Is there any way Varnish can be used on a Zope website that authenticates every request from the browser? The docs mention that if cookies are present, Varnish will not cache anything. But Zope won't render a response for any request without cookie authentication.
I have been working on a uni project and I'm getting really stuck on why the cross-site authentication cookie from our backend isn't set when I do a CORS request to it from our backend.
Our setup is as follows:
A frontend on https://frontend-domain.com sends a CORS request to https://backend-domain.com with credentials in the POST body, expecting a Set-Cookie: auth-token header in the response if the credentials are correct.
The fetch to the backend has credentials: 'include' set.
The backend response includes Access-Control-Allow-Credentials: true and explicitly states Access-Control-Allow-Origin: https://frontend-domain.com. The Allowed Methods header is also correct.
The token cookie in the Set-Cookie header has the attributes SameSite=None and Secure; its Domain attribute is Domain=backend-domain.com.
As far as I could find in the Mozilla docs or here on Stack Overflow, these are all the requirements for cross-site cookies to work. I expected the Set-Cookie header would make the browser set the cookie, which would then be sent along with all further requests to https://backend-domain.com, given that credentials: 'include' is set.
However, the cookie is never set.
Can anyone help me? I am absolutely clueless by now.
Thank you very much for reading and helping!
Edit
I am using Firefox right now.
Here is a screenshot of the request:
And here is the response:
All of the Set-Cookie headers you can see in the response don't result in an actual cookie.
The SameSite attribute of a cookie controls whether this cookie is included in
subrequests (such as the ones made by an <img> or <iframe> element or a JavaScript fetch call) to a different origin
top-level navigation requests (which load a new page into the current or a new browser tab).
Details are given here. Note especially the subtly different treatment of navigation with GET and POST ("Lax-Allowing-Unsafe").
Cookies in subrequests (but not top-level navigation requests) may be additionally restricted based on browser settings if they are third-party cookies, that is, if the top-level domains of their origin and the sending web page differ. In other words: Cookies from backend-domain.com count as third-party cookies when a request is made by an HTML page from frontend-domain.com, and this is what caused the issue in your case.
I noticed that when Prevent cross-site tracking is checked in Safari, I am unable to set the secure cookies. I described this issue in great detail in this question.
Then how do you set the secure cookies in Express with that setting enabled?
From MDN:
Values
The SameSite attribute accepts three values:
Lax
Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third-party websites. This is the default value in modern browsers.
Strict
Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
None
Cookies will be sent in all contexts, i.e., sending cross-origin is allowed.
None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
None requires the Secure attribute in latest browser versions. See below for more information.
It says in this article that Apple is phasing out third-party cookies with Safari. I'm reading online that third-party cookies are generated by a different domain than the one the user is visiting, for cross-site tracking, retargeting, and ad-serving.
I am working on a project where the frontend is served on Netlify and the backend is on Heroku. Since the backend has a different domain than the frontend, are the cookies generated from the Node Express backend considered third-party cookies?
Does that mean that I should have both frontend and backend on the same server going forward following this security practice?
Netlify allows you to proxy requests to your backend on a different hostname.
https://docs.netlify.com/routing/redirects/rewrites-proxies/#proxy-to-another-service
I'm not sure if it will let you set the cookies that way, Netlify might strip all headers, you should try.
If for some reason that does not work for you, then you should either serve the frontend and backend from the same hostname or set the cookie with JS on the client side (which I don't recommend); also, you can't set an HttpOnly cookie from the JS side.
Does the HttpOnly or Secure flag header apply to the HTTP request or the HTTP response?
Most of the time I see it on response.
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Please check https://www.owasp.org/index.php/HttpOnly
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag).
And it mitigates the most common XSS attack using HttpOnly.
An XSS payload like alert(document.cookie) can be executed if the HttpOnly or Secure flag is not present in the response header; you can set these headers from the web application server configuration. Once you set the headers, the user's browser will receive them in the response and will deny any JavaScript access to the cookie data. So these headers are on the response.
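The attributes the MDN excerpt and the HttpOnly answer above describe can be checked mechanically against a server's Set-Cookie headers. The following is an added example, not code from any of the posts; the cookie names and domains in SAMPLE_HEADERS are constructed.

```javascript
// Split a Set-Cookie header value into its name/value pair and a map of
// attributes keyed by lower-cased attribute name (bare flags map to true).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Report the findings a reviewer would raise for one Set-Cookie header:
// missing Secure / HttpOnly, no SameSite (browsers default to Lax), and the
// SameSite=None-without-Secure combination that browsers reject outright.
function auditSetCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  const findings = [];
  if (!a.secure) findings.push('missing Secure: cookie may be sent over plaintext HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (sameSite === undefined) findings.push('no SameSite: modern browsers treat it as Lax');
  if (sameSite === 'none' && !a.secure) findings.push('SameSite=None without Secure: browsers reject the cookie');
  return { name, findings };
}

// Constructed sample headers (hypothetical cookies): the first is what a
// cross-site login cookie should look like, the other two are deficient.
const SAMPLE_HEADERS = [
  'auth-token=abc123; Path=/; Domain=backend-domain.com; SameSite=None; Secure; HttpOnly',
  'session=xyz; Path=/; SameSite=None',
  'pref=dark; Path=/',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}
```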
I am using the npm request module to send multiple requests in a session. One of these requests uses the site's mobile domain, m.example.com, rather than www.example.com.
At the start of the code, I set a cookie jar variable
this.cookieJar = request.jar()
No problem. I make a series of requests on www.example.com and they work fine.
Each request has
jar: this.cookieJar in the options.
But when I make a request to the mobile domain, m.example.com, all of the cookies from www.example.com disappear. I've tried setting the jar idx to the mobile endpoint and that's not working either, i.e.:
this.cookieJar._jar.store.idx['m.example.com'] = this.cookieJar._jar.store.idx['www.example.com'];
When I run the requests through Charles, all of the cookies are passed as they should up to the mobile request, where they disappear. When I try to make a request to httpbin.org/get, they don't show up. When I log to console before making the request, they show they are still in the jar.
Why is switching to the mobile endpoint not passing the cookies? What's a solution? Again, I'm using the npm request module and storing the cookies in a variable cookieJar.
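One explanation consistent with everything the question reports (the jar still holding the cookies, yet none of them appearing at m.example.com or httpbin.org) is cookie domain scoping under RFC 6265: a cookie set without a Domain attribute is host-only and is returned only to the exact host that set it, so cookies stored for www.example.com never apply to m.example.com unless the server set Domain=example.com. The block below is an added example, not code from the question or from the request module; it implements the domain-match rule over a minimal constructed jar with hypothetical hosts.

```javascript
// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when they
// are equal, or when the host ends with "." + domain and the host is not an IP.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// A cookie set without a Domain attribute is "host-only": returned only to the
// exact host that set it. With Domain=example.com it also covers subdomains.
function cookieAppliesTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(host, cookie.domain);
}

// Minimal jar: store() records a cookie the way a browser (or tough-cookie, which
// the request module uses) would; cookiesFor() builds the Cookie header for a host.
function makeJar() {
  const cookies = [];
  return {
    store(name, value, setByHost, domainAttr) {
      cookies.push(domainAttr
        ? { name, value, domain: domainAttr.replace(/^\./, ''), hostOnly: false }
        : { name, value, domain: setByHost, hostOnly: true });
    },
    cookiesFor(host) {
      return cookies
        .filter((c) => cookieAppliesTo(c, host))
        .map((c) => `${c.name}=${c.value}`)
        .join('; ');
    },
  };
}

// Constructed scenario mirroring the question: two cookies set by www.example.com,
// one host-only and one with Domain=example.com (hosts are hypothetical).
function demo() {
  const jar = makeJar();
  jar.store('sid', 'abc', 'www.example.com');                 // no Domain attribute
  jar.store('lang', 'en', 'www.example.com', '.example.com'); // Domain=example.com
  return {
    www: jar.cookiesFor('www.example.com'),  // both cookies
    mobile: jar.cookiesFor('m.example.com'), // only the Domain-scoped one
    other: jar.cookiesFor('httpbin.org'),    // nothing, as the question observed
  };
}
```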
I'm trying to proxy a PHP API service, but I need to authenticate based on a session token.
Does node-http-proxy have options to forward the cookies to the target?
The issue is most likely that you're accessing the service via HTTP when the proxy is requesting HTTPS and the cookie is set to Secure, so your browser won't send it when making an HTTP call.
I remember having a problem like this once. In my case what happened was that though the original cookie was sent with the request, the response from the proxy did not have that cookie.
What I ended up doing was saving the cookie before making the proxy request and then adding it to the response coming back from the proxy. You can write to the response cookies doing something like this:
// Read the current Set-Cookie header through the public API (res._headers is private and may be absent)
var setCookie = [].concat(res.getHeader('set-cookie') || [], testGroup);
res.setHeader('set-cookie', setCookie);