Response Header has 2 set-cookie (AWSALB and AWSALBCORS) - amazon-web-services

In my application, I added secure cookies and I deployed it to the remote server. However, when I do a request, I can see that there are 2 identical cookies (1 is AWSALB unsecure, 2 is AWSALBCORS secure):
set-cookie
AWSALB=J8Hw07Jy8ein8Hei2SOME_NUMBERSMiRhCvCtL+1psSOME_NUMBERS84qI2vb/lmSOME_NUMBERS61i/LWSOME_NUMBERSLK2/itJs7pSOME_NUMBERSqcE8Y2/D3C55sSOME_NUMBERSGQUzxBh; Expires=Fri, 15 Jan 2021 07:19:43 GMT; Path=/
set-cookie
AWSALBCORS=J8Hw07Jy8ein8Hei2SOME_NUMBERSMiRhCvCtL+1psSOME_NUMBERS84qI2vb/lmSOME_NUMBERS61i/LWSOME_NUMBERSLK2/itJs7pSOME_NUMBERSqcE8Y2/D3C55sSOME_NUMBERSGQUzxBh; Expires=Fri, 15 Jan 2021 07:19:43 GMT; Path=/; SameSite=None; Secure
I investigated it and found out that it is related to AWS Load balancer, but I am unable to further investigate. I do not want to see unsecure cookie in response header. How can I remove it? Where should I look into?

Related

how to get some of the cookies from the response header's Set-Cookie

need to get some cookie out from the Set-Cookie and pass the cookie in next request header's cookie. The sample Set-Cookie is like:
Set-Cookie:
AWSALB=8KRpAv...hpOJQm; Expires=Thu, 29 Dec 2022 13:45:03 GMT; Path=/
AWSALBCORS=8KRpAv...pOJQm; Expires=Thu, 29 Dec 2022 13:45:03 GMT; Path=/; SameSite=None; Secure
OTHER_BROWSER=1qpa...5a4jn; Domain=google.com; Path=/; Secure; SameSite=None
When trying to get the Set-Cookie
HttpURLConnection connection = url..openConnection();
... ...
String response_header_setCookie = connection.getHeaderField("Set-Cookie");
// the response_header_setCookie has only OTHER_BROWSER=1qpa...5a4jn; Domain=google.com; Path=/; Secure; SameSite=None
It returns "the latest" added one only.
Question:
How to selectively extract some of the cookies from "Set-Cookie" (i.e. by the cookie name AWSALB)?
How get the cookie part only (cut off the Domain/path etc.)? Is it safe to use the first ";"? theSingleCookieValue.substring( 0, theSingleCookieValue.indexOf(";")+1);

Find all cookies used in a website, not on single page

Are there any ways like online tools or browser extensions to find all the cookies used on a website? I already know we can get all the cookies on each page but I want to know if I can get this done for the whole website. What I am basically looking for is to get the list of all the cookies used and give the customer the ability to choose which cookies can be stored.
You'll only get to know about cookies on each page you visit - every page will see a cookie with a / path, but cookies using other paths won't show up until you visit the pages they correspond to. e.g. say you have an editor that saves preferences in a cookie when you visit /edit, you can't tell that cookie exists until you visit that path. So that means you do indeed need to scan every page.
One way to do that is to use a tool like nikto. By default, nikto performs a very thorough and invasive scan of a server (so you should only use it on your own servers or with explicit permission in that mode), but you can limit what it does, which also makes it much faster and less aggressive:
nikto -Display 2 -Plugins cookies -host stackoverflow.com
-Display 2 means "only display cookies", -Plugins cookies means "only perform a cookie scan". This produces a list of cookies set on every path that nikto finds:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ / sent cookie: prov=3968c6ce-2180-aff2-8e0e-ed7591b64a77; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ / sent cookie: prov=9c9ba76f-6571-425b-1199-393f2f5f88fd; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ Target IP: 151.101.193.69
+ Target Hostname: stackoverflow.com
+ Target Port: 80
+ Start Time: 2020-01-28 09:11:57 (GMT1)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ / sent cookie: prov=8408954e-060f-bf74-174b-6f2c5f400da8; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ Root page / redirects to: https://stackoverflow.com/
+ /bWqYtKqo.htm sent cookie: prov=dd9d867b-000c-c538-dd61-6c2dac87137c; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ /bWqYtKqo.mediawiki sent cookie: prov=4ca68e7b-fbfd-1513-0ba0-46bf8ff7859e; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ /bWqYtKqo.csp sent cookie: prov=87cf9cdf-ee98-8092-0f6f-5839f6c8208a; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ /bWqYtKqo.pl sent cookie: prov=c61a9f98-1bed-e4c1-4f17-09d0ecded9fd; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
+ /bWqYtKqo.asp sent cookie: prov=43daff48-2158-85c2-2871-d60d787d8c33; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
...
You can choose different output formats via the -Format option, including machine-readable ones suitable for scripting, like CSV.

Cookies not being saved

I have two subdomains, local-api.domain.com and local-web.domain.com
local-web.domain.com has a page (local-web.domain.com/test/authtest) that calls out via AJAX to a login service (local-api.domain.com/authentication/login) on local-api.domain.com. The login checks the user's posted credentials, and if they're valid then logs the user in via ASP.Net forms auth. Here is a sample raw response that comes back from the service:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Set-Cookie: token=dsaaflkdaflkxEfrLEUH2Bsfdsjfdksfjdsklfj; expires=Sat, 11 Jan 2014 00:16:04 GMT; domain=.domain.com; path=/; httponly
Access-Control-Allow-Origin: http://local-web.domain.com
Access-Control-Allow-Credentials: true
Set-Cookie: .ASPXAUTH=E18F1521FFF70FDFD60444F6EA791D28DDF1010F907D35DD13CDA7E2698CE9DCFB50A25853A5BCFEA0E21820A0760D8412D517548F59344EDDA052DD6D7BD7DDB1D47D011F2EFE3B58B6B2690B370D54C560FC6FA3B0990190E0CB8A8B4CC80BEA925CA928256C78C502E74444566785C95EDC399777B3CB0D2AAFFD219B3ED5; domain=.domain.com; path=/; HttpOnly
Set-Cookie: Visitor=acfbc21b-6259-4000-809d-7dbc72db8309; domain=.domain.com; expires=Sat, 10-Jan-2015 00:16:04 GMT; path=/; HttpOnly
Set-Cookie: Visit=78406825-adf1-4224-af57-0350136a5fc6; domain=.domain.com; path=/; HttpOnly
Set-Cookie: Culture=en; domain=.domain.com; expires=Sat, 10-Jan-2015 00:16:04 GMT; path=/; HttpOnly
Date: Fri, 10 Jan 2014 00:16:04 GMT
Content-Length: 122
{"token":"dsaaflkdaflkxEfrLEUH2Bsfdsjfdksfjdsklfj","firstName":"Steve","lastName":"Smith"}
However, when I reload the page; I find that the cookie that was set in the response is not there. Further investigation with Chrome Developer Tools finds that the cookie doesn't even get saved after the login response; even though there is a Set-Cookie header.
I'm not sure what I'm doing wrong here. Going by similar questions on the site and their responses; I believe I have everything set up properly for the cookie to be saved and resent across my subdomains. Been Googling for last hour but haven't found anything. Any ideas?
As reproduced on Charles Proxy application,
Replacing httponly with HttpOnly on the conflict cookie did work fine.
I think that's the issue.

CORS - cookie doesn't get sent or even set

I have set withCredentials = true, and I get the following headers from the server
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Accept,Origin,Referer
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:.mydomain.com
Connection:keep-alive
Content-Type:application/json
Date:Tue, 06 Aug 2013 12:37:47 GMT
Server:nginx/1.1.19
Set-Cookie:sessionid=zjn8naedymjj6mm0aqjgxljbs3u1njzf; expires=Tue, 20-Aug-2013 12:37:47 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding:chunked
Vary:Cookie
but the cookie doesn't get set or transmitted on next request.
It turned out that I can't just use .domain.com (wildcard) with Access-Control-Allow-Origin, and I have to use `http://exact.subdomain.example.com'

Safari not accepting Cookies while FF and IE does

i have a problem with the safari browser and our set-cookie.
Safari is ignoring our set-cookies completely while FF and IE accept and send the cookies.
The Cookie setting page is not a redirection, direct HTTP 200 with set-cookie.
Is there a special character or malformed set-cookie that causes Safari to ignore the cookies completely?
The following Cookies are sent:
CURL output:
Set-Cookie: ASP.NET_SessionId=rdmpn1b4eckozzjns0voon33; path=/
Set-Cookie: SHOPPERID=jZlotLr6HESiqoB/3F0brg==; expires=Wed, 28-Jul-2060 01:09:04 GMT;path=/
Set-Cookie: FVISIT=2010?N7??28??; expires=Wed, 28-Jul-2060 01:09:04 GMT; path=/
Set-Cookie: STOCKMCD=Direct=2010/07/28 10:09:04; expires=Tue, 26-Oct-2010 01:09:04 GMT; path=/
Safari Developer Tools:
Set-Cookie:ASP.NET_SessionId=xqf3eui1r2fce4e30ogh2145; path=/, SHOPPERID=C/lG3XGVPEa7QgGcsqt3yg==; expires=Wed, 28-Jul-2060 01:15:26 GMT; path=/, FVISIT=2010N728รบ; expires=Wed, 28-Jul-2060 01:15:26 GMT; path=/, STOCKMCD=Direct=2010/07/28 10:15:26; expires=Tue, 26-Oct-2010 01:15:26 GMT; path=/
With default privacy settings Safari rejects cookies from domains other than user visited. For example, if page from example.com contains resources from example.net, example.net is not allowed to set cookies.
Take a look at the answers to HTTP headers encoding/decoding in Java. It looks as if the Set-Cookie header being sent has an character without a valid encoding. It seems that IE and Firefox are less strict than Safari.