Firefox extension/addon does not store cookies - cookies

I'm working on an browser extension that authenticates with a remote server via XMLHttpRequests. In Firefox (59.0.2) I have the problem that the session cookie send by the server is not stored in the browser. When looking at the network traffic I get a Set-Cookie response from the server for every request:
Set-Cookie JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0;Path=/
but it seems that the cookie is never accepted or stored in the extension.
When looking at Chrome (where the extension is working) my extension includes this cookie in the request:
Cookie: io=jCX1X9rlaOhCqE0nAAAB JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0
However, this is not the case in Firefox. Why is Firefox is not including the cookie in the request? and why is it not storing the cookie?
UPDATE: as suggested I filed a bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1454806
Furthermore, I created a very minimal example addon that fails:
https://gitlab.com/czeidler/firefox-cookie-problem
Could somebody please let me know if that addon really should work? or am I doing something wrong? To trigger the problem open the debug view of the addon and select the network view. Then click the addon popup icon. This will trigger two requests to my server. The first reply contains a Set-Cookie header that is not reused in the second request.

I found the reason why it is not working. Firefox handles a request from the popup as a cross domain request and does not set the cookie for this reason. Not sure if Chrome and Firefox should behave the same here or which approach is the better one. Here is how I fixed this issue to make it work in both browsers:
On the server:
response.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))
response.addHeader("Access-Control-Allow-Credentials", "true")
In the popup:
connection.withCredentials = true;

Related

Postman cookies not set for subdomain (Postman Inceptor, Postman Native App)

i am playing around with Postman to get some insight on how things work behind the curtain and ran into, what I believe, is an issue but wanted to ask before I create a new issue on GitHub.
I am intercepting the request from my browser to the same site using the Postman Interceptor to use the request values in the native app. I have cookies enabled and the site (the whole domain) whitelisted.
When I use the history to resend the same request that was captured I get an auth error that is caused by the fact that the cookies are not included in the request (found that out by checking the cURL code snippet). I believe the reason for that is, that the cookies are set under another sub domain than that the request is send to.
I will try to include some pictures to clarify. My question here is:
Am I missing something/did I set something up in the wrong way
or is this an issue and I should create an issue in the official Postman Github page
cURL request
Cookies in Postman Native App
you should see if cookie is being send not using code snippet but the console :
its indeed sending cookies ,

Why cookies appear in request header but not response header when visiting a new website?

This is a incognito window in chrome visiting oracle. Please notice that the request header already has cookie in the very request.
I also tried to use GuzzleHttp in php and postman. I can't get the cookie from anywhere.
Actually I am trying to crawl some other website, and that website has the same problem. I can't get the cookie so I got rejected.
Isn't cookie something that the server returns to the browser? Why in this case it is like the browse know the cookie in the first?
Http cookies are set once in a response by the server (with a Set-Cookie header), then they are included by the browser in each applicable subsequent request.
So it is perfectly normal that cookies your browser already obtained are present in the request but not in the response.
Cookies may also be set on browser side by Javascript, but that also can't happen before the first request (to at least retrieve that Javascript).

How to Inspect Cookies in Safari 11 Developer Requests & Responses?

This must have been answered somewhere but I just cannot find the answer - how can I inspect the cookies set in http RESPONSE and REQUEST in Safari 11?
I am looking for something similar to Chrome DevTools Network tab inspector where you can see any cookies sent, per http request/response, and what they contained.
I've tried inspecting the cookies via Storage but even here some cookies are present, others not. What is weird is that I can see cookies set by third parties like Stripe or Intercom, but not the cookies associated with the actual domain I am on. All these cookies are present and being set in Chrome & Firefox.
Thank you!

Where do HTTP request cookies originate?

I have a VB.NET app that sends a POST request to a script on my server that is running Cloudflare. I always get an error when sending the request from the app, however using a Firefox extension to simulate the request works fine. With the use of Fiddler I think I have found the cause of the problem:
When sending the request with the Firefox addon an extra header is attached to the request:
Cookie: __cfduidxxxxxxxxxxxx
This cookie is from Cloudflare, but where does it come from, ie. how can I get this cookie value and send it with my requests from the VB app? I tried copying and pasting the cookie into the app and it worked fine, so this leads me to conclude that I need this cookie, however this value is unique for each user so I cannot simply hardcode it into the app.
Quick side-note: Not sure if this helps, but if I send a GET request from the VB app it works fine without the __cfduid cookie.
Look for a Set-Cookie header coming back from the server on it's response. It will expect to get that value back on subsequent requests in a Cookie: header. This value is usually an opaque string that is classified by a path, although not always.

Coldfusion cookie issue

I'm having issues deleting client cookies with the cfcookie tag, I'm setting the value to "" AND changing the expiration date to now.
But I think it's resetting the cookie in the same page that it deletes it.
Is there a application (or addon for chrome,firefox) that can tell me where it's giving me cookies?
There's Fiddler, an application that logs all HTTP(S) traffic between your computer and the Internet.
1) Run Fiddler.
2) Open your site on the browser you use.
3) Look at the request and response headers on Fiddler. Any cookie set or delete will be there.
Other references:
Fiddler Can Make Debugging Easy. [September 12, 2006]
Fiddler Proxy and HTTP Debugging Tool [December 17, 2010]
As tiangoinu said, use Fiddler for Windows, or if you're on a mac, check out Charles Proxy.
As to your specific question, verify that you're not doing a redirect after you delete the cookie. In order for the cookie to be deleted on the client, the necessary HTTP headers need to be passed to the browser, and sometimes a cflocation will prevent those headers from being sent.
Yes, look at HTTPLive Headers for FireFox. Or some other type of intercept proxy to put between the browser and the server. You can then see the HTTP headers and try to determine where the cookies are being set (or at least how often).