Electron get httponly cookies - cookies

Is there a way to somehow get the values of httpOnly cookies in electron?
The site I'm pre-loading before my main app loads, sends an httpOnly cookie that has a key inside.
I need this key for my http request headers.
I tried with webContents.session.cookies without luck.

I was able to get an httpOnly cookie using Nightmare.js, which uses Electron. Therefore, I think you should be able to achieve that by looking at the source.

Related

Cookies not showing httponly and secure even though settings in web.config are set

We have a site that uses first party and third party cookies. Security has pointed out that several of our cookies are not httponly and not secure. After looking at the web.config file I see this:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
Hitting the site and using Google Dev Tools shows the cookies are still not marked as httpOnly or secure.
Shouldn't this setting force all first party cookies to be rendered as httpOnly and Secure? Or am I missing something? Any reason these cookies would not be httpOnly/secure? I also set this via IIS at the server level, but no change in the cookie's status.

Set-cookie header is present but cookies are not set, no HttpOnly

I'm trying to get cookies via document.cookies (session id) in the console after receiving them here:
As you see no HttpOnly is present. But cookies still are not accessible for some reason.
I'm using whatwg-fetch in a React app for queries. Chrome browser, Version 80.0.3987.149 (Official Build) (64-bit), but tested with others and no luck as well.
Okay, the thing was that I cannot use cookies while working with wildcard allow access origin requests.

Set cookie in Postman with variable

I'm trying to write some Postman tests that require me to set a cookie. My first request returns a token in a JSON payload. I've pulled this out and stored it in a variable but I can't seem to inject this into a cookie for further requests.
I get the value for the cookie like:
var json = pm.response.json();
pm.globals.set("my-cookie", json.Token);
I've tried this in the cookie dialog box:
my-cookie={{my-cookie}}; path=/; domain=.myhost.com; Expires=Tue, 19 Jan 2038 03:14:07 GMT;
However, when it sends the cookie it sends the above without replacing the variable, i.e. it has {{my-cookie}} rather than the value of the variable.
I can't see anything in the Postman API that will enable me to set cookies on a request programmatically.
I did see this, but it only mentions adding them via the dialog
https://www.getpostman.com/docs/v6/postman/sending_api_requests/interceptor_extension
I also found this, but could find no mention of how to use it.
https://www.postmanlabs.com/postman-collection/Cookie.html
I'm assuming this is a common requirement and must be missing something obvious. Does anyone know how to do this?
Try using the Headers feature with a key of Cookie and a value of cookieName={{yourVariable}}
In case anyone stumbles upon this question, in the current version there is a special section for setting request cookies on the right-hand side of the request window.
For me it was just inserting {{token}} also.
I had to click the 'whitelist domain' under 'cookies' to whitelist my domain first. Then re-request the request that populates the token.
This got it working.
Note if the cookie has secure set, your baseurl should also include https://

Understanding the intended behaviour of HTTPOnly flag

I have a slight confusion regarding the HTTPOnly attribute in cookies. I am aware that its main use is for protection against XSS attacks. Let us assume there is a web application which has set httponly enabled for the cookie. I used an interception proxy like Fiddler for this. But in all subsequent transactions the cookie is not accompanied with the httponly flag. Is this a feature like set it once and the whole session is covered under the httponly flag, or is this an implementation flaw? But again, when monitored through a cookie manager add-on, the properties show that httponly is enabled. My question is: if it's enabled, why does the cookie manager show it enabled but not an interception proxy? Is this the normal expected behaviour or a wrong implementation? Please help me understand.
HttpOnly is sent by the server in the Set-Cookie header to instruct the browser not to make the cookie available to JavaScript. The browser will still send it over HTTP connections. The Set-Cookie header can contain all sorts of instructions for cookies, like when they expire, what domain they are for, which path, whether they should only be sent over HTTPS (Secure flag) and HttpOnly. These are all instructions from the server to the browser, so there is no point in the browser sending them back to the server on each request.
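
The behaviour described in the answer above, as an added example that is not part of the original thread: a simplified cookie jar showing that attributes arrive in Set-Cookie, only name=value pairs go back in the Cookie request header (which is all an intercepting proxy sees on requests), and HttpOnly cookies are hidden from document.cookie. The names CookieJar, parseSetCookie and demo and the sample headers are assumptions made for illustration.

```javascript
// Added example: simplified cookie jar; names and sample headers are constructed.
// It ignores Domain, Path matching and expiry.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const flag = attr.split('=')[0].toLowerCase(); // attribute names are case-insensitive
    if (flag === 'httponly') cookie.httpOnly = true;
    if (flag === 'secure') cookie.secure = true;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }
  // Secure cookies are only eligible on HTTPS connections.
  eligible(isHttps) {
    return [...this.cookies.values()].filter(c => isHttps || !c.secure);
  }
  // Cookie request header: name=value pairs only, attributes are never echoed back.
  requestHeader(isHttps) {
    return this.eligible(isHttps).map(c => `${c.name}=${c.value}`).join('; ');
  }
  // What page script reads from document.cookie: HttpOnly cookies are filtered out.
  documentCookie(isHttps) {
    return this.eligible(isHttps).filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed sample Set-Cookie response headers.
const SAMPLE_SET_COOKIE = [
  'sessionid=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];

function demo() {
  const jar = new CookieJar();
  SAMPLE_SET_COOKIE.forEach(h => jar.store(h));
  return { httpsRequest: jar.requestHeader(true), httpRequest: jar.requestHeader(false),
           script: jar.documentCookie(true) };
}
console.log(demo());
```

To confirm a flag on a real site, inspect the Set-Cookie response header rather than the Cookie request header.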

Getting a list of cookies set using WatiN

Is there a way to get a list of all the cookies set by a website using WatiN?
The IE Browser class in WatiN provides a GetCookie method that allows you to retrieve a specific cookie, but I would like to iterate over all the cookies that have been set.
There are two methods that should allow you to get the cookies:
CookieCollection cookies = _browser.GetCookiesForUrl(new Uri(url));
and
CookieContainer cookies = _browser.GetCookieContainerForUrl(new Uri(url));
But both of these are empty. Also calling the GetCookie method for a specific cookie returns null.
Any suggestions of how to get this to work?
Recently I had to deal with this situation. At first I thought the cookies I was looking for were HttpOnly, but I took a look using WireShark and there was no HttpOnly flag.
Not sure why GetCookieContainerForUrl fails in this case, but a client side script call revealed the cookies were still there:
ie.Eval("document.cookie");
You might want to try that statement before resorting to packet sniffing every time.
Well, I suppose those methods should work as expected, but maybe you are trying to get HttpOnly cookies? Many sites/web frameworks set this flag for important cookies, especially when it comes to "session id" cookies. You can't read them in WatiN and it's really hard to read them at all. I was looking for a solution once and the only one I got was an article: Retrieve HttpOnly Session Cookie in WebBrowser
If you want to know if the site you are trying to get cookies is setting HttpOnly flag on the cookie, use Fiddler2 and look in response headers.