I am using npm request module to send multiple requests in a session. One of these requests uses the sites mobile domain, m.example.com, rather than www.example.com
At the start of the code, I set cookie jar variable
this.cookieJar = request.jar()
No problem. I make a series of requests on www.example.com and they work fine.
Each request has
jar: this.cookieJar in the options.
But when I make a request to the mobile domain, m.example.com, all of the cookies from www.example.com disappear. I've tried setting the jar idx to mobile endpoint and that's not working either, i.e.
this.cookieJar._jar.store.idx['m.example.com'] = this.cookieJar._jar.store.idx['www.example.com'];
When I run the requests through Charles, all of the cookies are passed as they should up to the mobile request, where they disappear. When I try to make a request to httpbin.org/get, they don't show up. When I log to console before making the request, they show they are still in the jar.
Why is switching to the mobile endpoint not passing the cookies? What's a solution? Again I'm using npm request module + storing the cookies in a variable cookieJar.
Related
Let's say I have a C# app that sends HTTPS requests to a webserver.
https://www.webserver.com/checkid=anything
And the web server checks the Id of the request and returns a string response such as Not Active back to the app.
This response will lock some features inside the app.
Is there any way I can redirect that request to another server that I controll and send fake responses such as Active back to my client app through node js proxy or something?
Note: I dont have access to the app source.
OK i found another better solution, I just used Fiddler Everywhere to change the server response to a custom one.
My URL is not working while fetching the data from Server. What I have done is as follows:
Created the Node JS application using Bcrypt and JWT tokens in IIS server.
I am using the access token in URL to get the data from server after validating the User.
While using the accesstoken it is displaying the data correctly with http request but not with https request.
Suppose, we have a URL whose data is http://example.com/Users/Accesstoken(length:350).
So this url will work but if we are replacing the http with https then it is showing the error
Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
What I have tried are as follows:
I have tried using the maxURLlength in IIS to get the data, But it has not worked.
I have tried maxquerystring in IIS, this also not worked.
I have tried the port which I have used in nodejs application, this does work in http but not in https.
Now on increasing the limit of Maximum URL length under Feature Settings inside the IIS configuration request filtering settings also it is showing the ssl not secured.
Please help me out in knowing how this can be solved as I need the node js application for calling api and then I need those api's to be used in different applications like asp.net, reactjs, android, ios, etc.
I have found the answer to my own question. It is the issue of SSL not linked with my nodejs application. So in this situation, I have used the SSL configuration while creating the HTTPS server and it has solved my issue. This is the link to the answer https://www.youtube.com/watch?v=USrMdBF0zcg
Introduction
I have a problem with sending cross domain session cookie and after searching I got even more confused.
Originally I had a client (Next app) on foo.vercel.com and the api (Express) on bar.heroku.com.
Sending and saving cookies was working correctly on localhost, but after deployment I got a problem with the sameSite set to lex by default. So I changed it to none. But I found that the sameSite none requires secure flag on the cookie set, so I also changed that.
The problem
After setting secure to true the cookie is no longer being sent.
If secure is set, and you access your site over HTTP, the cookie will not be set.
Both my server and client are hosted on HTTPS. I checked the logs on the heroku and the request protocol is HTTPS... however when I console.log a request.protocol from a GraphQL resolver the protocol is HTTP:
After seeing this
There's no such thing as cross domain cookies. You could share a cookie between foo.example.com and bar.example.com but never between example.com and example2.com
I moved the client to baz.heroku.com but the problem remains.
In order to check if everything still works I disabled the Cookies without SameSite must be secure in chrome://flags and it works correctly.
Questions
Is it even possible to set cookie cross domain?
Why does the POST method have different protocol than request I get in express server.
(I get the request from express and pass it through context to GraphQL resolvers)
And of course how can I send cookie to the client on different domain.
I would appreciate any help.
The problem was Heroku's proxy. I had to add the following to the express server:
app.set("trust proxy", 1);
I have a project, It's a web application that requires Windows Authentication.
I've setup an Active Directory at home using my NAS virtualization. Then I've created a VMWare Server for IIS which is a member of that domain on my desktop which I also use for development. I've created the Web API and installed it into that VMWare server. When I call a routine directly, it works and return results but when I use the Web API routine from my javascript web application I keep on getting 401 error. I then put the code on the IIS server and the web application works.
I've seen a lot of solutions like changing the sequence of the Provider in IIS Authentication. Added Everyone read/write permission on the folders. I've also added entry on the web.config. But none of them work.
*****Update as per request on the comment *****
Below is when I run directly from Web API
Calling the Web API from Javascript
Here's the error I'm getting
Just FYI, I tried running the web api from Visual Studio on the same machine but also with 401 error
Is there anything I could add to AD to make my development machine as trusted?
********************A new issue after the code change **********
****************Another Update******
This is definitely weird, so I installed Fiddler 4 to see what's going on. But still no luck.
Then I made changes on the IIS HTTP Response Header
The weird thing is when I run Fiddler the error is gone but when I close it it comes back.
There are two things going on here:
A 401 response is a normal first step to Windows Authentication. The client is then expected to resend the request with credentials. AJAX requests don't do this automatically unless you tell it to.
To tell it to send credentials in a cross-domain request (more on that later), you need to set the withCredentials option when you make the request in JavaScript.
With jQuery, that looks like this:
$.ajax({
url: url,
xhrFields: {
withCredentials: true
}
}).then(callback);
These problems pop up when the URL in the address bar of the browser is different than the URL of the API you are trying to connect to in the JavaScript. Browsers are very picky about when this is allowed. These are called "cross-domain requests", or "Cross-Origin Resource Sharing" (CORS).
It looks at the protocol, domain name and port. So if the website is http://localhost:8000, and it's making an AJAX request to http://localhost:8001, that is still considered a cross-domain request.
When a cross-domain AJAX request is made, the browser first sends an OPTIONS request to the URL, which contains the URL of the website that's making the request (e.g. http://localhost:8000). The API is expected to return a response with an Access-Control-Allow-Origin header that says whether the website making the request is allowed to.
If you are not planning on sending credentials, then the Access-Control-Allow-Origin header can be *, meaning that the API allows anyone to call it.
However, if you need to send credentials, like you do, you cannot use *. The Access-Control-Allow-Origin header must specifically contain the domain (and port) of your webpage, and the Access-Control-Allow-Credentials must be set to true. For example:
Access-Control-Allow-Origin: http://localhost:8000
Access-Control-Allow-Credentials: true
It's a bit of a pain in the butt, yes. But it's necessary for security.
You can read more about CORS here: Cross-Origin Resource Sharing (CORS)
I have deployed my angular application on a server using apache2 . This application communicates with a node application which is deployed on the same server which again communicate to a java application deployed to the same server. All the applications are running on different ports .
Now If I make a "http request like http::/path" I am able to get the response.
Now I have purchased a ssl certificate for my domain. From this i am able to access the front end but the api calls are failing.
I am making calls like "https:domainname.com:port/path" which doesnt work but If i do it like "http:ipaddr:port/path it works" from a rested client but on UI it throws error saying "he page at 'https://domain.in/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint http:ip:port" This request has been blocked; the content must be served over HTTPS.
not able to resolve this . Please suggest a solution.
you need to add proper CORS Header.
Take an look at https://developer.mozilla.org/de/docs/Web/HTTP/CORS
The error
"he page at 'https://domain.in/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint http:ip:port" This request has been blocked; the content must be served over HTTPS
is just a result of being on an https site and trying to make an XHR to a non-https site. So this error should disappear once you correctly set up https for all of your servers and configure your site to use the https://... url when making xhr.