The browser is ignoring the response cookies (csrftoken + sessionid). document.cookie() returns an empty string and the Chrome developer tools show this site has no cookies.
How do I solve this?
Front: Angular 2 (localhost:4200)
Back: Django/DRF (localhost:8000)
Login route: [POST] /login
Response header:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:4200
Allow:POST, OPTIONS
Date:Wed, 05 Apr 2017 07:38:24 GMT
Server:WSGIServer/0.2 CPython/3.5.2
Set-Cookie:sessionid=d5v1mri12bniyvyqqt55ar8mfl9mr2jk; expires=Wed, 19-Apr-2017 07:38:24 GMT; HttpOnly; Max-Age=1209600; Path=/
Set-Cookie:csrftoken=5PcTF8aQ1O79gdrylZcGchnmKyRy6zwS3kL2jR5dY2CMdjPfEYyhkoJjOzsDZuvj; expires=Wed, 04-Apr-2018 07:38:24 GMT; Max-Age=31449600; Path=/
Vary:Accept, Cookie, Origin
X-Frame-Options:SAMEORIGIN
Request header:
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,fr;q=0.6
Connection:keep-alive
Content-Length:51
content-type:application/json
Cookie:sessionid=d5v1mri12bniyvyqqt55ar8mfl9mr2jk; csrftoken=sml3uocRIeiB3KfHSnNkJXBJn3QAFN3p7lLtdvhrALgUwoVnfNjGM5PIy2L3UHls
Host:127.0.0.1:8000
Origin:http://localhost:4200
Referer:http://localhost:4200/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/56.0.2924.76 Chrome/56.0.2924.76 Safari/537.36
Cookies are not shared among different ports of a host (localhost in your case). The browser shows you content from localhost:4200, but the cookies are set to localhost:8000. They are correctly set and used, as can be seen in your second listing titled "Request header". So to see them in the browser, you would have to open a URL from localhost:8000. Even then the sessionid would not be listed in document.cookie(), because it's marked as "HttpOnly" (which means not available to JavaScript).
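Python's http.cookiejar applies the same host-scoping rules as a browser's cookie store, so it can show where the login cookies in the question ended up. This is an added example, not code from the question or the answer above and not part of Django or Angular: the two Set-Cookie values are shortened, constructed copies of the ones in the response listing (with "expires" dropped so the example is not date-bound), the login URL uses the Host 127.0.0.1:8000 from the request listing, and the page URL is the localhost:4200 front end from the question. The last function models what document.cookie would show: only cookies stored for that page's host, and never one flagged HttpOnly.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed stand-ins for the two Set-Cookie lines in the question: values are
# shortened and the "expires" attribute is dropped so the example is not date-bound.
LOGIN_SET_COOKIE = [
    "sessionid=d5v1mri12bniyvyq; HttpOnly; Max-Age=1209600; Path=/",
    "csrftoken=5PcTF8aQ1O79gdry; Max-Age=31449600; Path=/",
]


class _FakeResponse:
    """The minimal object CookieJar.extract_cookies() needs: .info() returning the headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def store_login_cookies(login_url, set_cookie_values):
    """Store the cookies the way a browser does: keyed by the host that set them."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_values), urllib.request.Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the jar would attach to a request for url, or None if nothing applies."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def script_visible_names(jar, page_url):
    """Cookie names document.cookie would expose to a page at page_url:
    only cookies stored for that host, minus any flagged HttpOnly."""
    header = cookie_header_for(jar, page_url)
    if header is None:
        return []
    sent = {part.split("=", 1)[0].strip() for part in header.split(";")}
    return sorted(
        c.name for c in jar
        if c.name in sent and not c.has_nonstandard_attr("HttpOnly")
    )


if __name__ == "__main__":
    jar = store_login_cookies("http://127.0.0.1:8000/login", LOGIN_SET_COOKIE)
    print("stored under host(s):", sorted({c.domain for c in jar}))
    print("sent to the API     :", cookie_header_for(jar, "http://127.0.0.1:8000/api/"))
    print("sent to the page    :", cookie_header_for(jar, "http://localhost:4200/"))
    print("document.cookie on the API host shows:",
          script_visible_names(jar, "http://127.0.0.1:8000/"))
```

Running it shows both cookies stored under 127.0.0.1 and sent back to the API, nothing at all applying to a page on localhost, and even on the API host only csrftoken being visible to script, which matches the empty document.cookie and the Cookie header in the second listing.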
If you are using Angular CLI you could set up a proxy:
ng serve --proxy-config proxy.conf.json
Sample proxy.conf.json:
{
  "/api": {
    "target": "http://localhost:3000",
    "secure": false
  }
}
Or, for local development, use
https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi
Consider this view that generates an ico image:
from django.http import HttpResponse
from app.somewhere import Favicon

# View URL: `/<str:colour>.ico`
def favicon(request, colour):
    response = HttpResponse(Favicon.render(colour), status=200)
    response['Content-Type'] = 'image/x-icon'
    response['Cache-Control'] = 'public, max-age=31536000'
    return response
Favicon.render() returns a valid byte stream; do not pay any attention to that.
Here is the link element in the head of my HTML document:
<link rel=icon href=/7f9fa4.ico>
Now comes the question: why, each time I reload the page, does my browser (Chromium 73) make a request to /7f9fa4.ico instead of retrieving the icon from the cache? If I open /7f9fa4.ico in a new tab, the first time a request is sent to the server and after that my browser retrieves the image from the cache; now tell me what's wrong with the browser caching system.
Here is a request (cookies and preferences are omitted):
GET /7f9fa4.ico HTTP/1.1
Host: localhost:8000
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Referer: http://localhost:8000/
And these are response headers:
HTTP/1.1 200 OK
Date: Mon, 03 Jun 2019 07:03:58 GMT
Server: WSGIServer/0.2 CPython/3.6.8
Content-Type: image/x-icon
Cache-Control: public, max-age=31536000
X-Frame-Options: SAMEORIGIN
Content-Length: 196
Console output (if it somehow could help):
[05/Jun/2019 09:17:42] "GET /7f9fa4.ico HTTP/1.1" 200 196
Also, if I remove the link element from the head, the browser makes requests to /favicon.ico (which in my case just mirrors /ffffff.ico) each time I reload the page, with the same effect.
What you may find is that this request is being made to validate the cached content. I noticed that the request you sent to the server has Cache-Control: no-cache and Pragma: no-cache.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#Cacheability
no-cache
Forces caches to submit the request to the origin server for validation before releasing a cached copy.
So it forces caches to submit the request for validation.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma#Directives
no-cache
Same as Cache-Control: no-cache. Forces caches to submit the request to the origin server for validation before releasing a cached copy.
These state that the browser would be expected to send a request to your server for "validation" before it uses the cached icon.
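A validation request only saves bandwidth if the server can answer it with 304 Not Modified, and the view in the question sends no ETag or Last-Modified, so every revalidation has to carry the full 196-byte body again. The following is an added, framework-agnostic example (not the asker's view and not Django code) of the same response logic with a strong ETag derived from the served bytes: SAMPLE_ICON is a constructed 196-byte stand-in for Favicon.render() output, and favicon_response() takes a plain dict of request headers and returns (status, headers, body).

```python
import hashlib

# Constructed 196-byte stand-in for Favicon.render() output (the real icon bytes
# are not on the page); the length matches the Content-Length in the question.
SAMPLE_ICON = b"\x00\x00\x01\x00" + b"\x00" * 192

CACHE_CONTROL = "public, max-age=31536000"


def make_etag(body):
    """Strong validator derived from the bytes actually served."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def etag_matches(if_none_match, etag):
    """If-None-Match handling per RFC 7232: '*' matches anything, the value may be a
    comma-separated list, and a W/ prefix is tolerated (weak comparison is allowed
    when deciding on a 304 for GET)."""
    if if_none_match is None:
        return False
    if if_none_match.strip() == "*":
        return True
    for candidate in if_none_match.split(","):
        candidate = candidate.strip()
        if candidate.startswith("W/"):
            candidate = candidate[2:]
        if candidate == etag:
            return True
    return False


def favicon_response(request_headers, body):
    """Return (status, headers, body) for the icon. A revalidation request whose
    If-None-Match matches the current ETag gets an empty 304 instead of the body,
    so a forced reload costs one small round trip rather than a full download."""
    lower = {k.lower(): v for k, v in request_headers.items()}
    etag = make_etag(body)
    headers = {
        "Content-Type": "image/x-icon",
        "Cache-Control": CACHE_CONTROL,
        "ETag": etag,
    }
    if etag_matches(lower.get("if-none-match"), etag):
        return 304, headers, b""
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    # First request: full response, the browser caches body and ETag.
    status, hdrs, out = favicon_response({}, SAMPLE_ICON)
    print(status, hdrs["ETag"], len(out), "bytes")
    # Reload with Cache-Control: no-cache: the browser revalidates with the ETag it kept.
    status, hdrs, out = favicon_response(
        {"Cache-Control": "no-cache", "If-None-Match": hdrs["ETag"]}, SAMPLE_ICON)
    print(status, len(out), "bytes")
```

The ETag is recomputed from the body on every call here for simplicity; in a real view the hash can be cached alongside the rendered icon since both are derived from the colour.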
I'm trying to set up file download for PrimeFaces as described here: https://www.primefaces.org/showcase/ui/file/download.xhtml
PrimeFaces version 6.
There is a cookie called primefaces.download that needs to be set during the download process, in order to monitor the download process using JavaScript.
The response header has this cookie set, as you can see below:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: JSF/2.0
X-UA-Compatible: IE=edge
X-UA-Compatible: IE=edge
X-UA-Compatible: IE=edge
X-UA-Compatible: IE=edge
X-UA-Compatible: IE=edge
Content-Disposition: attachment;filename="aggregatedContent"
Set-Cookie: primefaces.download=true
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Tue, 11 Jul 2017 05:42:41 GMT
But when I look in Chrome in Application -> Cookies, this cookie is not there. This is true for Firefox and Internet Explorer as well.
Also, typing in console document.cookie does not return this set cookie.
P.S. The request is a POST with status 200 returned from a request URL on localhost.
Any ideas?
I am using Play Framework 2.3; how do I share a cookie with CORS (cross-domain)?
I have a Play application on localhost:9000 and I want to share cookies with my client running on localhost:5000.
The client cannot get the cookies.
I tried this in the Play Framework app:
response().setCookie(AUTH_TOKEN, authToken); // with session.domain="http://localhost:5000" in application.conf the cookie is sent but cannot be read by JavaScript / failed
response().setCookie(AUTH_TOKEN, authToken, 10000, "localhost:5000", "/"); // fail
response().setCookie(AUTH_TOKEN, authToken, 10000, "127.0.0.1:5000", "/*"); // fail
and this is response on chrome :
Remote Address:127.0.0.1:9000
Request URL:http://localhost:9000/common/login
Request Method:POST
Status Code:200 OK
Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,id;q=0.6,ms;q=0.4
Connection:keep-alive
Content-Length:33
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:localhost:9000
Origin:http://localhost:5000
Referer:http://localhost:5000/index-login.html
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Form Data
username:adilramdan
password:1234
Response Headers
Access-Control-Allow-Headers:X-Requested-With, Content-Type, X-AUTH-TOKEN
Access-Control-Allow-Origin:*
Content-Length:52
Content-Type:application/json; charset=utf-8
Set-Cookie:authToken=8cd7d5cc-600a-42a0-ab79-d7ff2b4f71b0; Expires=Tue, 15 Jul 2014 02:30:09 GMT; Path=/
<------ the cookie is present in the server response, but the JavaScript client says no cookies were found
What is the right way to do this?
Can anyone help me?
You may need to use the Access-Control-Allow-Credentials header. If you are using AJAX/JQuery you must set
withCredentials = true
In your request. The server must also respond with header
Access-Control-Allow-Credentials: true
Note that if you do this you must specify a value for Access-Control-Allow-Origin. The browser will not accept Access-Control-Allow-Credentials header while Access-Control-Allow-Origin is a wildcard.
See the resources here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials
http://www.html5rocks.com/en/tutorials/cors/
I have set withCredentials = true, and I get the following headers from the server
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Accept,Origin,Referer
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:.mydomain.com
Connection:keep-alive
Content-Type:application/json
Date:Tue, 06 Aug 2013 12:37:47 GMT
Server:nginx/1.1.19
Set-Cookie:sessionid=zjn8naedymjj6mm0aqjgxljbs3u1njzf; expires=Tue, 20-Aug-2013 12:37:47 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding:chunked
Vary:Cookie
but the cookie doesn't get set or transmitted on next request.
It turned out that I can't just use .domain.com (wildcard) with Access-Control-Allow-Origin, and I have to use `http://exact.subdomain.example.com`.
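The answer above and the comment that follows it describe the two rules a credentialed cross-origin request lives or dies by: Access-Control-Allow-Credentials must be exactly "true", and Access-Control-Allow-Origin must then be a single exact origin, so neither "*" (the Play response) nor ".mydomain.com" (the nginx response) works. The example below is added here and is not Play, nginx or JQuery code: cors_headers() shows the server side, keeping the allow-list in code and echoing only a trusted Origin back, and browser_accepts_credentials() models the browser's check so both failing responses from the thread can be tried against it. EXACT_ORIGINS and PARENT_DOMAINS are constructed allow-lists; the ".mydomain.com" intent is expressed as a server-side suffix match on HTTPS hosts because the header itself cannot carry a pattern.

```python
from urllib.parse import urlsplit

# Constructed allow-list of exact origins (scheme + host + port) the API trusts.
EXACT_ORIGINS = frozenset({"http://localhost:5000", "https://exact.subdomain.example.com"})
# Constructed parent domains whose HTTPS subdomains are trusted too: this is how a
# ".mydomain.com" style rule has to be expressed, since the header cannot carry it.
PARENT_DOMAINS = ("mydomain.com",)


def origin_allowed(origin, exact=EXACT_ORIGINS, parent_domains=PARENT_DOMAINS):
    """Server-side decision whether a request Origin is trusted."""
    if origin is None:
        return False
    if origin in exact:
        return True
    parts = urlsplit(origin)
    host = parts.hostname or ""
    # Suffix match on a label boundary only, so "https://evilmydomain.com" is rejected.
    return parts.scheme == "https" and any(
        host == d or host.endswith("." + d) for d in parent_domains
    )


def cors_headers(origin, with_credentials=True):
    """Response headers for a credentialed CORS request, or {} when the origin is
    not trusted (no CORS headers at all, so the browser withholds the response)."""
    if not origin_allowed(origin):
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,  # echoed exactly; never "*" with credentials
        "Vary": "Origin",  # a shared cache must not replay one origin's answer to another
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_accepts_credentials(response_headers, request_origin):
    """Model the browser's check for a request made with withCredentials = true:
    Access-Control-Allow-Credentials must be exactly "true" and
    Access-Control-Allow-Origin must equal the request's Origin byte for byte."""
    if response_headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao is not None and acao != "*" and acao == request_origin


if __name__ == "__main__":
    for origin in ("http://localhost:5000", "https://app.mydomain.com", "https://evilmydomain.com"):
        hdrs = cors_headers(origin)
        print(origin, "->", hdrs, "accepted:", browser_accepts_credentials(hdrs, origin))
    # The two responses shown in the thread, as the browser judges them:
    print("Play  (ACAO *):", browser_accepts_credentials(
        {"Access-Control-Allow-Origin": "*"}, "http://localhost:5000"))
    print("nginx (ACAO .mydomain.com):", browser_accepts_credentials(
        {"Access-Control-Allow-Origin": ".mydomain.com",
         "Access-Control-Allow-Credentials": "true"}, "https://app.mydomain.com"))
```

Echoing the Origin is only safe because origin_allowed() is consulted first; echoing any Origin unconditionally together with Allow-Credentials would let every site read the user's authenticated responses. The Vary: Origin header matters for the same reason once a CDN or proxy cache sits in front of the API.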
I was just trying to analyse all the HTTP header fields in the Firefox plugin Firebug. First I logged out from Stack Overflow and then cleared all the cookies from my browser.
Then I went to Stack Overflow's home page. Meanwhile I looked at the HTTP request and response header fields. This is what I saw:
Response Headers
Via 1.0 proxy_server
Content-Length 135
Date Mon, 05 Mar 2012 06:01:33 GMT
Content-Type application/json
Cache-Control private
X-Cache MISS from sampark.ncb.ernet.in
Request Headers
Host stackoverflow.com
User-Agent Mozilla/5.0 (Windows NT 6.0; rv:12.0a2) Gecko/20120303 Firefox/12.0a2
Accept application/json, text/javascript, */*; q=0.01
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip, deflate
Proxy-Connection keep-alive
X-Requested-With XMLHttpRequest
Referer http://stackoverflow.com/
Cookie __qca=P0-383120279-1330927291125; __utma=140029553.974890682.1330927291.1330927291.1330927291.1; __utmb=140029553.1.10.1330927291; __utmc=140029553; __utmz=140029553.1330927291.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gauthed=1
There is a cookie included in the request header. But as I said I have removed all the cookies from my browser. How is the cookie included in the request? What is actually happening here?
I did as Andy Davies told. I first cleared all the cookies, restarted Firefox and then went to www.stackoverflow.com. Firebug shows this:
GET http://stackoverflow.com/tags/ios/subscriber-info?_=1331946084371
The headers for the above request contained:
Cache-Control private
Content-Encoding gzip
Content-Length 390
Content-Type text/html; charset=utf-8
Date Sat, 17 Mar 2012 01:01:19 GMT
Vary Accept-Encoding
Request Headers
Accept text/html, */*; q=0.01
Accept-Encoding gzip, deflate
Accept-Language en-us,en;q=0.5
Connection keep-alive
Cookie __utma=140029553.1336172974.1331946082.1331946082.1331946082.1; __utmb=140029553.1.10.1331946082; __utmc=140029553; __utmz=140029553.1331946082.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-115511794-1331946081644; gauthed=1
Host stackoverflow.com
Referer http://stackoverflow.com/
User-Agent Mozilla/5.0 (Windows NT 6.0; rv:12.0a2) Gecko/20120303 Firefox/12.0a2
X-Requested-With XMLHttpRequest
If this is not the first request, then why is it not showing the first request?
Did you restart the browser after clearing the cookies as, from my memory, some browsers don't clear the cookies for any sites currently open?
The snippet you've posted looks like a JSON response part way through loading the page, so it is not the initial request for the HTML page.
When the HTML page would have been requested again, the Google Analytics cookie (which is what you've got above) would have been resent, so any subsequent components on the page will also get the cookie too.