I have a Koa API which is setting a cookie accessToken which is used by a react front end, running on a different domain.
Because the cookie is set by the API on a different domain, it is considered a third party cookie by the browser which causes issues. Particularly in Safari where it doesn't get saved in the browser by default.
Is there a way I can tell the server to set a cookie with the domain name of the front end so that the front end thinks it's a first party cookie?
I am setting my cookie like so:
ctx.cookies.set("accessToken", accessToken, {
  httpOnly: true,
  domain: "example.com"
})
If example.com is the front end's domain, should the cookie be interpreted as a first-party cookie?
Is this even possible to set a cookie for a different domain?
Thanks
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to "public suffixes". For example, some user agents will reject Domain attributes of "com" or "co.uk". (See Section 5.3 for more information.)
But the above-mentioned workaround with image/iframe works, though it's not recommended due to its insecurity.
See RFC 6265.
Related
I am able to access cookies created locally by using req.cookies or grabbing something specific (req.cookies['myvar']).
However, say a cookie was stored on a top-level domain (domain.com) and then in my subdomain app (my.domain.com) -- how would I grab a cookie value from a certain domain?
The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.
Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.
For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
If an application issues an authenticated user a session and gives them a cookie that should only be valid for a certain subdomain (say, because there are other customers located on other subdomains but all the subdomains resolve to the same running application) then should the server verify this cookie's intended subdomain against the host header before setting the session at the beginning of a request?
e.g.
User successfully authenticates to client.example.com
Server creates a new session for them and adds a property to the session about the originating domain
{user: "fred#gmail.com", domain: "client.example.com"}
Server sends a Set-Cookie header in the response with the session id
Set-Cookie: secure-session-id=1234-5678; Secure
The browser won't send that cookie if the user navigates to otherclient.example.com due to the implicit same-domain behavior of Set-Cookie
There's nothing stopping the user from constructing a curl command with that cookie but pointed at otherclient.example.com.
If the server doesn't validate that the host header of an incoming request matches the originating domain of the session for the provided session id in the cookie, then it's possible that a user with a valid account could masquerade as another customer (if the app bases any logic off of the subdomain instead of purely off of information gathered from the authentication). Prior to setting the user's session and continuing with the request I would expect the server to take the session id submitted, look up the session, see if the request host header matches the "originating domain" that was put on the stored session and if not then either return a 401 or redirect the user to the appropriate subdomain.
This seems like a generic enough scenario that I'd expect most server authentication frameworks to do this out of the box unless you turn it off (ultimately it boils down to enforcing on the server side the same behavior that browsers are relied upon to do by default: not sending session cookies for one subdomain to another subdomain). Are you aware of any that do this? Is there a better way of preventing this scenario? Am I misunderstanding anything?
Are you aware of any that do this?
ASP.NET has a different Application Domain per IIS application. Therefore, a session cookie from one application won't be valid on another. The only exception is if you've written a multi-tenant application that resides in the same Application Domain and you're not doing any validation on the received session cookie to ensure that the host matches the one where it was set.
PHP on the other hand will store all sessions in the session.save_path (e.g. /var/lib/php/session) and therefore a session cookie from one application would set session variables if used for another, which, as you've rightly pointed out is a security concern.
This can be remedied by overriding the session.save_path local value for each application or access host for the application.
Is there a better way of preventing this scenario?
As an additional security measure you could set the host when starting a session.
Session["host"] = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];
Then validate this before any session values are used in the request. i.e. what you said in your question:
I would expect the server to take the session id submitted, look up the session, see if the request host header matches the "originating domain" that was put on the stored session and if not then either return a 401 or redirect the user to the appropriate subdomain.
If these measures aren't being done then it would be an interesting attack vector in substituting a set of session variables from one application into another that reside on the same server. Of course, if the applications are the same (e.g. multi tenanted scenario) then there would be exploits such as leveraging admin access on one host to gain admin access on another. If not, then there still may be attack paths there depending on which variables are set and how they are used.
I am using the express-session module to maintain sessions. I have two apps and I want to share cookies between them: the parent app runs on example.com and the child app runs on child.example.com. I set an httpOnly cookie using express-session and it is set in the child app; I can verify that cookie in the Resources tab in the Chrome debugger.
Network tab:
When the first call to sub-domain:
It loads "http://www.child.example.com" with the cookie set in the request. When the URL is redirected to the server IP, the cookie is not available after that,
e.g. on http://13.25.230.2/index the cookie is not available.
When you send the Set-Cookie HTTP header, you can specify the domain it is for.
Set-Cookie: name=value; domain=example.com
The domain must be a suffix of the domain hosting the page.
i.e. foo.example.com, bar.baz.example.com and www.example.com can all share a cookie belonging to example.com.
A URL using an IP address has no hostname in it at all and cannot match that rule.
There is no way to share your cookie between example.com and 13.25.230.2. Give the site a hostname instead.
There is no way you can set a cookie using the Set-Cookie header from one host to another, for example from example.com to foobar.com.
If you have to do it, then do it by passing the cookie value to a server-side script, for example foobar.com/set-my-cookie.php, and use it to save the cookie.
Httponly cookies cannot be set or read from client side code.
Should I set a domain on cookies and if so why?
The cookie is used for a shopping basket, the platform is .NET
No, you don't need to. If the cookie header field does not have a domain attribute, the effective domain is the domain of the request.
You will want to set the domain in specific scenarios: if you want to make your www.website.com cookie available at api.website.com you will need to set the domain to .website.com.
Also, there is no way to make the www.website.com cookie available at a different domain by setting its domain (security issue).
Is it possible to set an auth cookie that would be valid on:
sub1.domain.com
sub2.domain.com
Or will each subdomain always require its own cookie?
You can use cookies across sub domains if you specify the cookie to be attached to the domain:
.domain.com
Note the dot in front.
See here for reference:
http://www.jotlab.com/2008/04/08/howto-get-cookies-across-subdomains-php/
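The domain-matching rule that runs through these answers (the RFC 6265 quote in the first answer, the "must be a suffix of the host / no IP address" answer for example.com vs 13.25.230.2, the www.website.com vs api.website.com answer, and the leading-dot .domain.com form here), written out as an added example that is not code from any of the posts. It models what a user agent does: whether a Set-Cookie with a given Domain attribute is stored at all when it arrives from a given request host, and whether a stored cookie is later sent to a given target host. The public-suffix list is assumed to contain only "com" and "co.uk" for illustration; a real browser uses the full list.

```javascript
// Added example: RFC 6265 domain matching (section 5.1.3) and Domain-attribute
// handling (section 5.2.3), as applied in the answers above. Not browser code.
// Assumption: a toy public-suffix list standing in for the real one.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// IPv4 dotted quad or anything containing ":" (IPv6) counts as an IP address.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 5.1.3: hostname domain-matches domain if they are equal, or if
// hostname ends with "." + domain and hostname is not an IP address.
// So foo.example.com and bar.baz.example.com match example.com; 13.25.230.2 never does.
function domainMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || (h.endsWith("." + d) && !isIpAddress(h));
}

// RFC 6265 5.2.3: a leading dot in the Domain attribute is ignored, so
// ".domain.com" and "domain.com" mean the same scope.
function normalizeDomainAttr(attr) {
  const d = attr.toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// Would a user agent store a cookie with this Domain attribute, sent in a
// response from requestHost? Returns the stored cookie scope, or null if the
// cookie is rejected (public suffix, or the server is outside the scope).
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, subdomains excluded.
    return { domain: host, hostOnly: true };
  }
  const d = normalizeDomainAttr(domainAttr);
  if (PUBLIC_SUFFIXES.has(d)) return null;   // e.g. Domain=com is refused
  if (!domainMatches(host, d)) return null;  // Domain=bar.example.com from foo.example.com
  return { domain: d, hostOnly: false };
}

// Would a stored cookie be sent with a request to targetHost?
function cookieSentTo(cookie, targetHost) {
  const t = targetHost.toLowerCase();
  return cookie.hostOnly ? t === cookie.domain : domainMatches(t, cookie.domain);
}
```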