Cookie dependent applications - cookies

What will be the situation if the application is dependent on cookies and user turned off cookies in browser?
Will the application fail to run?
Do developers need to handle it differently when cookies are turned off?

Depends on what your application should do.
There is always an O-Point, e.g. you are online at Facebook and you start a new window in private mode: you will not be logged in, because the cookie holds the session (the cookie holds several pieces of information).
I hope I could help you with it a bit; tell me if I missed the topic.

The app won't fail to run, but developers have to handle the situation differently when cookies are turned off.
For example, Facebook displays advertisements related to your cookie information. If you were looking for X product on Amazon, it will then display ads about it.
If cookies are disabled, it would display other ads; it wouldn't crash.

Related

Correct (technically) handling of cookie consent

I'm about to implement cookie consent for a website. As I understand it, cookie consent means that you shall not use cookies before you have received a consent from the user.
How can I know that a user has accepted cookies or not without storing this information in a cookie?
I'm assuming you mean the GDPR. Your understanding of it is incomplete: cookies that are necessary to deliver the site's functionality are allowed without consent. A cookie that merely stores consent is thus allowed, even if the user rejected other cookies.
I am not a lawyer, not legal advice, etc.
I suggest you set a cookie only if the user has accepted cookies. If this cookie is set, don't ask again. Otherwise show the cookie consent banner again and again on every new site they visit as if they were new visitors.
What I find strange is that even big German sites like Stern.de, Focus.de, Spiegel.de and even the computer magazine heise.de are setting loads of cookies before they show the consent banner.
Even more strange is that while Stern.de and Focus.de also offer a complicated "Adjust" button (users usually don't click them because adjusting cookie preferences on every site is nerve-wracking), Spiegel.de and Heise.de don't even offer this. They just offer "Accept" or pay for an ad-free version.
If you click on "Adjust" instead of "Accept" on the first sites they just close the consent banner.
So all the sites don't show a button to easily deny or delete cookies, even though I thought it has to be as easy to deny as to accept. I'm not a lawyer either and this is no legal advice, but if they all do it this way I guess this must be legal in Germany even if it doesn't make any sense at all. Cookies are set no matter what the visitor does. The big question seems to be: what is necessary? Are Google Analytics and Adsense and others necessary to finance the server and keep the site online? Necessary cookies are allowed.
Writing this, there is an article on another big news site (that also sets loads of cookies before showing the consent banner and also just offers accept or pay buttons) saying someone had to pay €100 for not asking the visitor for his permission before even loading Google Fonts, not even talking about analytics: https://t3n.de/news/google-fonts-illegal-urteil-dsgvo-1447698/
https://stackoverflow.com/q/70967060/12668719
Analytics Is there a setting on Google Analytics to suppress use of cookies for users who have not yet given consent
Adsense How To Make Adsense Load When Cookie Consent Given?
Check this open source solution for the EU cookie law compliance:
https://cookieconsent.osano.com/
The easiest and most effective way is to show a pop-up banner that explains which kind of cookies you want to store and provide an option to allow/disallow each cookie. When clicking Save, you have to handle which cookies were allowed and load them accordingly. Everything can be done in JS.
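The flow these answers describe (store the decision in a consent cookie, then load only what was allowed) can be sketched as follows. This is an added example, not code from any of the posts or from the linked library; the cookie name `cookie_consent`, the category names, the script URLs and the 180-day lifetime are all assumptions.

```javascript
// Added example: consent-gated script loading. All names are hypothetical.
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['necessary', 'analytics', 'ads'];

// Constructed sample registry: every script is tagged with the category it needs.
const SCRIPTS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/show.js', category: 'ads' },
];

// Find one cookie in a "name=value; name2=value2" string (document.cookie format).
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return null;
}

// Returns null when no decision is stored, otherwise the set of granted categories.
// Unknown category names are dropped, so an edited cookie cannot enable anything
// the site has not defined.
function parseConsent(cookieString) {
  const raw = readCookie(cookieString || '', CONSENT_COOKIE);
  if (raw === null) return null;
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { return null; }
  const granted = new Set(['necessary']);
  for (const c of decoded.split(',')) {
    if (CATEGORIES.includes(c)) granted.add(c);
  }
  return granted;
}

// Build the cookie that records the banner's "Save" click.
// In a browser: document.cookie = consentCookie({ analytics: true, ads: false });
function consentCookie(choices, maxAgeDays = 180) {
  const granted = CATEGORIES.filter(c => c === 'necessary' || choices[c] === true);
  return `${CONSENT_COOKIE}=${encodeURIComponent(granted.join(','))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Decide what to do on page load: default-deny until a decision exists.
// In a browser: planPageLoad(document.cookie), then inject a <script> per entry.
function planPageLoad(cookieString) {
  const consent = parseConsent(cookieString);
  const granted = consent || new Set(['necessary']);
  return {
    showBanner: consent === null,
    load: SCRIPTS.filter(s => granted.has(s.category)).map(s => s.src),
  };
}
```

The point of the default-deny branch is that analytics and ad scripts are never requested before a decision exists, which is the behaviour the answer above found missing on the sites it lists.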

Manage session in loopback

I am creating an application using LoopBack. I am facing a problem managing the session. When the app logs in, a session is created. When I reload the page, the session is not present on the client side but it is on the server side. Please tell me how to manage the session on the client side, and how to send a response from the server to the client. Sorry for my English, but I am in trouble.
Please tell me about it.
Thanks in advance.
You can inject $sessionStorage in angular and use it to preserve the session information that you get back from loopback.
But I believe that loopback already has the ability to store the access token in the browser's localStorage, so it is preserved across page reloads and browser (hybrid mobile app) restarts. So I'm not sure why it gets lost for you ... or maybe that's not what you mean by "page session"? Feel free to clarify.
You can see an example of logging in and then saving the user info to browser here: https://github.com/ShoppinPal/warehouse/blob/f03abc632ac01682e938e58db868290fb6e33083/client/app/scripts/controllers/login.js#L35-L42
If you ever find yourself in a similar situation again, try searching for code on github.com as there is some chance that you might find what you're looking for in an open-source project.
For example, you can get decent hints if you searched for user model sessionStorage path:/client/app where user model sessionStorage are keywords to look for and path:/client/app represents (more or less) the standardized directory structure for loopback (path:/client/js is another common path to try) ... it is generally worth limiting your search with it ... this helps narrow down thousands of search results into double digits. I do admit however that it doesn't always work because if you didn't know to look for the sessionStorage keyword then the search would have been quite fruitless ;)

Is there something a site can do to incorporate third party cookies

I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point it is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in each URL request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? ie can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do, is pass the session id not (only) by cookie, but as a GET or POST parameter as well – f.e. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan, John
For the Chrome v80 update with SameSite flags, want to set the samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have apache 2.2 and tomcat 6 setup, so would appreciate a solution and advice on how to make it work. Currently with flag enabled the iFrame is not punching out successfully.
Thanks
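Why the iframe's cookies go missing, and what the `SameSite=None; Secure` pair changes, can be seen in a small model of the browser's decision. This is an added example, not code from the thread: it is a simplified model of Chrome 80-style rules, the cookie name `custom` is constructed, and the `crossSite` flag is supplied by the caller rather than computed from domains.

```javascript
// Added example: simplified model of how a Chrome 80-style browser treats a
// cookie set by a page that is later loaded inside another site's iframe.

// Parse the parts of a Set-Cookie header that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name
  // A cookie without a SameSite attribute is treated as Lax.
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: 'lax' };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite' && ['strict', 'lax', 'none'].includes(val)) {
      cookie.sameSite = val;
    }
  }
  return cookie;
}

// ctx.crossSite: the framed page's site differs from the top-level page's site.
// ctx.https: the framed page is requested over HTTPS.
// ctx.thirdPartyBlocked: the user has turned third-party cookies off.
function iframeCookieDecision(setCookieHeader, ctx) {
  const c = parseSetCookie(setCookieHeader);
  if (!c) return 'rejected: malformed';
  if (c.sameSite === 'none' && !c.secure) {
    return 'rejected: SameSite=None requires Secure';
  }
  if (c.secure && !ctx.https) return 'withheld: Secure cookie on http';
  if (!ctx.crossSite) return 'sent';
  // A framed request is not a top-level navigation, so Lax does not help.
  if (c.sameSite !== 'none') {
    return `withheld: SameSite=${c.sameSite} in cross-site frame`;
  }
  if (ctx.thirdPartyBlocked) return 'withheld: third-party cookies blocked by user';
  return 'sent';
}
```

The last branch is the case the original question describes: even a correctly flagged cookie is withheld when the user blocks third-party cookies, so the attribute pair is necessary but not sufficient.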

Share cookies between sessions in IE7

I'm trying to get IE7 to share its cookies between sessions. I found that if I set the expiration date, it will share the cookies. However, I can't use this method because I am trying to control login to my application (users may only login once). Is there another way to get IE7 to share?
Thanks
As far as I know cookies aren't bound to session, but to the browser i.e. different sessions can read the same cookie (on the same domain).
A better way to check if a user is already logged in would be a flag in the database, since users who really want to log in more than once can use different browsers...

IE8 losing session cookies in popup windows

We have an ASP.NET application that uses Forms Auth. When users log in, a session ID cookie and a Forms Auth ticket (stored as a cookie) are generated. These are session cookies, not permanent cookies. It is intentional and desirable that when the browser closes, the user is effectively logged out.
Once a user logs in, a new window is popped up using window.open('location here');. The page that is opened is effectively the workspace the user works in throughout the rest of their session. From this page, other pop-ups are also used.
Lately, we've had a number of customers (all using latest versions of IE8) complaining that when they log in, the initial pop-up takes them back to the log in screen rather than their homepage. Alternately, users can sometimes log in, get to the homepage (which again, is in a new pop up window), and it all seems fine, until any additional pop-ups are created, where it starts redirecting them to the log in screen again.
In attempting to troubleshoot the issue, I've used good old Fiddler. When the problem starts manifesting, I've noticed that the browser is not sending up the ASP.NET session ID session cookie OR the Forms Auth ticket session cookie, even though the response to the log in POST clearly pushes down those cookies.
What's more strange is if I CTRL+N to open a new window from the popped-up window that is missing the session cookies, then manually type in the URL to the home page, those cookies magically appear again. However, subsequent window.open(); calls will continue to be broken, not sending the session cookies and taking the user to the log in screen.
It's important to note that sometimes, for seemingly no good reason, those same users can suddenly log in and work normally for a while, then it goes back to broken.
Now, I've ensured that there are no browser add-ons, plug-ins, toolbars, etc. running. I've added our site as a trusted site and dropped the security settings to Low, I've modified the Cookie Privacy policy to "accept all" and even disabled automatic policy settings, manually forcing it to accept everything and include session cookies. Nothing appears to affect it.
Also note the web application resides on a single server. There is no load balancing, web gardens, server farms, clusters, etc. The server does reside behind an ISA server, but other than that it's pretty straight forward.
I've been searching around for days and haven't found anything actionable. Heck, sometimes I can't even reproduce it reliably. I have found a few references to people having this same problem, but they seem to be referencing an issue that was allegedly fixed in a beta or RC release (example: IE8 loses cookies when opening a new window after a redirect). These are release versions of IE, with up-to-date patches.
I'm aware that I can try to set permanent cookies instead of session cookies. However, this has drastic security implications for our application.
Update
It seems that the problem automagically goes away when the user is added as a Local Administrator on the machine. Only time will tell if this change permanently (and positively) affects this problem.
Time to bust out ProcMon and see if there is a resource access problem.
Update #2
It seems there are multiple angles to what appears to be a singular problem. I reported long ago that making the user a local administrator seemed to help. And it did, for a number of users. Of course, that's not really a solution, but it did let us hobble along.
Then more users started reporting the issue, and the admin fix was not helping. The users seemed to be mostly Win7, but Vista was also affected. They also seemed to mostly be 64-bit installations.
Setting the TabProcGrowth to 0 or 1 (either worked) as suggested by some members below seems to have largely addressed the issue. So, I'm going to move my accepted answer to the first person that suggested that, as it has had significantly more impact.
This has been an incredibly frustrating issue to attempt to solve, since it is difficult to reproduce and often occurs with users that I do not have direct communication with, or by the time I get to them it doesn't appear to be working. All I can say is something is not right with the session merging feature, but I don't have much data to feed to Microsoft to find a permanent fix.
This is 'new' functionality in IE8!
Check out the IE8 blog below to read about it.
http://blogs.msdn.com/askie/archive/2009/03/09/opening-a-new-tab-may-launch-a-new-process-with-internet-explorer-8-0.aspx
IE8 can use multiple processes for handling an x number of IE windows. When you cross a process space, you lose your cookies (Asp.Net session ID seems to be retained over this process boundary).
I personally think it's broken or a bug. As we know, when browsing to the 'same domain target' cookies should be maintained and resent. That IE8 has different processing behavior for security.. Great! That it is behaving badly and 'drops cookies even if going to the same target domain in another window' is just a bug in my view.
You can modify the number of processes IE8 uses through the internet explorer options ehh.. modifying a registry setting!!!!!! (This is what makes it a bug in my view. IE providing a UI to modify these settings would make it 'enterprise level acceptable'.)
Regards,
Marvin Smit
There are multiple possibilities behind this -
UAC & Vista (Had to crop up!!). Specifically, look for protected mode behavior.
This could be an actual problem with the Session Merging feature in IE8. More so because opening a new window via the Ctrl+N shortcut causes the cookies to be magically sent in your case.
An issue with an older build of IE (I know you have stated that your customers are using the latest build). You might want to check the details available at Microsoft Connect for bug IDs 408806 and 392032.
We solved this problem by changing the "Set tab process growth" to 0.
Although, we didn't have protected mode turned on and the zone was "Intranet". Evidently this is a problem/bug with Windows 7 64Bit as others have stated.
This page (#4) led me to the solution: http://blog.httpwatch.com/2009/04/07/seven-things-you-should-known-about-ie-8/
Near as I can tell, another change to cookies across tabs just went live in this security update from November 12, 2013 that is breaking functionality in our app in all versions of IE. We're doing OpenID auth in a popup window so as to not have to redirect the user away from the page they were browsing when they first clicked the Login link. The session cookie for the login is correctly being sent down in the request in the popup window, but it never gets seen by the main browser window, so the next request to the server doesn't have that session cookie on it like it should, and thus logging in never actually works.
Does anyone have any possible solutions to this?
We had this problem on IE6, 7 and 8. The scenario is parent window (1) opens a modal window (2), modal window has a link to a non-modal window (3). I used to get a different session Id in the 3rd window.
Workaround mentioned here fixed the issue http://support.microsoft.com/kb/831678
Since IE8 we (and our customers) are also experiencing the same issue. We have an asp service for creating forms. This application uses new windows for adding elements or managing user accounts, for example. Randomly (when opening a new window), the application doesn't get the required session id for authentication along with other 'permanent' cookies. Hence, the session id is a temporary cookie. Most of the time it goes well, but other times the session is broken every time a new window is opened. We have to advise our customers to close all IE windows and start over again.
As a web developer I use IE extensively. Personally, I am not experiencing the above issue. But I think a related one. A few times a day IE totally hangs (does not respond anymore) when opening a new window. When I kill a certain IE process using the task manager, IE starts responding again. But in most cases it's better to start all over with a clean new instance of IE. For this reason I just kill the process with the least ram usage which causes all IE processes to quit.
Microsoft saying these issues/bugs are squashed in the final version does not give me trust in their effort to solve the issue still being experienced.
I also found a workable fix for this problem. There seems to be a problem with how IE8 handles opening servlets in another window with a relative path such as /test. It seems to be opening a new session as well as a new window. Our workable fix is that instead of opening a new window with a relative path, we just used a jsp page. So when we navigate to a URL, we do not navigate to /test anymore. We navigate to a specific file. In the jsp file, we forward the request to the relative path. This seems to work, which is kind of awkward, since the only difference is that we are placing a specific file in between.
I hope this helps.
I know this problem since IE 5, so I only use session's variables in modal pop-up windows...
When I open a non-modal pop-up window, I replace all session's variables with ASP.NET cache and new object collections...
But it's very tiresome!
Other browsers (i.e. Firefox) don't have this problem...
I believe this is actually a bug in IE; I have reported it here to see what feedback I get: http://social.msdn.microsoft.com/Forums/en-US/83bb3b91-1c1f-4d51-9281-9bc5f51d3640/log-in-fails-cookie-is-not-sent-to-originating-tab?forum=iewebdevelopment
I have a similar, though not identical problem. We load a webpage that opens a popup with window.open() into an IE browser control. On machines that have either IE6 and IE8, the popup window is always assigned a new SessionID by ASP when launched from the control. However, when launched from a normal browser (IE or Firefox), the popup window gets the existing SessionID.
I can see when launching from the control that a new iexplore.exe process is spawned; thus the session loss behavior makes sense given what has been mentioned about in-memory cookies not being carried over to the new process.
I'm still trying to figure out a workaround myself ...
Update
Figured out a workable fix! It is possible to subclass SessionIDManager and specify that this class should be used instead of the default (<sessionState sessionIDManagerType="..."> in Web.config). The subclass can look for a query parameter containing the existing session id in an override of CreateSessionID(), and return it if found. This essentially allows a page to request being "merged" into an existing session it has knowledge of.
The call to window.open() then simply needs that query parameter specified in its URL.
Haw-Bin
Had a similar problem with PHP5 and IE8. When opening one certain popup window in JavaScript with window.open, IE8 lost the session cookie and forced the user to login again.
Meanwhile, other popup windows worked OK.
The culprit turned out to be an image tag. The template system generates image src = values dynamically and a missing image resulted in an image tag with an empty src clause (
I suspect this has something to do with IE interpreting the empty src-tag as an insecure URL and isolating the session in the popup without informing the user.
I was running into a similar issue with using session variables to pass values to a pop-up window. I just ended up writing the values to a persistent cookie and then reading the cookie in the popup window. This may not work with the issue you were having with forms authentication, but if are just using session variables to pass some values to a window in IE8, persistent cookies seems to have worked for me.
edit: see also this thread
You can also use the localStorage method to reset the value in the parent window.
localStorage.setItem("Key", "Value"); // JavaScript