Is it possible to get a session from a server and pass that session cookie to another ip so that one can use it to communicate with the server that issued that session?
session server -> my backend server 1: getting session cookie
my backend server 1 -> my backend server 2: passing session cookie
session server <-> my backend server 2: communicating directly with session server without the middle man.
I'm using CouchDB and Node.js/Javascript.
I tried to send the set-cookie header received from session server (couchdb) to backend server 2 and it did set the session cookie in the browser. But when making requests to couchdb it didn't send that cookie along. I think it's because of it has to be the same ip that it got the session from, in this case, the server 1.
How do I make it work?
Cookies are based on domains, so the browser will only send the cookie back to the domain it was set on.
You get the client to send a request to the second server with data allowing the server to create a new cookie. Not sure what kind of security you need.
Related
I am working with an MVC server with IIS express on port x.
I run my client code using express server on port y, and send my requests for data to the server on localhost:x
The issue here is that the SessionId cookie is not sent back to the server on every request due to CORS.
I read that the cookie will not be sent to a different domain in case the cookie is not set to SameSite->none but in order to set it to None you also need to set it as Secure as i read from here https://web.dev/samesite-cookies-explained/
Is there an alternative in case I want to work with HTTP and i want the client to send the cookies to the server
Well there are 2 possible solutions for this matter:
You can set the cookie as secure + SameSite->None to make the browser automatically send the cookies for every request
You can tell the browser to send the cookies yourself on each request via:
Ajax
Fetch API
The story is, I have 2 potocol in my sails.js server, this sails server is only for API access, and some API are MUST logged-in to access, the websocket is also running on this server.
In the sails when I login then put the user data in req.session.me, this will save the user data in session, next time I through http to access then I can get save data from req.session.me.
Reference: http://sailsjs.com/documentation/concepts/sessions
The question is saving data in user session req.session.me through http to access the server then cannot get back req.session.me through websocket to access the server.
Many Thanks!
I create a simple login/password html5 application. Login/password I send via websocket to server to control and set in server side some permissions etc.
How can I connect to this socket in next pages and server can sending correct data which permissions available etc.
Or this login password have I sending always when I connect to socket in every page?
You can store token/session id in cookie.
On following navigation pages you can send that token to websocket to authenticate. Upon successful authentication you can response.
P.S. you need to create new websocket on every page load.
You can use regular web authentication using cookies.
WebSocket HTTP negotiation will carry cookies over. So you can return a cookie when the user connects with an generated UID if there is no any in the request, and then when the user authenticates, consider that UID as authenticated and associated with a User. Each time you get a connection with that UID you know it is that User.
I'm using JQuery.post in order to login into an API, the POST request works but the cookie that is being sent back from the server isn't being set on my computer.
Does anyone knows a way to set the cookie that was retrieved from the server?
With javascript you can set a cookie this way:
document.cookie="name=value";
So you can parse the response from the server and set the cookie.
I'm building a web/mobile app using Node.js(Express) server on the backend and Angular.js for the frontend. I'm using passport for sessions and I have some problems with a client side authorization validations.
On user login the server responses with a json cookie containing some session information like username and role. I want to make angular.js route authorization to limit the user access based on hit role. On every redirection I first check the cookie. If the cookie is there and the user's role matches the path's access requirement everything is ok and the redirection is done. If some request from the client side to the server side fails with a Not authorized response the session cookie is deleted and so on...
What is the problem... There are a lot of session validations on the server side but checking the cookie on the client side isn't very secure. Every one can see the cookie format (it's a simple json) and change it. For example everyone can change the role property of the cookie to 'admin' and only with cookie validation the client side will give access for example to the admin's panel view. Access only to the view! A further requests to the backend with this cookie will fail but it's not good to give them access to the views...
The server uses the SSL protocol but this encrypts only the communication, the stored cookie on the client side isn't encrypted.
I was thinking the sent cookie to be encrypted and the client side to decrypt it for authorization validation. But the user can open the clients js files and find out the decrypting key if it's stored in a plane text. If the server sends the key to the client side and the client side stores it in a variable the key will be not visible to the user but it will be lost on a page refresh. It will be not very smart to keep it in cookie :D
Of course the client side can send authorization request to the server for every authorization validation but this can be a lot of request.
Can you propose my some solutions?
Thank you very much and have a nice day :)