Say for example I had an application sending the following HTTP headers to set to cookie named "key1":
Set-cookie: key1=111; Domain=cc.net
Set-cookie: key1=222; Domain=bb.cc.net
Set-cookie: key1=222; Domain=aa.bb.cc.net
If I access aa.bb.cc.net on the server, so I have three cookies named "key1",but How are these three cookies arranged? Is cookie with longer domain are listed before cookie with shorter domain?
What is the specification of rfc?
Related
A customer will link to one of our webpages on their site: customer.site/links.html
A person clicks that link and gets sent to our.site/webapp/handlerequest.aspx?someparam=somevalue
The value of someparam is set in a cookie with SameSite=Strict and then uses a 302 redirect to another page on the same domain:
Request URL: https://our.site/webapp/handlerequest.aspx?someparam=somevalue
Request Method: GET
Status Code: 302
Remote Address: ...
Referrer Policy: strict-origin-when-cross-origin
cache-control: private
content-length: ...
content-type: text/html; charset=utf-8
date: ...
location: /webapp/someotheraction
server: Microsoft-IIS/10.0
set-cookie: someparam=somevalue; expires=Thu, 17-Mar-2022 14:41:13 GMT; path=/; secure; HttpOnly; SameSite=Strict
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
The browser does NOT include this cookie on the 302 redirect to /webapp/someotheraction.
This only starting happening when we specifically change our code to set this cookie to SameSite=Strict.
This occurs in Chrome, Firefox, Edge, and IE (old IE)
Is this on purpose? Why? Since we are going from one request on the domain to another request in the same domain, shouldn't the SameSite=Strict cookies be included? Does this have anything to do with the referer policy defaulting to strict-origin-when-cross-origin? https://www.w3.org/TR/referrer-policy/ doesn't say anything about cookies
This is a cross-site request because the initial navigation was cross-site (from customer.site to our.site). Strict cookies are never sent on cross-site requests. It doesn't matter that the request gets redirected (in this case, to another URL on our.site), just the fact that the user clicked on a cross-site link means the request is cross-site.
As for why this is the case, it's because the origin responsible for initiating the navigation is important in preventing cross-site request forgery (CSRF). Imagine if https://evil.site had a link to https://bank.site/transfer-funds which redirects to https://bank.site/transact. We wouldn't want Strict cookies to be send to the /transact endpoint after the redirect, even if it was redirected to by the same site, because the initiating origin is cross-site.
I have a domain (say cookiebaker.com) that provides files using GET requests. Whenever a request is made the cookiebaker server adds a set-cookie header to the file response.
Here is an example header (Max-Age is set for 1 month in the future):
set-cookie: cookie_name=cookie_value; Max-Age=2592000; secure; HttpOnly; SameSite=Lax
Now when I call cookiebaker.com from a different domain (say munchies.com) I can see the set-cookie header in the GET response, but munchies.com does not store the cookie. I don't see the cookie in dev tools, and it is not uploaded in subsequent requests.
I am aware that I have to set the "withCredentials" flag to true when performing the GET request, but this didn't help in my case.
Here's my stripped down munchies.com code:
let request = new XMLHttpRequest();
request.open('GET', "https://cookieBaker.com?param=value");
request.withCredentials = true; // Tell the browser to receive cookies
request.send();
Is there anything else that could block the cookie from being stored in the browser? These are all my access Control headers included in the GET response (localhost is the "real" name of munchies.com for my testing):
access-control-allow-credentials: true
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: http://localhost
access-control-expose-headers: X-WP-Total, X-WP-TotalPages
You have explicitly set SameSite=Lax on the cookiebaker.com cookie, which will restrict it from being sent in a cross-site context, e.g. a fetch() originating from munchies.com.
For an explicit cross-site cookie, you should use SameSite=None;Secure. For more in-depth implementation detail, see https://web.dev/samesite-cookie-recipes
securityheaders.com fails my configurations with the following error:
Set-Cookie There is no Cookie Prefix on this cookie.
And this is the value of the cookie:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
I have tried to add the cookie prefix with in settings.py:
CSRF_COOKIE_NAME = '__Secure-csrftoken'
But it seems to be a different paramater. I have search the documentation and that is all I could find, and seems to not be applicable.
securityheaders.com on cookie prefixes states that it needs to start with __Secure- or __Host-
You used the wrong setting, this is not the CSRF_COOKIE_NAME [Django-doc], but the SESSION_COOKIE_NAME [Django-doc]:
Default: 'sessionid'
The name of the cookie to use for sessions. This can be whatever you want (as long as it’s different from the other cookie names in your application).
Note that the name of the cookie it complains about is sessionid:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
So you need to specify this as:
SESSION_COOKIE_NAME = '__Secure-sessionid'
CSRF_COOKIE_NAME = '__Secure-csrftoken'
Test Plan:
HTTP Cookie manager
1. Open Login Page (get) - (send cookie with with JSESSIONID)
2. Log in (post) - (send cookie with with LtpaToken2, receive cookie with JSESSIONID)
3. Create new app (post)
Path contains ;jsessionid=${jsessionid} in Log in (post)
I have strange behavior. I get login page in response in post methods, thus request sent without exceptions but didn`t log in.
Also I noticed there are different JSESSIONID for every operation.
For example
step1: Request - no cookies, Sampler result - Set-Cookie: JSESSIONID=00005VALCRoQLgAgEsC_CIOVc5x:-1; Path=/
step2: Request - Cookie Data:JSESSIONID=00005VALCRoQLgAgEsC_CIOVc5x:-1, Sampler result - Set-Cookie: JSESSIONID=0000OnEiWZdVvxMa8n0Sew2_4Pl:-1; Path=/
Step3: Request - Cookie Data:JSESSIONID=0000OnEiWZdVvxMa8n0Sew2_4Pl:-1 , Sampler result - Set-Cookie: JSESSIONID=0000xbnlZFrZuYSdaY12--sdgg1:-1; Path=/
What is wrong with my script? I need to log in portal.
Thanks in advance.
Not actual anymore. HTTP Cookie Manager manage all session cookies by default (Jsession and ldap). I set following parameters:
Clear cookie each iteration =Yes
Cookie Policy = Compatible
Implementation = HC4CookieHandler
how do I interpret domain in this cookie:
portal-referer=http%3A%2F%2Fservice.mail.com%2Fmcstarter%2Fmail.html%3F; Domain=".hostimpl[name=www.mail.com,domain=mail.com]"; Path=/
?
Maybe I have to add this cookie to CookieContainer (C#) assigned to uri "www.mail.com" and another copy of this cookie to uri "mail.com"?
Thanks