Open Layers 3 Map which loads its tiles from my server, i dont transmit the user id, it's recognized server side, so the map does not work if there is not user logged in.
So far so good, everything working. If someone clicks on a feature in the map i would like to send some request to the server as well, also without sending the user id, cause there should be a session anyway. But if i send an AJAX request to the server, then the JSESSIONID will be missing from the request and i get a new session id every time i send a request.
I know this is due to HttpOnly flag, but what bugs me is, how can Open Layers have the JSESSIONID in its requests, but i dont get it for my own Ajax requests.
See also the picture for the difference:
-- GetTile is a request generated by Open Layers
-- GetStarMapData is a request generated by own written Ajax call
Both requests just access a servlet on the Server
Cross-origin XHR requests (the Origin in your screenshot indicates you are making one) only include cookies if you explicitly turn credentials support on.
xhr.withCredentials = true;
This will make it a preflighted request so you will have to configure the server to correctly respond to OPTIONS.
Storing client session data as a cookie seems more secure than anything else, but I am not sure how to send/include the front-end cookie in a CORS AJAX request. I know I should set withCredentials to true on XmlHttpRequest, but other than that, I am not sure how the cookie actually gets sent to the server?
So on the Node.js server, I would send the cookie to the browser with
function(req,res,next){
res.cookie('lectal-cookie', someEncryptedToken, {maxAge:'12h'});
}
on the client (browser), I assume that cookie is automatically stored somewhere-
but how do I include the cookie in a cross-origin AJAX request? Do I send it as a header or can I send it as a cookie or both?
Will using withCredentials=true automatically include all the browser cookies in the AJAX request?
I am developing a Chrome extension which will be sending data via an AJAX request using jQuery. I need to ensure though that only the logged in user has send the request. This might not be the right approach trying to secure the AJAX request itself so any advice is appriciated.
you cannot secure Ajax requests on client side as every one can request to your APIs if it's included in your JS.
but there are some workarounds which you can choose to have more secure interact with your server:
you can send encrypted data
you can also obfuscate your code to make it much harder to read
use SSL to protect data from snoopers
EDIT:
as you mentioned if you want to make sure a user is logged in to do something you can use encrypted cookie and a token as mentioned in another answer. but if you want to prevent requests and not rejecting them maybe above solutions will help you.
To make this work, when the user logs in, you need to set a cookie that contains some sort of authentication token or session ID (usually some unpredictable string of characters) that is also stored on your server.
Your Ajax request can then include that authentication token from the current browser's cookie as a parameter of the ajax call and your server can then authenticate that the token belongs to a legitimate user.
If the user is not logged in, there will be no cookie and thus no token.
I have a PHP application which has some jQuery and Ajax features in it. I would like to know, how is it possible to regenerate the Session Token - which I'm sending to validate the Ajax request - upon each Ajax request (without loading the page)?
I have more elements on the page which are running multiple Ajax queries, however at this moment they all get the same token. So if someone has the tokey, they can submit a forged request from another form I guess.
Generating token on client side makes no sense. You can't trust anything coming from client side, as you don't know if it's your client software which sends the request, or a malicious one.
You must create as many tokens as you have ajax possible requests, and return a new token with each response.
You should generate a CSRF token on server side for each user or each session. You can store it in your database, or in your session. You should send that token to your client, and wait it back with the ajax requests. It will work until your site is not XSS vulnerable...
Btw the first step to secure your application is using the HTTPS protocol...
I have some questions about XMLHttpRequest using $.Post $.Ajax:
1- How the server side verifies if the request was sent from same browser?
2- How the server side verifies if session user who sent the request has been changed on same browser? (ex: user logout and another user login on same browser)
3- Do I need any special settings or PHP code at server side for #1 and #2?
Also please give me a link to good documentation about any security issues related to XMLHttpRequest.
Thanks
Browsers and servers use cookies to check whether request was sent from same browser. Every request will have cookies attached.
The basic idea about the sessions is simple. Whenever you send a request to the server, the session variable (if present) will be sent along with the request to your server.
Again, if you modify anything in session or clear the session, the response will contain the modified session. Since both request and response contain sessions, they can operate independently.
By using $_SESSION in PHP, you will be able to retrieve sessions in server. Just use $_SESSION['userid'] == to check whether it's the same user.
I understand you are a PHP person but take a look at node.js request and response objects for a better clarity about sessions.
Also you can encrypt session variables in server for security. Code Igniter session library is an excellent example for this.
It doesn't
By whatever mechanism it uses to track who is logged in for any other kind of request (presumably the data your server side application stores in the session will change)
No