How to set cookies for multiple pages with getServerSideProps - cookies

In my application I’m getting the user's IP address and then timezone on the server in getServerSideProps in order to display user-specific content and keep the SEO benefits of server-side rendering.
On every page of the site my getServerSideProps looks like:
// check if timezone cookie exists
// if not, get ip and timezone
// set timezone cookie
// use cookie to retrieve user specific data and return in props
It works fine but it doesn’t feel right writing duplicate code like that and having it on every page.
Is there a way to set/retrieve the cookies in _app.js or something similar to context but for the server?
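
One way to keep the four steps above in a single place is a wrapper that each page hands its own logic to; this is an added example, not part of the original question. The names `withTimezone`, `lookupTimezone` and the cookie name `tz` are assumptions, and the cookie value is validated because the client controls it.

```javascript
// Added example; COOKIE_NAME, withTimezone and lookupTimezone are hypothetical names.
const COOKIE_NAME = 'tz';

// The cookie comes from the client, so accept it only if the runtime
// recognises it as a time zone name (Intl throws RangeError otherwise).
function isValidTimezone(tz) {
  if (typeof tz !== 'string' || tz.length > 64) return false;
  try {
    new Intl.DateTimeFormat('en-US', { timeZone: tz });
    return true;
  } catch {
    return false;
  }
}

// Extract one cookie value from the raw Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === name) {
      try {
        return decodeURIComponent(part.slice(eq + 1).trim());
      } catch {
        return null; // malformed percent-encoding
      }
    }
  }
  return null;
}

// Wraps a page handler: check cookie, else look up by IP and set the cookie.
// lookupTimezone(ip) is supplied by the application (assumed async).
function withTimezone(lookupTimezone, handler) {
  return async function getServerSideProps(ctx) {
    let tz = readCookie(ctx.req.headers.cookie, COOKIE_NAME);
    if (!isValidTimezone(tz)) {
      // Behind a reverse proxy the client address comes from the proxy instead.
      tz = await lookupTimezone(ctx.req.socket.remoteAddress);
      if (!isValidTimezone(tz)) tz = 'UTC';
      // Note: setHeader replaces any Set-Cookie header set earlier.
      ctx.res.setHeader('Set-Cookie', `${COOKIE_NAME}=${encodeURIComponent(tz)}; ` +
        'Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax');
    }
    return handler(ctx, tz);
  };
}

// Per page: export const getServerSideProps =
//   withTimezone(lookupTimezone, async (ctx, tz) => ({ props: { tz } }));
```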

Related

Send Ajax request with cookie from 3rd Party Iframe - Safari 14+

I have a server side application that uses cookies for session management. The browser has some script that sends an ajax request to add information to the session. This is working well and in production.
The business wants to be able to insert this application in other companies' websites via iframes, i.e. myapp.com is in an iframe in otherbusiness.com and when the user clicks a button in the application in the iframe launched from myapp.com, it sends a request with a cookie that contains the session id to update the user's session on the myapp.com server.
For the browser to be able to send a cookie, 3rd party cookies need to be enabled by setting the cookie options of SameSite=None and Secure. This works for all browsers except Safari.
Safari no longer accepts 3rd party cookies.
The only solution I can come up with is to use session ids in the URL but this is a little cumbersome.
Can anyone suggest a better option or perhaps a good implementation of session ids in the url?
I used hidden html fields to pass the session id and expiration.
My server side code checks for a cookie; if it cannot find it, it looks for the session id and expiration in the hidden fields.
This avoids security issues with passing the id in the url. It is a little clumsy to implement but it works.

How do I make cookies value i.e. ai_user & ai_session dynamic in JMeter as it appears different & dynamic in browser each time user hits home request?

Each time I execute the home page of an ecommerce website, some cookies appear in the request header. Some of them, ai_user & ai_session, have unique values each time we hit the Home request. I want to know how I can get those unique values in JMeter each time I hit the home request.
I recorded the test script with BlazeMeter and it automatically recorded all cookies in the HTTP Cookie Manager as user-defined cookies, but those values are hard coded. I want them dynamic, as it works in the browser.
I already changed the property CookieManager.save.cookies=true in the jmeter.properties file (located in JMeter’s bin folder) and use the variable ${COOKIE_ai_user} in the script to use the cookie value.
But the issue is that its value is static; I want to make it dynamic. How can I do that?
Each time I execute home page of ecommerce website, some cookies appear in request header
No, it doesn't work that way.
When you open the page the first time, the browser gets cookies from the Set-Cookie header.
When you open the page the next time, the browser sends cookies as the Cookie header.
So the situation when you're sending cookies at the very first request is highly unlikely to happen (unless you're simulating a returning user).
It's sufficient to add HTTP Cookie Manager which simulates browser's cookie storage and automatically handles incoming cookies.

Relay connection with parameters not getting reloaded on Field_Change mutation

My app loads a list/connection on startup and I'm using FB login. For auth with Relay I'm setting a cookie but the cookie is removed in case the app is removed from running in the background.
To avoid the user having to log in again I'm caching (AsyncStorage) the user info; if the user exists in there, I automatically log the user in at the server so I get my cookie back. The problem is that I need to reset/reload the connection. I tried a mutation with Field_Change returning the parent (which should include all its children, but it doesn't load the connection, which is a child of a child).
I also tried to reset/recreate the store, also without success.
The list is loaded on my start page so I'm not changing pages.
My connection does have multiple params for paging as well as others and an @include.
The only way I could get it to work is to use forceUpdate in the component that also defines the connection, is there a better way?
Update:
Here's the fat query:
fragment on AuthorizationChangePayload @relay(pattern: true) {
  viewer {
    user
  }
}
And the config for the mutation:
return [{
  type: 'FIELDS_CHANGE',
  fieldIDs: {
    viewer: this.props.viewer.id
  }
}];
Within user there's the connection which doesn't get updated. I didn't specify it as it has parameters and really I want to update the whole user and its children objects.

When django session is created

I don't really understand when a session is created and per what entity it is created (per ip, per browser, per logged in user). I see in the documentation that sessions by default are created per visitor - but what is a visitor (browser or ip)?
What are HTTP sessions?
To display a webpage your browser sends an HTTP request to the server, the server sends back an HTTP response. Each time you click a link on a website a new HTTP transaction takes place, i.e. it is not a connection that is persistent over time (like a phone call). Your communication with a website consists of many monolithic HTTP transactions (tens or hundreds of phone calls, each phone call being a few words).
So how can the server remember information about a user, for instance that a user is logged in (ip addresses are not reliable)? The first time you visit a website, the server creates a random string, and in the HTTP response it asks the browser to create a so called HTTP cookie with that value. A cookie is really just a name (of the cookie) and a value. If you go to a simple session-enabled Django site, the server will ask your browser to set a cookie named 'sessionid' with such a randomly generated value.
The subsequent times your browser will make HTTP requests to that domain, it will include the cookie in the HTTP request.
The server saves these session ids (for django the default is to save in the database) and it saves them together with so called session variables. So based on the session id sent along with an HTTP request it can dig out previously set session variables as well as modify or add session variables. If you delete your cookies (ctrl+shift+delete in Firefox), you will realize that no website remembers you anymore (Gmail, Facebook, Django sites, etc.) and you have to log in again. Most browsers will allow you to disable cookies in general or for specific sites (for privacy reasons) but this means that you can not log into those websites.
Per browser, per window, per tab, per ip?
It is not possible to log into different GMail accounts within the same browser, not even from different windows. But it is possible to log in to one account with Firefox and another with Chrome. So the answer is: per browser. However, it is not always that simple. You can use different profiles in Firefox, and each can keep different cookies and thus you can log into different accounts simultaneously. There are also Firefox plugins for keeping multiple sessions, e.g. MultiFox.
The session all depends on which session cookie your browser sends in its HTTP request.
Play around
To get the full understanding of what is going on, I recommend installing the FireBug and FireCookie plugins for Firefox. The above screenshots are taken from FireBug's net panel. FireCookie will give you an overview of when and which cookies are set when you visit a site, and will let you regulate which cookies are allowed.
If there is a server side error, and you have DEBUG=True, then the Django error message will show you information about the HTTP request, including the cookies sent.
It's browser (not IP). A session is basically data stored on your server that is identified by a session id sent as a cookie to the browser. The browser will send the cookie back containing the session id on all subsequent requests either until the browser is closed or the cookie expires (depending on the expires value that is sent with the cookie header, which you can control from Django with set_expiry).
The server can also expire sessions by basically ignoring the (unexpired) cookie that the browser sends and requiring a new session to be started.
There is a great description on how sessions work here.

Working with Sessions and Cookies

I have one question in mind: in login sessions, does the client have to maintain anything so that the server can uniquely identify the client and, across multiple client requests, respond to the correct client? I don't understand sessions and cookies. I asked many people about this; some say that it's the server's job to maintain sessions and the client just sends normal requests.
Yes, the client must keep track of something, called a session ID. Most commonly, it is a cookie. However, a less used approach is to rewrite all links to pass the session ID in the URL.
Example ID names are ASP.NET_SessionId and PHPSESSID.
Matthew's answer is correct.
It is the server's job to keep track of login sessions, and it's the client web browser's job to keep track of cookies. When you provide username & password on a site, a cookie is provided by the web server to your browser, which will automatically be provided along with subsequent requests to the web server. This cookie uniquely identifies a session which belongs to a particular user on the site (even the "guest" user). So, the server keeps track of all client sessions, and each client remembers its session cookie & provides it along with all its requests. It's a simple scheme. Using Firebug for example, you can see what the web requests look like when you log into a site. You might find that interesting to look at.
It is the server which will maintain the sessions. And it is the server's responsibility to allow session tracking to happen. Clients need not bother about sending any information explicitly. As clients also send cookies saved on the client along with every request, the server might use cookies for session tracking.
Note: Cookies are just one of the ways to implement session tracking. It is also the best way.
So the server uses cookies as one of the ways to handle session tracking.
It can also be done in other ways:
URL rewriting - the application/server should append the session id in all URL's/Links. When those are invoked from the client the session comes to the server along with the URL.
Hidden Form Fields - The forms may contain hidden input type with session id as field value. When the form is posted, the session id comes along with the form data.
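
The mechanism described in the Django answer and in the session-tracking answers above (a random session id handed out in a cookie, looked up server-side on later requests, expired by the server, with a hidden form field as a fallback carrier), as an added JavaScript example that is not code from any of the posts. `SessionStore`, its method names and the TTL handling are illustrative assumptions; the cookie name `sessionid` follows the Django answer.

```javascript
// Added example; SessionStore and its methods are illustrative names.
const crypto = require('crypto');

class SessionStore {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // session id -> { vars, expiresAt }
  }

  // First visit: create an unguessable id and ask the browser to store it.
  create(now = Date.now()) {
    const id = crypto.randomBytes(32).toString('hex');
    this.sessions.set(id, { vars: {}, expiresAt: now + this.ttlMs });
    const setCookie = `sessionid=${id}; Path=/; HttpOnly; Secure; SameSite=Lax`;
    return { id, setCookie };
  }

  // Later requests: take the id from the Cookie header or, failing that,
  // from a hidden form field, then look up the stored session variables.
  resolve({ cookieHeader, hiddenField }, now = Date.now()) {
    const m = /(?:^|;\s*)sessionid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || '');
    const id = m ? m[1] : hiddenField;
    if (typeof id !== 'string' || !/^[0-9a-f]{64}$/.test(id)) return null;
    const session = this.sessions.get(id);
    if (!session) return null; // unknown id: never adopt a client-chosen value
    if (session.expiresAt <= now) {
      // Server-side expiry: the browser may still send the cookie.
      this.sessions.delete(id);
      return null;
    }
    return session.vars;
  }
}
```

Whichever carrier delivers the id, the store only honours values it issued itself and that have not expired on the server.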