Is there anyway to make the ColdFusion application to maintain its session, even if the browser cookie has been disabled ?
NOTE : I don't want to use addtoken="true" in <cflocation/> tags. I mean I don't want to use the session token in the URL.
Related
I'm testing a website that requires cookies for access tokens. I have valid tokens that I'm setting in Chrome's "Application" tab in developer's tools. However, I can't always add cookies because the page is programmed to redirect if there are no cookies available. Thus, I need to be able to set a cookie with my token for this domain while on another domain's webpage. Is there a way to do this or do I have to be on the same page that I want to set cookies for?
I have a server side application that uses cookies for session management. The browser has some script that sends an ajax request to add information to the session. This is working well and in production.
The business wants to be able to insert this application in other companies' websites via iframes. ie myapp.com is in an iframe in otherbusiness.com and when the user clicks a button in the application in the iframe launched from myapp.com, it sends a request with a cookie that contains the session id to update the user's session on the myapp.com server.
For the browser to be able to send a cookie, 3rd party cookies needs to be enabled by setting the cookie options of SameSite=None and Secure. This works for all browsers except Safari.
Safari no longer accepts 3rd party cookies.
The only solution I can come up with is to use session ids in the URL but this is a little cumbersome.
Can anyone suggest a better option or perhaps a good implementation of session ids in the url?
I used hidden html fields to pass the session id and expiration.
My server side code checks for a cookie if it cannot find it, looks for the session id and expiration in the hidden fields.
This avoids security issues with passing the id in the url. It is a little clumsy to implement but it works.
My SPA uses React as front end and laravel API as backend.
When the user logs in (via axios and api), the api returns an access (Bearer token) as response. I use the react-cookie framework to store the access token as cookie in the Browser. This cookie will be read and used for any future request.
Is this the right way to do?
Isn't cookie data just something in the Browser that can be easily obtained by any attacker? Since it is just a file one the computer somewhere.
What is stopping an attacker from grabbing that cookie, impersonate as that user and start performing actions that requires authentication?
The token has a life span of lets say 1 year. It will only be refreshed every time the user logs in. I understand that if I set the life span shorter it will be more secure. However that will mean the user would have to log in constantly?
-----Update-----
Im not sure if any of the provided solution answered my question. A SPA app is front end based and the request can be from anywhere such as Postman, Mobile app, or any third party device that wish to talk to my backed server. So those device needs a way to store some access token locally to be used for any future request.
The only way I know this could happen is for my server to send some auth token to the requester and have it store it somewhere to be used for next request.
In this case, Im not sure if CSRF token or any other means would help my concern?
Just like facebook, if I clear my cache, I will have to re-login. That means facebook is storing something on my location computer so I can be automatically authenticated next time
I just want to add some disadvantages of storing tokens in cookies that you should also be aware of:
The max size of a cookie is only 4kb so that may be problematic if
you have many claims attached to the token.
Cookies can be vulnerable to cross-site request forgery (CSRF or
XSRF) attacks. Using a web app frameworkâs CSRF protection makes
cookies a secure option for storing a JWT. CSRF can also be partially
prevented by checking the HTTP Referer and Origin header. You can
also set the SameSite=strict cookie flag to prevent CSRF attacks.
Can be difficult to implement if the application requires
cross-domain access. Cookies have additional properties (Domain/Path)
that can be modified to allow you to specify where the cookie is
allowed to be sent.
------- Update -----
You can also use cookies to store the auth token, even it is better (at least in my opinion than using local storage, or some session middleware like Redis). And there are some different ways to control the lifetime of a cookie if we put aside the httpOnly and the secure flags:
Cookies can be destroyed after the browser is closed (session
cookies).
Implement a server-side check (typically done for you by
the web framework in use), and you could implement expiration or sliding window expiration.
Cookies can be persistent (not destroyed
after the browser is closed) with an expiration.
Your JS should not have access to the cookie. There are flags you can set on cookies that will help protect them and make sure they are only used for the correct purposes.
The HttpOnly flag is set on the cookie then JS will not be able to access it but it will still be sent with any request.
The SameSite flag will ensure that the cookie is only sent back to the site that gave it to you. Which prevents leakage.
The Secure flag will make it only send the cookie over a secured connection to prevent someone from sniffing it out of your web traffic.
Edit
You might want to lookup an authorization workflow but the gist of it is this:
User logs in with username and password
A JSON web token is issued upon login from the backend and sent to the browser
The JWT(JSON web token) can be stored in a cookie in the Web Storage(Session Storage) on the browser
Subsequent requests to the REST API will have the token embedded in the header or query string for authorization. With that form of authorization, your REST API understands who is making the request and what kind of resource to return based on the level of authorization
Please see #tpopov answer as he also made some really good points.
Wicket saves jsessionid (actually tomcat does that) , now can I make those jsessionid cookies as persistent cookies and can I use them to make the user login next time he/she visits my page .
The idea behind 'JSESSIONID' cookie is to track a live user session.
Once this session is expired at the server side, i.e. inside Tomcat, the cookie becomes useless. The browser will send it to the web server and there it will be ignored.
What you ask for is "RememberMe" cookie. This cookie usually brings encrypted information about the user. If the user session is expired then the application will forward you to the login page. During this process the application may check for such RememberMe cookie and use it to auto-login this user without asking for her credentials.
Apache Wicket provides DefaultAuthenticationStrategy with support for RememberMe cookie. See wicket-auth-roles SingInPanel.java and the source code for http://examples6x.wicket.apache.org/authentication3 to see how it works. You could also use Spring Security, Apache Shiro, Stormpath, etc. for the same functionality if you decide so!
I found out that for some users of my website the _ga (client id) cookie is empty while I really need it in my script for 100% of users.
I found this out by logging what's happening in my PHP script. This is strange to me, because for me the _ga cookie is always present, no matter which browser I use.
1) Why can the _ga cookie be empty?
2) Is there any way to force creating it? Or maybe there is another way to find out the client id of the user on the server-side?
If javascript or cookies are disabled on client browser cookies always will be empty. You can implement additional logic on server to form an id from IP and/or User-Agent header of request if cookies are empty.