Cookies filtered out only in Chrome - cookies

I have a Chrome extension which uses OAuth to authenticate users. This authentication creates cookies which are shared to detect authentication on my other applications.
So when I'm authenticated by OAuth on my extension, I can go to another app and then, if I refresh, I'm connected without going through the login process. This is because the cookies created by my OAuth process are shared and detected on the other apps.
This works fine on browsers like Mozilla or Opera but doesn't work on Chrome because the cookies are filtered out with this info message:
"this cookie was blocked because its path was not an exact match for or a super directory of the request url's path." (shown on screen by the cookies with a question mark, those with AUTH and KEYCLOAK prefixes)
Cookies with AUTH and KEYCLOAK in yellow are filtered out.
How could I get Chrome to accept those cookies? But more importantly, how could I manage this programmatically in the request which created the cookies, because I can't tell my users to modify their Chrome configuration?
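The Chrome message above is the RFC 6265 path-match rule. The following is an added example, not code from the original post: it implements the default-path and path-match rules in JavaScript so you can check, for a given Set-Cookie header and request URL, whether the browser will send the cookie. Cookie names, paths and the realm name are constructed for illustration.

```javascript
// Added example (not from the original post): RFC 6265 section 5.1.4 cookie
// path rules, the same rules Chrome applies when it filters cookies.
// Cookie names, paths and URLs below are constructed for illustration.

// default-path: used when Set-Cookie carries no Path attribute.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// path-match: does cookie-path cover request-path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;       // "/auth/" covers "/auth/x"
  return requestPath[cookiePath.length] === '/';   // "/auth" covers "/auth/x", not "/authx"
}

// Minimal Set-Cookie parser: cookie name plus its Path attribute (others ignored).
// A Path value that does not start with "/" is ignored, as the RFC requires.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  let path = null;
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'path' && v.startsWith('/')) path = v;
  }
  return { name, path };
}

// Would a cookie set by a response at `setOnPath` be sent with a later
// request to `requestPath`? Returns the effective path and the verdict.
function cookieSentTo(setCookieHeader, setOnPath, requestPath) {
  const { name, path } = parseSetCookie(setCookieHeader);
  const effectivePath = path !== null ? path : defaultPath(setOnPath);
  return { name, effectivePath, sent: pathMatches(requestPath, effectivePath) };
}

// Constructed scenario: the OAuth callback sets the session cookie, then the
// user opens a second application on the same host under /app/.
const callbackPath = '/auth/realms/demo/protocol/openid-connect/auth';
const appPath = '/app/dashboard';
// Scoped to the realm path: dropped for /app/... (the symptom in the question).
const scoped = cookieSentTo('AUTH_SESSION_ID=abc; Path=/auth/realms/demo/; HttpOnly', callbackPath, appPath);
// The same cookie issued with Path=/ is sent to every path on the host.
const hostWide = cookieSentTo('AUTH_SESSION_ID=abc; Path=/; HttpOnly; Secure', callbackPath, appPath);
console.log(scoped.sent, hostWide.sent); // false true
```

The fix therefore lives on the server that issues the cookie (the Path attribute of its Set-Cookie header), not in the users' browser settings; widening Path to / also widens which paths on that host can read the session, so keep HttpOnly and Secure on it.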

Related

WSO2 Identity Server: identify a particular session in browser

I'm developing an OAuth authentication based web application where the user is logged in on Chrome, Edge and Firefox browsers. I get the list of active sessions (Chrome, Edge and Firefox, using an agent parser) in the Active Session API response. But my requirement here is that I want to display the current session in my web application as Chrome only if the user's current session is in Chrome, and simultaneously I have to display the current session as Edge only if the user has logged in on Edge, and the same for Firefox. How will I be able to differentiate the user's current browser session in the response? Any help would be highly appreciated.
If I got you correctly, you want to obtain the user's browser name, right? If yes, you can get it from the User-Agent header.

Auth0+Safari issues: the application doesn’t see the Auth0 cookie (or any other cookie) until page refresh

We have implemented a custom sign-up flow (with a custom domain) for our SPA application. It works well on Chrome, but we keep having issues with Safari.
Here is how I currently see the process and where I think we’re experiencing the issue:
We send a request to Auth0 API using our custom form from our SPA
We get redirected to our custom subdomain. Auth0 handles authentication using our subdomain. The user successfully passes Auth0 authentication
The user is getting a cookie from Auth0
After receiving a cookie, Auth0 forwards the user to the app
The issue starts here. We can not see ANY cookies at all on Safari only. If we manually refresh the page, we start seeing ALL cookies including Auth0 cookie with the token
What am I doing wrong? Is it some Safari bug I've never seen before?

Send Ajax request with cookie from 3rd Party Iframe - Safari 14+

I have a server side application that uses cookies for session management. The browser has some script that sends an ajax request to add information to the session. This is working well and in production.
The business wants to be able to insert this application in other companies' websites via iframes, i.e. myapp.com is in an iframe in otherbusiness.com, and when the user clicks a button in the application in the iframe loaded from myapp.com, it sends a request with a cookie that contains the session id to update the user's session on the myapp.com server.
For the browser to be able to send the cookie, 3rd party cookies need to be enabled by setting the cookie options SameSite=None and Secure. This works for all browsers except Safari.
Safari no longer accepts 3rd party cookies.
The only solution I can come up with is to use session ids in the URL but this is a little cumbersome.
Can anyone suggest a better option or perhaps a good implementation of session ids in the url?
I used hidden HTML fields to pass the session id and expiration.
My server side code checks for a cookie; if it cannot find it, it looks for the session id and expiration in the hidden fields.
This avoids security issues with passing the id in the url. It is a little clumsy to implement but it works.

How to test if browser supports cookies in a Django app?

I am building a Django app which requires user authentication for users to browse the web site. I read through many docs and tutorials which say to use the set_test_cookie(), test_cookie_worked() and delete_test_cookie() functionality to test whether the client's browser supports cookie management.
However, this approach requires two requests and views to verify whether cookie management is supported in the client's browser or not. My question is how to implement Facebook-like functionality in cookie management here. Here's how FB handles the cookie check:
1) If I am not logged in and I have disabled cookie support, then I am not allowed to log in, and I am prompted that I must enable cookie support to access my page.
2) Suppose I was logged in before and the cookie was set up, but I now disable cookie support; then if I access facebook.com it logs me out in just one request and asks me to log in again. But if I log in again then it is the same as the first case.
3) If I am on my timeline browsing Facebook and, without closing that tab, I disable cookie support in the browser, I get automatically logged out with a prompt that cookie support should be enabled.
How does Facebook (and likewise Gmail) know, without my sending a request, that cookie support was disabled in the middle of a session, so that I get logged out? Does it continuously make Ajax calls to the server? How do I implement this functionality in my Django app?

Cannot see Request or Response Cookie headers on external device phonegap app

While developing a PhoneGap application, I can see the Set-Cookie header in responses from XHR login requests to an API I am using. As expected, when I inspect subsequent requests, I see the cookie being sent. I can also see that it is an httpOnly cookie, so I can't store it using scripts.
However, in the Chrome dev tools "Resources" panel I have no trouble deleting the cookie if I want to.
Yet, when I am running the application on an external iOS or Android device, using the Safari or Chrome Web Inspector for each respective device, I can't see the cookies in the "Resources" panel. I don't see the cookie headers in requests or responses either, yet somehow my requests are fine.
Is this a security measure, or is there a bug in my app/API to do with cookies?