I'm trying to get cookies via document.cookies (session id) in the console after receiving them here:
As you see no HttpOnly is present. But cookies still are not accessible for some reason.
I'm using whatwg-fetch in a React app for queries. Chrome browser, Version 80.0.3987.149 (Official Build) (64-bit), but tested with others and no luck as well.
Okay, the thing was that I cannot use cookies while working with wildcard allow access origin requests.
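The rule the poster ran into, as an added example that is not part of the original post: a browser only exposes cookies from a cross-origin response when the request is credentialed and the server echoes the exact Origin (never `*`) together with `Access-Control-Allow-Credentials: true`. The origin and allowlist values are constructed.

```javascript
// Added example (not from any of the posts above): a simplified version of the
// browser's CORS check for credentialed requests, plus a server-side helper that
// builds compliant headers from an explicit allowlist instead of a wildcard.

// Browser-side rule (simplified from the Fetch spec): without credentials, "*"
// or the exact Origin is accepted; with credentials, the header must equal the
// request Origin and Access-Control-Allow-Credentials must be exactly "true".
function corsCheck(requestOrigin, responseHeaders, credentials) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  const allowCreds = responseHeaders["access-control-allow-credentials"];
  if (allowOrigin === undefined) return false;
  if (!credentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  return allowOrigin === requestOrigin && allowCreds === "true";
}

// Server-side helper: reflect the Origin only when it is on the (assumed)
// allowlist, advertise credential support, and tell caches to key on Origin.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {}; // no CORS headers at all
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

// Constructed sample: the wildcard configuration that hid the cookies.
const WILDCARD_HEADERS = { "access-control-allow-origin": "*" };
const APP_ORIGIN = "https://app.example.test";
```

The client side must also pass `credentials: 'include'` in the fetch options; under the default credentials mode cookies are neither sent nor stored for a cross-origin request.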
We have a site that uses first party and third party cookies. Security has pointed out that several of our cookies are not httponly and not secure. After looking the web.config file I see this:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
Hitting the site and using Google Dev Tools shows the cookies are still not marked as httpOnly or secure.
Shouldn't this setting force all first party cookies to be rendered as HttpOnly and Secure? Or am I missing something? Any reason these cookies would not be HttpOnly/Secure? I also set this via IIS at the server level, but no change in the cookie's status.
Is there a way to somehow get the values of httpOnly cookies in electron?
The site I'm pre-loading before my main app loads, sends an httpOnly cookie that has a key inside.
I need this key for my http request headers.
I tried with webContents.session.cookies without luck.
I was able to get an httpOnly cookie using Nightmare.js, which uses Electron. Therefore, I think you should be able to achieve that by looking at the source.
Below, Chrome shows a cookie on current page by viewing Inspect->Resources->Cookies, but why is there nothing by reading "document.cookie".
#EDIT
The cookie is firstly returned from the server via Set-Cookie: JSESSIONID=01E9...; Path=/myUrl/.
It's intended to remove the cookie on the client but fails. Probably the trailing "/" of the cookie path has caused this nasty issue.
#EDIT 2
The "problematic" cookie is set to HttpOnly by the server, so client scripting can neither change, remove nor read it. This resource protecting your cookies explains the reasons. BTW, Chrome devtools can do nothing more than either view or clear it.
I am trying to mark the ASP session ID cookie as HttpOnly but can't seem to find a way to tell if it is working. The environment I am trying this in is as follows:
OS: Windows Server 2003
IIS: 6
ASP Version: ASP 3 (Classic ASP)
In order to mark the cookie as http only, I followed MS KB
As per our architect's suggestion, to test whether this works, a javascript document.cookie should not be able to read the ASPSESSIONID* cookie. My issue is that javascript:alert(document.cookie) still echoes the ASPSESSIONID* cookie, albeit it appears to be encrypted(?)
I also tried to do this via Response.AddHeader "Set-Cookie" but can't determine what value to give for this header to mark all the cookies OR AT LEAST the ASP Session ID cookie as HttpOnly.
Help!!!
Just came across this issue because of a "new" PCI compliance item. It's a bit clumsy but this seems to work:
<%
' Re-send the ASPSESSIONID* cookie from the incoming request with HttpOnly added.
' Classic ASP / IIS 6 cannot set the flag itself, so the page overwrites the cookie
' (same name and value, Path=/ as IIS issued it) and appends HttpOnly.
Dim AllCookies, AspSessionCookie
AllCookies = Request.ServerVariables("HTTP_COOKIE")
If InStr(1, AllCookies, "ASPSESSIONID") > 0 Then
    ' Keep the text from "ASPSESSIONID" up to the next ";" (the name=value pair).
    AspSessionCookie = "ASPSESSIONID" & Split(AllCookies, "ASPSESSIONID")(1)
    If InStr(1, AspSessionCookie, ";") > 0 Then
        AspSessionCookie = Split(AspSessionCookie, ";")(0)
    End If
    Response.AddHeader "Set-Cookie", AspSessionCookie & "; Path=/; HttpOnly"
Else
    ' First hit of a session: the browser has not sent the cookie yet, so redirect
    ' to the same URL; the next request carries it. (Loops if the client rejects cookies.)
    Response.Redirect Request.ServerVariables("URL")
End If
%>
You seem to be confused between SECURE and HTTPONLY.
These are different. The MS KB article you refer to is for SECURE.
Setting a cookie SECURE will stop IIS/Browser sending the ASP Session ID over HTTP.
Setting a cookie HTTPONLY will stop script (javascript) from accessing the value in most browsers.
There is a very GOOD reason to set HTTPONLY on a sessionID cookie. It helps prevent theft of the user's sessionID cookie, which could lead to session hijacking. That is why major browsers have implemented it.
I don't think your architect is correct regarding accessing the cookie in javascript.
There is no reason to stop javascript running in your page from accessing the cookie any more than javascript accessing the rest of your data in the HTML.
The purpose of adding the secure qualifier to a cookie is to prevent it from being sent in an unsecure request.
Ordinarily cookies set when the client is connected using https will still be sent when requests are made to the same server using plain http. Marking a cookie with the secure qualifier when it's set indicates to the client that it should only be sent in subsequent requests if those requests are using https.
Hence to test your setting get yourself a copy of Fiddler; with that running, hit the server over https, then in the same browser session hit the same location with just http. Fiddler should show the second request going to the server and there should not be an ASPSESSION cookie present.
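The devtools and Fiddler inspections described in the question about web.config and in the answer above, done programmatically, as an added example that is not from any of the posts: a small Set-Cookie parser and an audit that flags session cookies without HttpOnly and any cookie without Secure. The sample headers and the list of session-cookie name prefixes are constructed.

```javascript
// Added example (not from any post above): parse Set-Cookie headers and report
// session cookies lacking HttpOnly and any cookie lacking Secure, i.e. the
// devtools / Fiddler inspection described in the posts, done programmatically.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1), // value may itself contain "="
    httpOnly: false,
    secure: false,
    path: null, // absent Path means the browser derives a default from the request URL
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase(); // attributes are case-insensitive
    const val = i === -1 ? undefined : attr.slice(i + 1);
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "path") cookie.path = val;
  }
  return cookie;
}

// Audit a list of Set-Cookie headers. sessionNames is an assumed list of cookie
// name prefixes that carry a session identifier (IIS appends random letters to ASPSESSIONID).
function auditCookies(headers, sessionNames) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const isSession = sessionNames.some((n) => c.name.startsWith(n));
    const problems = [];
    if (isSession && !c.httpOnly) problems.push("missing HttpOnly");
    if (!c.secure) problems.push("missing Secure");
    if (problems.length > 0) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Constructed sample headers modelled on the cookies discussed on this page.
const SAMPLE_HEADERS = [
  "JSESSIONID=01E9CONSTRUCTED; Path=/myUrl/; HttpOnly",
  "ASPSESSIONIDQCSRTCCA=CONSTRUCTEDVALUE; path=/",
  "theme=dark; Path=/; Secure; SameSite=Lax",
];
const SESSION_NAMES = ["JSESSIONID", "ASPSESSIONID"];
```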
Searching for possible ways to get a cookie with httpOnly enabled, I cannot find any. But then again, how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same?
So my question is, is it really, really impossible to get cookie of httpOnly enabled requests, using javascript?
p/s: Yes, I'm aware httpOnly doesn't stop XSS attacks. I'm also aware it's futile against sniffers. Let's just focus on javascript, sort of alert(document.cookie) type / pre-httpOnly era.
how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies?
They are browser extensions, and the browser has access to the cookies; extensions have a higher level of privileges than your JS code.
is it really, really impossible to get cookie of httpOnly enabled requests, using javascript?
Provided you are using a browser (i.e., a quite recent browser) that supports httpOnly and doesn't have a security bug about it, it should be impossible -- that's the goal of httpOnly.
Quoting Wikipedia:
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.
Firebug and other addons can do that because they are not running under the security restrictions imposed on the JavaScript of the web pages.