I am using express-session module for maintain session. i have two app. i want to share cookies with this apps, parent app run in example.com , and child app run in child.example.com. i set httponly cookie using express-session it sets in the child app.i can verified that cookie in resource tab in chrome debugger.
Network tab:
When the first call to sub-domain:
it load like "http://www.child.example.com" cookie set in the request. while the url is redirect to server IP . cookie not available after that.
like http://13.25.230.2/index cookie not avaliable on that
When you send the Set-Cookie HTTP header, you can specify the domain it is for.
Set-Cookie: name=value; domain=example.com
The domain must be a suffix of the domain hosting the page.
i.e. foo.example.com, bar.baz.example.com and www.example.com can all share a cookie belonging to example.com.
A URL using an IP address has no hostname in it at all and cannot match that rule.
There is no way to share your cookie between example.com and 13.25.230.2. Give the site a hostname instead.
There is no way you can set cookie using setcookie header from one host to another. For example from example.com to foobar.com.
If you have to do it. Then do it by passing the cookie value to server side script for example foobar.com\set-my-cookie.php and use to to save the cookie.
Httponly cookies cannot be set or read from client side code.
Related
I am able to access cookies created locally by using req.cookies or grabbing something specific (req.cookies['myvar']).
Hoever, say a cookie was stored on a top-level domain (domain.com) and then in my subdomain app (my.domain.com) -- how would I grab a cookie value from a certain domain?
The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.
Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.
For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
I have a Koa API which is setting a cookie accessToken which is used by a react front end, running on a different domain.
Because the cookie is set by the API on a different domain, it is considered a third party cookie by the browser which causes issues. Particularly in Safari where it doesn't get saved in the browser by default.
Is there a way I can tell the server to set a cookie with the domain name of the front end so that the front end thinks it's a first party cookie?
I am setting my cookie like so:
ctx.cookies.set("accessToken", accessToken, {
httpOnly: true,
domain: "example.com"
})
If example.com is the front ends domain, should the cookie be interpreted as a first party cookie?
Is this even possible to set a cookie for a different domain?
Thanks
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
NOTE: For security reasons, many user agents are configured to reject Domain attributes that correspond to "public suffixes". For example, some user agents will reject Domain attributes of "com" or "co.uk". (See Section 5.3 for more information.)
But the above mentioned workaround with image/iframe works, though it's not recommended due to its insecurity.
See RFC6265
If an application issues an authenticated user a session and gives them a cookie that should only be valid for a certain subdomain (say, because there are other customers located on other subdomains but all the subdomains resolve to the same running application) then should the server verify this cookie's intended subdomain against the host header before setting the session at the beginning of a request?
e.g.
User successfully authenticates to client.example.com
Server creates a new session for them and adds a property to the session about the originating domain
{user: "fred#gmail.com", domain: "client.example.com"}
Server sends a Set-Cookie header in the response with the session id
Set-Cookie: secure-session-id=1234-5678; Secure
The browser won't send that cookie if the user navigates to otherclient.example.com due to the implicit same-domain behavior of Set-Cookie
There's nothing stopping the user from constructing a curl command with that cookie but pointed at otherclient.example.com.
If the server doesn't validate that the host header of an incoming request matches the originating domain of the session for the provided session id in the cookie, then it's possible that a user with a valid account could masquerade as another customer (if the app bases any logic off of the subdomain instead of purely off of information gathered from the authentication). Prior to setting the user's session and continuing with the request I would expect the server to take the session id submitted, look up the session, see if the request host header matches the "originating domain" that was put on the stored session and if not then either return a 401 or redirect the user to the appropriate subdomain.
This seems like a generic enough scenario that I'd expect most server authentication frameworks to do this out of box unless you turn it off (ultimately it boils down to enforcing on the server side the same behavior that browsers are relied upon to do by default (not send session cookies for one subdomain to another subdomain). Are you aware of any that do this? Is there a better way of preventing this scenario? Am I misunderstanding anything?
Are you aware of any that do this?
ASP.NET has a different Application Domain per IIS application. Therefore, a session cookie from one application won't be valid on another. The only exception is if you've written a multi-tenant application that resides in the same Application Domain and you're not doing any validation on the received session cookie to ensure that the host matches the one where it was set.
PHP on the other hand will store all sessions in the session.save_path (e.g. /var/lib/php/session) and therefore a session cookie from one application would set session variables if used for another, which, as you've rightly pointed out is a security concern.
This can be remedied by overriding the session.save_path local value for each application or access host for the application.
Is there a better way of preventing this scenario?
As an additional security measure you could set the host when starting a session.
Session["host"] = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];
Then validate this before any session values are used in the request. i.e. what you said in your question:
I would expect the server to take the session id submitted, look up
the session, see if the request host header matches the "originating
domain" that was put on the stored session and if not then either
return a 401 or redirect the user to the appropriate subdomain.
If these measures aren't being done then it would be an interesting attack vector in substituting a set of session variables from one application into another that reside on the same server. Of course, if the applications are the same (e.g. multi tenanted scenario) then there would be exploits such as leveraging admin access on one host to gain admin access on another. If not, then there still may be attack paths there depending on which variables are set and how they are used.
I have server, running some number of sites.
For example: example.com a.example.com b.example.com
All sites are routed via nginx to unix domain-sockets.
Each of sites is gunicorn instance.
Can applications from subdomains read/write cookie data from example.com or from other subdomains?
If yes, how to disable it?
Sure, you can use separate cookies for the subdomain. The Cookie standards allow you to set a domain, which will be the only domain that browsers will send the cookie back to. You can set "a.example.com" as the domain, and browsers will only send cookies from that domain back to that domain.
From my reading of RFC 2965 for cookies, "a.example.com" cannot set a cookie for "b.example.com", only "example.com".
I think the bottom line is to be sure that you are are using the "domain" property of cookies to set cookies for the subdomain, and not just "example.com", which all subdomains could read and write to.
Is it possible to set an auth cookie that would be valid on:
sub1.domain.com
sub2.domain.com
Or will each subdomain always require it's own cookie?
You can use cookies across sub domains if you specify the cookie to be attached to the domain:
.domain.com
note the dot in front.
See here for reference:
http://www.jotlab.com/2008/04/08/howto-get-cookies-across-subdomains-php/