My API and my frontend are hosted on render.com but at different subdomains. When I log in, my API send a cookie with SameSite=None, Secure=true and frontend domain. But Chrome refused to set the cookie and block it. How to handle this situation? What I am missing?
Related
I'll attach an image to illustrate what I'm looking to do:
Note: The above photo should say "Redirect to HTTPS"
To preface, this is the following is the technology stack
DNS: GoDaddy
Proxy: Cloudflare
Client: React app hosted on Heroku
Server: Flask API hosted on Heroku
The flow at least to my understanding is this:
User enters in domain.com in browser and GoDaddy forwards all traffic to Cloudflare so that the site is viewed securely
Cloudflare then forwards the traffic to where the client is hosted
Once client is loaded, it makes a request to the server to receive a CSRF token. The CSRF token is generated by a method within flask-wtf. A session is created in the server and in the response, the CSRF token is attached to the header
Here things gets weird
Since the response received on the client never had the CSRF token attached to the header and no cookie was set on the browser, I would assume that the response goes to Cloudflare before the response hits the client. As a result, the CSRF token is never received. Not sure why this is the case.. But after a bit of research, I've discovered that Cloudflare does this by default.
It seems that a work around would be to use Cloudflare Workers, but that seems only available if their DNS is being used. Ideally, I would like to stick with GoDaddy.
I was wondering if anyone else experienced this and found a different solution.
Because I have a backend api with http url, if I need to call api from frontend I need to send api request through http. My frontend was deployed to AWS Amplify, it runs as https. When I send api request it was blocked. console said: Mixed Content: The page at https//XXXX was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint http://XXXXX This request has been blocked; the content must be served over HTTPS.
how can I use http request here?
I am using AWS ALB for OIDC authentication, and once authenticated it lands to my backend application where i create a session save it in redis and return the session cookie back to front end.
The front end uses the cookie to commuicate with my backend.
After 10 minutes if the session is expired. Then i want to redirect the page login page.
My question is should i handle the session expiry in my code or does AWS ALB has some intelligence in it to know that my sesion is expired and redirect to logic page.
If i have to explicitly redirect form my code. DO i need to get location header and statu code as 302 as below.
/login is listener in ALB which will authenicate to OIDC
response.getHeaders().setLocation(URI.create("/login"));
response.setStatusCode(HttpStatus.FOUND);
However, when i redirect to /login. which is path route configred in ALB to authenticate via OIDC. I get 404 0r 400 not found from Oauth provider . Is it because of setting location header am not sure
Your session is handled by your backend services and ALB has no knowledge nor access to it. So, you should also handle session expiration in your code.
I have a AWS Cloudfront hosted webpage which takes static pages from S3 and makes calls to custom origin (ALB) for dynamic data. There is OIDC authentication enabled on ALB, so calls to custom origin (my API) passes via rules set at ALB.
In a particular case when my request to custom origin is unauthenticated I am redirected to IdP for login and after successful login I get the cookie in the response header, as this request was sent to IdP from ALB - the issued cookie has domain as ALB DNS. In order for my webpage to use this cookie I have to redirect the call to Cloudfront URL. Now the cookie was issued to ALB which has a different DNS and my Cloudfront URL has a different DNS therefore I am unable to use the cookie.
I tried to catch the cookie value but because it is issued for a different domain i am unable to catch hold, also as a part of design I feel that is wrong. Has some one faced similar type of issue.
AWS ALB OIDC sets session cookie for the same request host domain for which you configure the authentication action in the listener rules.
Also, they set a http only secure cookie, meaning you cannot access it via client side Javascript at all.
Considering this along with your setup, it seems you actually need a (tiny) backend for your web page, so that you can access the response cookie when you make the API call to the mentioned custom origin internally from this backend.
Having trouble setting a cookie (subdomain to parent) in a CloudFront configuration:
S3 bucket serving a static site with a CloudFront distribution. CNAME: example.com
API Gateway API with a custom domain: api.example.com
S3 bucket with a CloudFront distribution with CNAME: files.example.com
The web application on example.com contacts a lambda proxy GET method on api.example.com. This function, among other things, returns headers with values generated by AWS.CloudFront.Signer.getSignedCookies()
{
'Set-Cookie': `CloudFront-Expires=...; Domain=.example.com`,
'SEt-Cookie': `CloudFront-Signature=...; Domain=.example.com`,
'SET-Cookie': `CloudFront-Key-Pair-Id=...; Domain=.example.com`
}
These are being sent to the client with the response, but for some reason are not sent in GET requests to the S3 bucket on files.example.com.
I am not certain if the issue is with the cookies being set or being sent: By looking at the application tab in chrome dev tools it seems that the cookies aren't there. However, in the network tab the cookies are indeed being sent alongside requests to api.example.com (but not with requests to files.example.com).
As far as I can tell the configuration should work in terms of Domain cookie policy (the subdomain is attempting to set a cookie with a parent domain, under which is a different subdomain of the parent, that should receive the cookies). Any other immediate suspects for this sort of behaviour?
You want to use the cookie domain .example.com instead of example.com. The leading . allows subdomains to access the cookie as well.
You also need to ensure that the cookies are being forwarded to the origin in your CloudFront behavior.