FormsAuthentication Cookie Disappearing - cookies

I have a web application that I am working on where I create a cookie called "AuthCookie". I insert this cookie into the response as shown:
Response.Cookies.Add(authCookie);
I then redirect to another web application. In that web application, when I run the following code:
var test = Request.Cookies["AuthCookie"];
The cookie is null. I look in the list of cookies and "AuthCookie" is no longer there. In the web.config of this website, "AuthCookie" is the name of the Forms Authentication....
<authentication mode="Forms" >
<forms name="AuthCookie" loginUrl="https://localhost/Test/Authenticate" timeout="2" requireSSL="false" domain=""/>
</authentication>
When I change the name of the cookie that I created to something else like...AuthCookie2, the issue does not occur. When I am redirected to the second website, the cookie remains intact and "Test" is not null.
My knowledge on Cookies is a bit weak when it comes to Forms Authentication. Can someone explain to me why this is happening? I've googled left and right, but to no avail. I also need to have the names remain the way they are. Simply changing the cookie name isn't an option for me.

Related

ColdFusion Application.cfc onRequestStart Session scope

I have an application written in ColdFusion that allows users to log in. My login page is in the root directory in a sub-directory called "login". During the login process, the system checks the username and password against my database, and assuming they are legit, it sets a Session variable of "Session.LOGIN_ID". At the bottom of my login script, I can print the login_id to the browser without any problem. However, the last part of my login script is to redirect the user to the main home page, which is located in the root directory in a sub-directory called "main", and once in a while the page fails to load and rather directs the user back to the login screen with a message stating that their session has ended due to inactivity.
I have a Application.cfc file defined in the "main" folder, with a onRequestStart method defined that checks for the Session.LOGIN_ID being defined. If it is not, it redirects the user back to the login page and shows the message that their session has ended due to inactivity.
My question is, why is my session variable not present in the onRequestStart method? It's strange because if I clear my browser cache and log in, I'm able to log in without any problem.
Does this make sense to anyone? Any suggestions as to what I could look for that could be causing this problem? I tried to dump the session vars using cfdump var=#session# from within the onRequestStart method and CF throws an error stating that SESSION is undefined.
UPDATE
In response to Adam's request, there are not multiple domains involved. Also, no switching from HTTP to HTTPS. The login page however is not bound by the Application.cfc because the login page is located in my "login" folder. The Application.cfc file is located in the "main" folder, along with the other components of my application. As far as the screenshot of the cfdump, I don't want to offend anyone but I can't really post the screenshot due to the fact that it contains information pertaining to the site and I'm not authorized to post such information. I can say that when I try to do a cfdump of the session scope, it DOES show a few items in the list such as cfid, tokenid etc. However the session.login_ID is not present.
UPDATE
Okay, so taking the suggestion from Frank I have the onRequestStart method set up so that it sends me an email with a dump of the session and cgi scope. I found the following. In the Session dump, the cfid is equal to 4830, and the cftoken starts with b8e0d5... However, in the CGI dump, under HTTP_COOKIE, the value says CFID=4609; CFTOKEN=dd15bc0.... Are they supposed to match?
For me, the situation was resolved by enabling J2EE sessions variables from within CF Administrator. See related post here https://forums.adobe.com/thread/1058200
This is a formatted comment in response to, "I just noticed that the items didnt match in the dump and figured I'd mention it in case they SHOULD match".
Whether or not they should match is up to the programmer, not us on StackOverflow. However, you debug this sort of thing as follows.
if(actual result == expected result)
output 'yes'
else
output 'no' and the actual result and the expected result

Can I access a cookie set by another domain?

Let's say that I got a cookie in my browser set by a website (not mine).
I got it from browsing that website obviously.
Now, I was wondering if I could display that cookie's value in my website... I tried, but it doesn't work. Though, I can access and display cookies set by my website. Here is the code I used:
echo $_COOKIE["cookieice"];
I got the cookie's name from an addon called "Cookie Editor" which works on Firefox.

How to set a cookie for iframe on the same domain

I'm trying to make integration of etherpad-lite in the CMS Plone, following Example 1 of the official documentation http://etherpad.org/doc/v1.2.7/
Portal places the cookie "sessionID" with the given value on the client and creates an iframe including the pad.
Everything goes well except for the cookie. Reading the documentation, the best practice seems to be to have etherpad-lite in the same domain under a specific path. This is what I have done using the /pad/ path.
On the Plone side, if no session has been created, I create one, add a cookie and then do a redirect to the same page to be sure the cookie is in the browser.
As a result, my cookie is added to the request for the main page but not to the iframe request.
Here is the google chrome console network tab for the main page and the iframe:
http://toutpt.makina-corpus.org/en/images/cookie-in-iframe/
The code corresponding to the setCookie is at https://github.com/toutpt/collective.etherpad/blob/master/collective/etherpad/archetypes.py#L100
For posterity, here's the answer from @AskoSoukka identified and "accepted" in the comments above:
What does the actual cookie stored in your browser look like? Probably, you need to explicitly specify path="/" in setCookie kwargs to make it work for the whole domain.
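The path scoping behind the answer above, as an added example that is not part of the original thread: it implements the RFC 6265 default-path and path-match rules a browser applies when deciding whether to attach a cookie to a request. The page and pad paths are constructed, and it assumes the cookie was set without a Path attribute.

```python
# Added example (not from the thread): RFC 6265 section 5.1.4 cookie path rules.

def default_path(request_path: str) -> str:
    """Path the browser assigns when Set-Cookie carries no usable Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path[: request_path.rfind("/")]


def path_match(cookie_path: str, request_path: str) -> bool:
    """True when a cookie scoped to cookie_path is sent for request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary, so "/pad" does not cover "/padding".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(set_on: str, path_attr, request_path: str) -> bool:
    """Would a cookie set by the response for set_on be sent with request_path?"""
    if path_attr and path_attr.startswith("/"):
        cookie_path = path_attr
    else:
        cookie_path = default_path(set_on)
    return path_match(cookie_path, request_path)


# Constructed paths: a CMS view that sets the cookie, and the pad loaded in the iframe.
PAGE = "/plone/my-doc/etherpad_view"
IFRAME = "/pad/p/demo"

if __name__ == "__main__":
    for attr in (None, "/"):
        print(f"Path={attr!r}: main page={cookie_sent(PAGE, attr, PAGE)}, "
              f"iframe={cookie_sent(PAGE, attr, IFRAME)}")
```

Scoping the cookie to "/" makes it visible to every application on that host, so this only suits hosts where all paths are equally trusted.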

Cookies not working in ie7

I have two pages on two different domains example1.blogspot.com (a Blogspot blog) and example2.com (my own domain, static page). Both pages contain an iframe which loads the same document from a third domain, example.org. The iframe's document contains a small JS web app which calls example.org via AJAX, one of the calls is a POST request and the server sets a cookie with the response.
Upon reloading the pages, the cookie on example1.com seems gone, i.e. jQuery's $.cookie() returns null. On example2.com, everything is fine. This happens only in IE7 - IE6, Safari and Firefox all behave as expected. What's wrong with IE7?
Thanks, Simon
edit:
Oh well, stupid me ;-) It looks like I have a race condition between some event handlers and a window.setTimeout call when deciding whether to check for cookies...sorry!
So if $.cookie() returns null, what does document.cookie show? Also have you taken a look in IE7's list of cookies to see if the cookie is actually there? Also check that PATH and DOMAIN settings on the cookie are correct.

Django SESSION_COOKIE_DOMAIN

I'm seeing something mysterious with the SESSION_COOKIE_DOMAIN setting in django.
Normally, when I have this set to ".mydomain.net" it works fine. But occasionally cookies don't seem to be being set, because when I log in, I'm not remembered in the session and I become AnonymousUser when I get to the next page.
In these circumstances, if I change my settings file so that SESSION_COOKIE_DOMAIN is now None or "", then the site behaviour returns to normal. If I change SESSION_COOKIE_DOMAIN back to mydomain, the problem returns.
Any ideas? Is this likely to be a silent failure in the settings? Or could it be something to do with my server configuration? Or the machine I'm accessing the site from?
In all likelihood, you are ending up with multiple sessionid cookies being sent. If you have a sessionid cookie with domain 'example.com' and another cookie with domain '.example.com', Django will test only one of those sessionid values. I am unsure of how Django decides which sessionid value to test for validity.
Check your cookies in your browser (in FF, Tools -> Options -> Privacy -> Something about cookies) and see if they are correctly set. Search for your domain, and see if the sessionid cookie is set.
It might be a browser issue as Paul suggests. However, I'd be tempted to do some HTTP analysis with Firebug or Live HTTP Headers in Firefox. Is it trying to set the cookie correctly?
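A server-side check for the duplicate-cookie situation described in the first answer above, as an added example that is not part of the original thread: the Cookie request header carries only name=value pairs, with no Domain attribute, so two sessionid cookies scoped to 'example.com' and '.example.com' arrive as indistinguishable duplicates. The header value is constructed, and Python's standard-library SimpleCookie stands in for a dict-style parser; it does not claim to show which value Django itself picks.

```python
# Added example (not from the thread): spot duplicate cookie names in a Cookie header.
from collections import defaultdict
from http.cookies import SimpleCookie


def cookie_values(header: str) -> dict:
    """Every value seen for each cookie name, in the order the browser sent them."""
    seen = defaultdict(list)
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            seen[name].append(value)
    return dict(seen)


def duplicates(header: str) -> dict:
    """Cookie names that appear more than once, with all of their values."""
    return {n: v for n, v in cookie_values(header).items() if len(v) > 1}


def value_kept_by_dict_parser(header: str, name: str):
    """Value a name-keyed parser ends up with; the other duplicate is silently lost."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


# Constructed header: one stale and one current session cookie under the same name.
SAMPLE_HEADER = "sessionid=stale111; csrftoken=abc; sessionid=fresh222"

if __name__ == "__main__":
    print("duplicates:", duplicates(SAMPLE_HEADER))
    print("parser keeps:", value_kept_by_dict_parser(SAMPLE_HEADER, "sessionid"))
```

Logging the result of `duplicates()` on requests that unexpectedly come back anonymous confirms or rules out this cause without relying on the user's browser cookie list.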