Is there a way of setting a request cookie HttpOnly? If not, why can't we set it? I've set the response cookies to HttpOnly using weblogic.xml on WebLogic Server.
Not possible.
Cookies are set in an HTTP response and are read from an HTTP request. You can only set flags when cookies are created, so with HTTP they can only be set in the response; it would not make sense to set HttpOnly on a request cookie.
I have been working on a uni project and I'm getting really stuck on why the cross-site authentication cookie from our backend isn't set when I do a CORS request to it from our backend.
Our setup is as follows:
A frontend on https://frontend-domain.com sends a CORS request to https://backend-domain.com with credentials in the post body, expecting a Set-Cookie: auth-token header in the response, if credentials are correct.
The fetch to the backend has credentials: 'include' set.
The backend response includes Access-Control-Allow-Credentials: true and explicitly states Access-Control-Allow-Origin: https://frontend-domain.com. The Allowed Methods header is also correct.
The token cookie in the Set-Cookie header has the attributes SameSite=None and Secure; its Domain attribute is Domain=backend-domain.com.
As far as I could find on the Mozilla docs or here on Stack Overflow, these are all the requirements for cross-site cookies to work. I expected the Set-Cookie header would make the browser set the cookie, which would then be sent along with all further requests to https://backend-domain.com, given credentials: 'include' is set.
However, the cookie is never set.
Can anyone help me? I am absolutely clueless by now.
Thank you very much for reading and helping!
Edit
I am using Firefox right now.
Here is a screenshot of the request:
And here is the response:
All of the Set-Cookie headers you can see in the response don't result in an actual cookie.
The SameSite attribute of a cookie controls whether this cookie is included in:
- subrequests (such as the ones made by an <img> or <iframe> element or a JavaScript fetch command) to a different origin
- top-level navigation requests (which load a new page into the current or a new browser tab).
Details are given here. Note especially the subtly different treatment of navigation with GET and POST ("Lax-Allowing-Unsafe").
Cookies in subrequests (but not top-level navigation requests) may be additionally restricted based on browser settings if they are third-party cookies, that is, if the top-level domains of their origin and the sending web page differ. In other words: Cookies from backend-domain.com count as third-party cookies when a request is made by an HTML page from frontend-domain.com, and this is what caused the issue in your case.
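The rules the answer above describes, as an added example that is not part of the answer (JavaScript, runnable with Node): it parses a Set-Cookie value and decides whether a browser would store the cookie and whether it would attach it to a request, using the asker's own hosts. Assumptions are labelled in the comments: site() uses a two-label rule instead of the Public Suffix List, blockThirdParty stands in for browser settings such as Firefox's Enhanced Tracking Protection, and the Lax-allowing-unsafe two-minute window is modelled the way Chrome implements it.

```javascript
'use strict';
// Added example (not code from the answer above): a small model of the rules it
// describes. frontend-domain.com and backend-domain.com are the asker's hosts;
// blockThirdParty stands in for browser settings such as Firefox's Enhanced
// Tracking Protection; site() assumes single-label public suffixes (.com).

// Parse one Set-Cookie value into { name, value, attrs }. Attribute names are
// lower-cased; flag attributes without a value (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// "Site" = registrable domain. Real browsers use the Public Suffix List; the
// two-label rule here is enough for the example hosts (assumption).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Domain attribute match (RFC 6265): the host itself or a subdomain of it.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Whether the browser stores the cookie at all. ctx (optional) is the request
// the response belongs to, with the same fields as wouldSend().
function wouldStore(cookie, responseScheme, ctx) {
  const sameSite = String(cookie.attrs.samesite || 'lax').toLowerCase();
  if (sameSite === 'none' && !cookie.attrs.secure) return false;   // rejected by current browsers
  if (cookie.attrs.secure && responseScheme !== 'https') return false;
  // A response to a cross-site subrequest is a third-party response; a browser
  // that blocks third-party cookies ignores its Set-Cookie (the asker's symptom).
  if (ctx && !ctx.topLevel && ctx.blockThirdParty &&
      site(ctx.requestHost) !== site(ctx.pageHost)) return false;
  return true;
}

// Whether a stored cookie is attached to a request. ctx fields:
//   requestHost, requestScheme  where the request goes
//   pageHost                    the page (top-level document) making the request
//   topLevel                    true for navigations, false for fetch/img/iframe subrequests
//   method                      HTTP method
//   blockThirdParty             browser setting blocking cross-site cookies in subrequests
//   ageSeconds (optional)       cookie age, for Chrome's "Lax-allowing-unsafe" window
function wouldSend(cookie, ctx) {
  if (cookie.attrs.secure && ctx.requestScheme !== 'https') return false;
  if (cookie.attrs.domain && !domainMatches(ctx.requestHost, cookie.attrs.domain)) return false;
  if (site(ctx.requestHost) === site(ctx.pageHost)) return true;       // same-site: always sent

  const explicit = 'samesite' in cookie.attrs;
  const sameSite = explicit ? String(cookie.attrs.samesite).toLowerCase() : 'lax';
  const safeMethod = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(ctx.method.toUpperCase());

  if (sameSite === 'strict') return false;
  if (sameSite === 'lax') {
    if (!ctx.topLevel) return false;                                   // Lax never rides on subrequests
    if (safeMethod) return true;
    // Lax-allowing-unsafe, modelled as Chrome does it (assumption): a cookie that
    // only defaulted to Lax still goes on a cross-site top-level POST for 2 minutes.
    return !explicit && (ctx.ageSeconds ?? Infinity) < 120;
  }
  // SameSite=None: allowed cross-site, but in a subrequest it is a third-party
  // cookie, and privacy settings may block it whatever the attributes say.
  if (!ctx.topLevel && ctx.blockThirdParty) return false;
  return true;
}

// The asker's case: fetch() from a page on frontend-domain.com to backend-domain.com.
const authCookie = parseSetCookie(
  'auth-token=t0k3n; Domain=backend-domain.com; Path=/; SameSite=None; Secure');
const crossSiteFetch = {
  requestHost: 'backend-domain.com', requestScheme: 'https',
  pageHost: 'frontend-domain.com', topLevel: false, method: 'POST',
};
console.log(wouldStore(authCookie, 'https', { ...crossSiteFetch, blockThirdParty: false })); // true
console.log(wouldStore(authCookie, 'https', { ...crossSiteFetch, blockThirdParty: true }));  // false
console.log(wouldSend(authCookie, { ...crossSiteFetch, blockThirdParty: false }));           // true
console.log(wouldSend(authCookie, { ...crossSiteFetch, blockThirdParty: true }));            // false
```

The four lines at the end reproduce the asker's situation: the attributes pass every check, and the only input that flips the result is the third-party setting, which no Set-Cookie attribute can override.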
Here I created signed cookies (3 cookies) to access CloudFront, but I want to know how to send these cookies in the HTTPS request header to access the content in CloudFront from Node.js.
You can use curl to send cookies to your CloudFront distribution. Here is how to pass a cookie with your request:
curl -b 'session=session_id' -b 'another=cookie' https://yourdistribution.cloudfront.net
The full header that curl sets for this request looks like this: Cookie: session=session_id; another=cookie
Best, Stefan
Does the HttpOnly or Secure flag work on the HTTP request or on the HTTP response?
Most of the time I see it on response.
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Please check https://www.owasp.org/index.php/HttpOnly
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag).
And it mitigates the most common XSS attack using HttpOnly.
XSS like alert(document.cookie) can be executed if the HttpOnly or Secure flag is not available in the response header; you can set these headers from the web application server configuration. Once you set the headers, the user's browser will get them in the response and will deny any JavaScript access to the cookie data. So these headers belong to the response.
I'm trying to proxy a PHP API service, but I need to authenticate based on a session token.
Does node-http-proxy have options to forward the cookies to the target?
The issue is most likely that you're accessing the service via HTTP while the proxy is requesting HTTPS and the cookie is set to Secure, so your browser won't send it when making an HTTP call.
I remember having a problem like this once. In my case what happened was that though the original cookie was sent with the request, the response from the proxy did not have that cookie.
What I ended up doing was saving the cookie before making the proxy request and then adding it to the response coming back from the proxy. You can write to the response cookies by doing something like this:
var existing = res.getHeader('set-cookie') || [];              // public accessor; res._headers is private and may be absent
res.setHeader('set-cookie', [].concat(existing, testGroup));  // testGroup: the Set-Cookie value saved before proxying
My site is using HTTPS to transport data, and when I scanned it with AppScan it told me that Set-Cookie is not secure, but the cookie is secure.
So what is the difference between Set-Cookie and Cookie?
Your server controls the Set-Cookie header, so if a browser does not provide the Cookie header, the server can decide to send a Set-Cookie.
Then your browser decides to accept the cookie by sending back a Cookie header for the server to use. For example, if you have cookies disabled on the browser, it will not send back the Cookie header to the server.
The "Set-Cookie" header is sent from the web server, and the browser sends the cookie back to the server in an HTTP header called "Cookie".
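As an added example (not code from any of the answers on this page), here are the two directions in code, covering the HttpOnly/Secure answer above as well as the Set-Cookie versus Cookie answers: a check of the kind a scanner runs on a Set-Cookie header, the Cookie header the browser sends back (name=value only, with no flags, which is why the request cookie "looks secure" and why a request cookie cannot be HttpOnly), and what document.cookie would expose to script. The header values are constructed samples.

```javascript
'use strict';
// Added example (not from any answer on this page): response side (Set-Cookie,
// with attributes) versus request side (Cookie, name=value only). Sample
// header values below are constructed.

// Split one Set-Cookie value into its name=value pair and lower-cased attributes.
function attributesOf(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  return { pair, attrs: attrs.map(a => a.toLowerCase()) };
}

// The check a scanner performs on the response: the flags exist only here, so a
// missing Secure or HttpOnly is a finding against Set-Cookie, never against Cookie.
function auditSetCookie(setCookie) {
  const { attrs } = attributesOf(setCookie);
  const findings = [];
  if (!attrs.includes('secure')) findings.push('missing Secure');
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly');
  if (attrs.includes('samesite=none') && !attrs.includes('secure')) {
    findings.push('SameSite=None requires Secure');
  }
  return findings;
}

// What the browser sends back on the next request: pairs only, joined by "; ".
// No flag is ever echoed, so the request cannot carry HttpOnly or Secure and a
// "secure-looking" request cookie says nothing about how it was set.
function toCookieHeader(setCookies) {
  return setCookies.map(v => attributesOf(v).pair).join('; ');
}

// What alert(document.cookie) would show on the page: every cookie that was
// set without HttpOnly. Secure does not hide a cookie from script on an https page.
function visibleToScript(setCookies) {
  return setCookies
    .filter(v => !attributesOf(v).attrs.includes('httponly'))
    .map(v => attributesOf(v).pair);
}

// Constructed sample response headers, as a scanner would see them over https.
const responseSetCookies = [
  'JSESSIONID=8a1f9c2e; Path=/; Secure; HttpOnly',
  'theme=dark; Path=/',
];

for (const sc of responseSetCookies) {
  console.log(`Set-Cookie: ${sc}`, auditSetCookie(sc));
}
console.log('Cookie:', toCookieHeader(responseSetCookies));      // JSESSIONID=8a1f9c2e; theme=dark
console.log('document.cookie:', visibleToScript(responseSetCookies)); // [ 'theme=dark' ]
```

The session cookie passes the audit and is invisible to script; the theme cookie fails both checks and is exactly what a script injected through XSS could read. The Cookie line shows the two side by side with no way to tell which was which.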