How we can add 'httpOnly' to cookies using javaScript - cookies

This is my code:
const date = new Date(Date.now() + 86400000); // assumed one-day expiry; `date` was not defined in the snippet
const expires = '; expires=' + date.toUTCString();
// `expires` already begins with "; ", so no extra separator is needed; "httpOnly" is ignored by document.cookie
document.cookie = `${item}=${value}${expires}; path=/; Secure; httpOnly`;
I want httpOnly to be checked in the developer tools.
httpOnly should be checked.

Django Cookie Prefix to pass securityheaders.com

securityheaders.com fails my configurations with the following error:
Set-Cookie There is no Cookie Prefix on this cookie.
And this is the value of the cookie:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
I have tried to add the cookie prefix in settings.py:
CSRF_COOKIE_NAME = '__Secure-csrftoken'
But it seems to be a different parameter. I have searched the documentation and that is all I could find, and it seems not to be applicable.
securityheaders.com on cookie prefixes states that it needs to start with __Secure- or __Host-
You used the wrong setting: this is not CSRF_COOKIE_NAME [Django-doc], but SESSION_COOKIE_NAME [Django-doc]:
Default: 'sessionid'
The name of the cookie to use for sessions. This can be whatever you want (as long as it’s different from the other cookie names in your application).
Note that the name of the cookie it complains about is sessionid:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
So you need to specify this as:
SESSION_COOKIE_NAME = '__Secure-sessionid'
CSRF_COOKIE_NAME = '__Secure-csrftoken'
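The prefix is not just a naming convention: a browser only accepts a `__Secure-` cookie when it carries the Secure attribute, and a `__Host-` cookie additionally needs Path=/ and must not set Domain, which is what makes the prefix a guarantee rather than a label. The following added check, not part of the question or the answer above, applies those rules to Set-Cookie header values so a deployment can be audited before a scanner does it; the sample headers are constructed from the cookie line in the question and the two names the answer suggests.

```javascript
// Added example (not from the question or answer): audit Set-Cookie values against the
// cookie-prefix rules (RFC 6265bis) that securityheaders.com checks for.
function checkCookiePrefix(setCookieValue) {
  const parts = setCookieValue.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0].trim();
  const attrs = parts.slice(1).map((a) => a.toLowerCase());
  const has = (attr) => attrs.includes(attr);
  const hasDomain = attrs.some((a) => a === 'domain' || a.startsWith('domain='));
  const problems = [];
  if (name.startsWith('__Host-')) {
    if (!has('secure')) problems.push('__Host- cookie is missing the Secure attribute');
    if (hasDomain) problems.push('__Host- cookie must not set a Domain attribute');
    if (!has('path=/')) problems.push('__Host- cookie must set Path=/');
  } else if (name.startsWith('__Secure-')) {
    if (!has('secure')) problems.push('__Secure- cookie is missing the Secure attribute');
  } else {
    problems.push(`no cookie prefix on "${name}" (expected __Secure- or __Host-)`);
  }
  return problems;
}

// Run the check over every Set-Cookie header of a response; returns only the failing ones.
function auditSetCookieHeaders(headers) {
  return headers
    .map((h) => ({ header: h, problems: checkCookiePrefix(h) }))
    .filter((r) => r.problems.length > 0);
}

// Constructed input: the session cookie from the question, then the renamed cookies.
const SAMPLE_HEADERS = [
  'sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure',
  '__Secure-sessionid=123456789123456789123456789; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure',
  '__Secure-csrftoken=abc; Max-Age=31449600; Path=/; SameSite=Lax; Secure',
];

// auditSetCookieHeaders(SAMPLE_HEADERS) reports only the unprefixed "sessionid" cookie.
```

Django's session and CSRF cookies both live at Path=/ without a Domain by default, so `__Host-` would be the stronger choice for both if the site never needs them on a subdomain; the check above flags a `__Host-` name the moment a Domain attribute or a narrower path is added later.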

Set cookie to show div only once per session

I have a div with a Welcome message that shows up before the index page and I want that div to appear only once per session.
How would I set a cookie to show a div only once?
I never used cookies before for something like this, normally I would use Local Storage but this website is visited frequently by older browsers and that's a problem.
You may take a look at the documentation of document.cookie, and more specifically example 3:
if (document.cookie.replace(/(?:(?:^|.*;\s*)someCookieName\s*\=\s*([^;]*).*$)|^.*$/, "$1") !== "true") {
  alert("Do something here!");
  document.cookie = "someCookieName=true; expires=Fri, 31 Dec 9999 23:59:59 GMT; path=/";
}
In this example the cookie is created with the expires flag, meaning that it will be persistent and survive browser restarts. If you want to perform the action only once per browser session, simply remove the expires flag when setting the cookie:
if (document.cookie.replace(/(?:(?:^|.*;\s*)someCookieName\s*\=\s*([^;]*).*$)|^.*$/, "$1") !== "true") {
  alert("Do something here!");
  document.cookie = "someCookieName=true; path=/";
}
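The regex in the answer works, but it is hard to audit and decodes nothing. As an added example that is not part of the answer, the same once-per-session logic written as two pure functions: a reader that walks the `name=value; name=value` format of document.cookie and URL-decodes the value, and a decision function that returns both whether to show the div and the exact cookie string to write. The cookie name `welcomeShown` and the element id `welcome` are assumptions; the functions take the cookie string as a parameter so they also run outside a browser.

```javascript
// Added example (not from the answer): once-per-session check without a regex.

// Return the decoded value of `name` from a document.cookie-style string, or null if absent.
// Splitting on ';' and taking the first '=' keeps values that themselves contain '='.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const key = eq === -1 ? trimmed : trimmed.slice(0, eq);
    if (key === name) {
      return eq === -1 ? '' : decodeURIComponent(trimmed.slice(eq + 1));
    }
  }
  return null;
}

// Decide whether to show the welcome div. Without Expires/Max-Age the cookie is a session
// cookie and disappears when the browser closes; persistent=true keeps it for a year.
function welcomeDecision(cookieString, { name = 'welcomeShown', persistent = false } = {}) {
  if (readCookie(cookieString, name) === 'true') {
    return { show: false, setCookie: null };
  }
  const attrs = ['path=/', 'SameSite=Lax'];
  if (persistent) attrs.unshift('max-age=' + 365 * 24 * 60 * 60);
  return { show: true, setCookie: `${name}=true; ${attrs.join('; ')}` };
}

// Browser usage; `document` does not exist in Node, hence the guard.
if (typeof document !== 'undefined') {
  const decision = welcomeDecision(document.cookie);
  if (decision.show) {
    document.getElementById('welcome').style.display = 'block';
    document.cookie = decision.setCookie;
  }
}
```

Note that a cookie a page sets for itself carries no security meaning: anyone can clear it or set it to `true`, so this is a UX memory, not a control. A flag that must be trustworthy belongs in a server-set, HttpOnly cookie.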

Cors issues with angular dart - cookies not set

I work on an app using angular.dart on the client side and Dart on the server side.
I have written a login REST entry point and want to set cookies; the header was in the response, but the cookies are not set.
set-cookie:app-user=533c1470a2658184a7625d7d; Expires=Tue, 8 Apr 2014 9:15:47 GMT; Domain=.ballr.eu; Path=/
set-cookie:app-tokn=530fa71b615e168787a7cb5b5c589a5601065e1e3f921d4b770c784394de3a42; Expires=Tue, 8 Apr 2014 9:15:47 GMT; Domain=.ballr.eu; Path=/
I tried to check my headers and the values set in the cookies, but to my mind they are fine.
Headers:
request.response..statusCode = HttpStatus.OK
  ..headers.set(HttpHeaders.CONTENT_TYPE, 'text/plain; charset=UTF-8')
  ..headers.add("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, DELETE")
  ..headers.add("Access-Control-Allow-Headers", "origin, x-requested-with, content-type, accept")
  // Note: a browser discards cookies from a credentialed (withCredentials) response when this is "*";
  // an explicit, allow-listed origin plus Access-Control-Allow-Credentials: true is required.
  ..headers.add("Access-Control-Allow-Origin", "*");
Cookies:
static setCookie(HttpRequest request, String key, String value, DateTime duration) =>
    request.response.cookies.add(new Cookie(key, value)
      ..path = '/'
      ..expires = duration
      ..domain = '.app.eu');
I followed some threads on Stack Overflow and Google Groups and I think it's a problem with "withCredentials", a value I have set in another project (Angular/Java), but I can't find this parameter in angular.dart.
Can you help me find it, or do you have some ideas?
Thank you for your help/time.
I'm not sure if I understand your question correctly, but maybe this is what you are looking for:
(on the client)
var request = new HttpRequest()
  ..open("POST", uri.toString(), async: true)
  ..withCredentials = true; // seems to be necessary so that cookies are sent
EDIT
I missed that this is about Angular. This needs a slightly different approach.
If you use the Angular Http service you have a parameter for it:
class MyController {
  Http _http;
  MyController(this._http) {
    _http.getString('someurl', withCredentials: true).then((e) => ...);
    // or _http.request('someurl', method: 'POST', withCredentials: true).then((e) => ...);
  }
}
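withCredentials is only half of the exchange: the browser also refuses to store cookies from a credentialed cross-origin response unless the server echoes the caller's exact origin (not `*`) and sends Access-Control-Allow-Credentials: true, and a cookie that must travel cross-site additionally needs SameSite=None together with Secure. The following is an added example, not code from the question or answer, of the server side in Node.js: an allow-list of origins, a function that produces the right headers for a given Origin request header (and nothing for an unknown origin), a wrapper that answers preflights, and a login handler that sets the cookie. The origins, cookie value and handler names are assumptions.

```javascript
// Added example (not from the posts above): CORS headers for cookie-carrying requests.

// Origins that may call this API with credentials. Constructed values; never use '*' here.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.app.example']);

// Headers for a credentialed response, or null when the Origin is absent or not trusted.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,      // echo the allow-listed origin, never '*'
    'Access-Control-Allow-Credentials': 'true',          // required for cookies to be stored/sent
    'Access-Control-Allow-Methods': 'OPTIONS, GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'origin, x-requested-with, content-type, accept',
    'Vary': 'Origin',                                    // caches must key on the origin
  };
}

// Wrap a Node http handler: add CORS headers for trusted origins and short-circuit preflights.
function handleWithCors(req, res, next) {
  const headers = corsHeaders(req.headers.origin);
  if (headers) {
    for (const [key, value] of Object.entries(headers)) res.setHeader(key, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    res.end();
    return;
  }
  next(req, res);
}

// Login handler: a cookie that must be sent on cross-site requests needs SameSite=None; Secure.
// "opaque-user-id" is a placeholder for a server-issued session identifier.
function loginHandler(req, res) {
  res.setHeader('Set-Cookie', 'app-user=opaque-user-id; Path=/; Secure; HttpOnly; SameSite=None');
  res.statusCode = 200;
  res.end('ok');
}

// Usage with the http module: http.createServer((req, res) => handleWithCors(req, res, loginHandler)).listen(8080);
```

The allow-list is the point: reflecting any Origin back together with Allow-Credentials would let every site on the web make cookie-carrying calls to the API, so the check has to be an exact match against known origins.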

PCL HttpClient response ignoring cookies without a domain

I am working on a REST-based app that connects to Office365. The app will be available on multiple platforms, so I have created a portable class library to handle all the logic, including authentication. The PCL targets Windows Phone 7.1 and onwards, and includes the Microsoft HTTP Client Libraries (NuGet), which is required for Windows Phone 7.1 apps.
The last step of the authentication for Office365 is to get a FedAuth cookie from the site, and that is where I am having a problem.
The code I use to get the cookie is:
var handler = new HttpClientHandler();
handler.AllowAutoRedirect = false;
var newClient = new HttpClient(handler);
var newResponse = await newClient.PostAsync(host + "/_forms/default.aspx?wa=wsignin1.0", new StringContent(binarySecurityToken));
The 'host' variable is just the URL of the Office365 site, and the binarySecurityToken I got from previous requests. These things work equally well in all the apps: Whether I run the PCL code from the context of a Windows Phone 7.1 app, Windows Phone 8 app, Windows 8 app, or even a Console application, I am getting exactly the same response (see below), which contains the FedAuth cookie. This I have verified using Fiddler.
Then I try to get the cookie to reuse it on subsequent requests.
var cookieCollection = handler.CookieContainer.GetCookies(new Uri(host));
foreach (var cookie in cookieCollection)
{
    if (cookie.Name.StartsWith("FedAuth"))
    {
        //TODO: Store the cookie.
        return true;
    }
}
This leads to the following result: On Windows Phone 7.1 the 'cookieCollection' variable only contains the cookie 'rtFa'. On the other platforms it contains all three cookies 'RpsContextCookie', 'rtFa', 'FedAuth'.
Windows Phone 7.1 differs from the other apps in that this is the only platform that actually uses the HttpClient from the NuGet package. The other platforms have a native HttpClient that is swapped in by the magic of PCL.
It seems likely that the problem is caused by the FedAuth cookie not having a domain. I have tried using .GetCookies(null), and different variations of .GetCookies(new Uri("something", UriKind.Relative)), which all result in an exception. I have also tried changing most of the properties of the HttpClientHandler without luck.
Has anyone encountered this problem, and perhaps solved it? Or just a suggestion on what I could try?
The response I get on the .PostAsync above is the same on all platforms, and according to Fiddler the raw response is:
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /
Server: Microsoft-IIS/7.5
X-SharePointHealthScore: 0
X-AspNet-Version: 4.0.30319
Set-Cookie: RpsContextCookie=; path=/
Set-Cookie: rtFa=+13jGMMp0A0V+driESaO30ixYclFCRjEvS2jMSwXPfQcrefiJvLEExxYu7V+1JZHM6X5JWeuL70jb3/N/Q/hUTwoAiC/XLJZ1QfERi4aUt8AAVF4ekcNyMdWnj65foDwPkhaV5z8whNSZQigBFD/2Vc1xMTH0ukHbS4cbtJO5U28/4g66vgIZg7dGpNOZg2jDt+HF3GSQ4/W+T1oS9/F5e+Pbwd0p8mqPhkGjL+M7IptmkeHoIqVcS4Ps25dM6q1AniLiv/3NujYmrQjseaEYZ2aaCfc7ZHX7LygBZm8KsoGNyTYRPmC+hZ7tsDq6wfto+xVpX1scggsU0+Qty3DPWUiwy1bBy8JR0znFG0+eDt9uBOQzqfOSjVvd8WNIKUFIAAAAA==; domain=sharepoint.com; path=/; HttpOnly
Set-Cookie: FedAuth=…; path=/; secure; HttpOnly
SPRequestGuid: 5bb2689c-d7c5-c07c-4890-ee32437f15f5
request-id: 5bb2689c-d7c5-c07c-4890-ee32437f15f5
SPRequestDuration: 125
SPIisLatency: 2
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.2308
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Thu, 09 Jan 2014 21:46:53 GMT
Content-Length: 118
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
I found an answer of a kind here: Accessing HTTPOnly cookies from Windows Phone 8/PCL.
Reading the post I realized that I made an error above: I was not getting the 'rtFa' cookie in the Windows Phone 7.1 app, but the 'RpsContextCookie'. The cookies I couldn't access were both marked with HttpOnly.
I also realized that I don't need to access the cookies directly. Instead, I could just reuse the handler.CookieContainer. So my code now looks like this:
var handler = new HttpClientHandler();
handler.AllowAutoRedirect = false;
var newClient = new HttpClient(handler);
var newResponse = await newClient.PostAsync(host + "/_forms/default.aspx?wa=wsignin1.0", new StringContent(binarySecurityToken));
this._cookieContainer = handler.CookieContainer;
return true;
this._cookieContainer is just a class-scoped field for storage of the cookie container. Then, once I am authenticated and I do the requests that are the actual purpose of the app, I do the following:
var handler = new HttpClientHandler(){ CookieContainer = this._cookieContainer };
var client = new HttpClient(handler);
var response = await client.GetAsync(host + "something");
So the bottom line is: I can't access the HttpOnly cookies - but I don't need to. I just reuse the cookie container, and the cookies are automatically included in the next request.
This works in Windows Phone 7.1 apps, Windows Phone 8 apps, console applications, etc.

Owin cookie authentication set-cookie not saving in browser

I am building a self-hosted web server on this stack:
OWIN
Nancy
Web Api 2
And I am using Microsoft.Owin.Security.Cookies from Katana for forms-like authentication. I get a Set-Cookie header in the response, but the cookie isn't being saved and isn't included in the next request. So what's the problem? What am I doing wrong?
Owin startup:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = "GM",
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.SameAsRequest,
    CookiePath = "/",
    CookieName = CookieAuthenticationDefaults.CookiePrefix + "GM",
    CookieDomain = "localhost",
});
Controller code:
var context = Request.GetOwinContext();
context.Authentication.SignIn(new AuthenticationProperties()
    {
        IsPersistent = true
    },
    new ClaimsIdentity(new[] { new Claim(ClaimsIdentity.DefaultNameClaimType, user.Login) }, "GM"));
context.Response.Headers.Add("Location", new[] { "/" });
return Request.CreateResponse(HttpStatusCode.Found);
Response headers:
Cache-Control:no-cache
Content-Length:0
Date:Wed, 11 Sep 2013 11:11:23 GMT
Expires:-1
Location:/
Pragma:no-cache
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:.AspNet.GM=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAABui2rBibE0yPXB0-v3C06gAAAAACAAAAAAAQZgAAAAEAACAAAAC1mQV3jGo_WAhMQ-hzsmzgkdbdCclWIAX-msbE0_12zQAAAAAOgAAAAAIAACAAAABuQjBg3EJIka151hvBgtlPGfQ2O_cwNI2VVh86dchTDXAAAAD21O9DnNk4yLU9eddVfY3bT9P1CEudNeLvwohkSTAQBP2onuIQfgl9F99Je5waPddckh2llD2kjftSMQPhzgE9vKm-_wE42hXhc9FIgfxpD5AdaeGatwpEcwDfGJJdpQnObX1pbjEFIXLVJxGm5qMUQAAAAC8AiFTaXmzrfRy4-jR6zqMmSKddzddmiBLGClAckWOy6W2YWdf50N2zhIj_MwN8-zi-B0tlv87pzAt-6RDZYZs; domain=localhost; path=/; expires=Wed, 25-Sep-2013 11:11:24 GMT; HttpOnly
I resolved the issue. It was because of 'domain=localhost'. It seems that 'localhost' isn't a valid value for the domain parameter.
You could be encountering a similar issue to: Safari doesn't set Cookie but IE / FF does
Try setting the HttpStatusCode to HttpStatusCode.Ok
Some browsers will only accept cookies from a certain response code (like 200, 302).