I need to make one request to get a session from the server. Now I include it in the same POST request (this plays no role) with an Authorization header. I successfully get a valid session from my Tomcat server in the response cookies of the OPTIONS request, like this: JSESSION:XXXXX.
After that I make the main POST request with photos etc., and the response is 401 Unauthorized. I looked in the Chrome developer panel: the request cookies are empty. So I understood that Dart didn't save the cookies. With the param withCredentials: true in the request, I'm getting a popup on every request. I use Angular2 in my project. (I mention it because the solution to my problem could be in Angular2.)
Dart code:
import 'dart:html';

var map = <String, String>{}; // request headers; formData is the FormData built elsewhere
map["Authorization"] = "Basic YWRtaW5hZG1pbjphbm90aGVyY29vbA==";
await HttpRequest.request("http://localhost:8080/photo", method: "POST", withCredentials: true, sendData: formData, requestHeaders: map);
As far as I know Dart doesn't have anything to do with it. This is an issue between server and browser. What do you mean by OPTIONS request? You normally don't send an OPTIONS request yourself; they are normally created automatically by the browser and sent as preflight requests.
Cookies passed by the server are automatically sent back by the browser with each request.
Related
I have a backend, NestJS GraphQL, and I have authentication on its side. On the signIn query it returns 3 Set-Cookie headers: is_authenticated, access_token and refresh_token. I use the useLazyQuery hook from Apollo to make the signIn request. Everything works until I want to use these cookies server-side, e.g. in getServerSideProps. How do I sync client and server cookies in NextJS? Do I have to set them manually?
When I console.log getCookies(ctx) or ctx.req.cookies, it returns an empty object. On the client side getCookies() also returns an empty object, but these cookies are set, because I also have a cart-id which sets the cart the user can use, and it works properly after a refresh, a browser restart and even a restart of my PC. Where is the problem then?
I have:
React app: https://myreact.com
Django + DRF: https://mydjango.com
React has a form that, when submitted, sends a POST request to mydjango.com/handle-form with all the cookies, because I specify withCredentials: true in my ajax request (thus all the cookies are sent).
As I see it, there's no way to perform a CSRF attack, because the browser stores cookies only for myreact.com. And if an attacker creates a domain myreact2.com with the exact same form (that upon submitting sends a POST request to mydjango.com/handle-form), cookies from myreact.com won't be sent, meaning there's no CSRF attack.
The questions:
Am I right?
Will the browser store cookies only for myreact.com or for both domains, when I make an ajax request from myreact.com to mydjango.com and mydjango.com sends a Set-Cookie header in the response?
I understand how it would work when both frontend and backend shared the same domain: a CSRF attack would be very possible without a CSRF token or something else. But my case bothers me.
I have a website that allows CORS sharing, and that's intended behavior on their part.
However, when I try to send a cross-origin request, the "SameSite" cookies won't be set for the request.
After digging deeper into this I've found that if any website sends a normal form request to the targeted website and then goes back and resends it, the "SameSite" cookie will be set for the second request. As an example:
Create a post form to http://devs.aaa.com
Submit the request and the cookies won't be set
Click on go back on the browser and re-submit the request
The cookies will be sent with the request
I tried to make a CORS request that would help me do the steps above with XMLHttpRequest or any alternative that re-sends the request, but I've failed terribly!
SameSite cookies aren't set on cross-site POST requests.
You should use SameSite=None; Secure if you need to support cross-site AJAX requests.
I'm setting a cookie in a response from my web service. The set-cookie header is coming through, and I can see the cookie in the network tab in Chrome, but the cookie isn't being stored. It doesn't show up in the resources->cookies tab, and the cookie isn't sent with subsequent requests. Nothing shows up in the JS console. I've also tried leaving the domain field off the cookie, but it still isn't stored.
Is there a way to debug the browser to understand why the cookie was rejected from being stored?
Turns out it had to do with the way I was making the request. I expected fetch() to work the same way as XHR requests. Setting credentials: 'include' on my fetch call resolved the problem. See section 5.6.14 of the fetch spec.
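As an added example (not code from any post on this page), the following JavaScript models the checks a browser applies before a cookie from a cross-origin response is stored and sent back, covering both the SameSite=None; Secure rule from the answer above and the credentials: 'include' fix from this one. The cookie strings, hosts and origins are constructed, and the rules assume modern browser defaults (SameSite=Lax when the attribute is omitted, SameSite=None only valid together with Secure).

```javascript
// Added example, not code from any post on this page. Models why a cookie from a
// cross-origin response is not stored or not sent; assumes modern browser defaults
// (SameSite=Lax when omitted; SameSite=None only valid together with Secure).

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: "Lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite" && v)
      cookie.sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase(); // "none" -> "None"
  }
  return cookie;
}

// ctx describes the request/response pair (all fields are constructed inputs):
//   credentials: 'include' | 'omit' | 'same-origin' (fetch) or withCredentials (XHR)
//   https: response served over https;  host: host of the responding server
//   allowOrigin / allowCredentials: the CORS response headers
//   crossSite: true when page and API have different registrable domains
//              (a different port alone, e.g. localhost:4200 -> localhost:8080, is same-site)
// Returns the reasons the cookie will not round-trip; an empty list means it should work.
function diagnoseCrossOriginCookie(setCookieHeader, ctx) {
  const c = parseSetCookie(setCookieHeader);
  // Browsers treat localhost as a trustworthy origin even over plain http.
  const trustworthy = ctx.https || /^(localhost|127\.0\.0\.1)$/.test(ctx.host || "");
  const reasons = [];
  if (ctx.credentials !== "include")
    reasons.push("client did not opt in (withCredentials / credentials: 'include')");
  if (!ctx.allowCredentials)
    reasons.push("response lacks Access-Control-Allow-Credentials: true");
  if (!ctx.allowOrigin || ctx.allowOrigin === "*")
    reasons.push("Access-Control-Allow-Origin must echo the exact origin, never '*'");
  if (c.sameSite === "None" && !c.secure)
    reasons.push("SameSite=None without Secure: browser rejects the cookie");
  if (c.secure && !trustworthy)
    reasons.push("Secure cookie cannot be stored from a plain http:// response");
  if (ctx.crossSite && c.sameSite !== "None")
    reasons.push(`SameSite=${c.sameSite} cookies are not sent on cross-site requests`);
  return reasons;
}
```

Run it against the Set-Cookie header copied from the network tab to get the same rejection reasons the browser applies silently.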
I am trying to use the YUI uploader to upload files to Django view.
However, I am getting a 403 error in CsrfViewMiddleware. I have determined that the problem is due to the flash uploader (that the YUI uploader uses) not sending the CSRF cookie in the file upload request.
The YUI uploader's uploadAll() function allows additional data to be sent with the upload request in object form. Since the CSRF cookie can be easily retrieved, I am trying to add the cookie to the request via the uploadAll() function, but I am not entirely sure as to what format to send it in so that CsrfViewMiddleware finds the cookie where it expects it. This does not work:
var cookie = YAHOO.util.Cookie.get('csrftoken');
uploader.uploadAll(url, 'POST', { csrfmiddlewaretoken: cookie });
Any insight would be greatly appreciated!
Unfortunately, because of Flash player limitations, the YUI Uploader can't insert the cookie into the header of the request, which is where the backend expects it to be. The only thing you can do, which is what that additional argument up there does, is to add POST variables to the request. However, that means that you need additional server logic to extract them as POST variables and then compare them to the cookie record -- it won't work by default.
If you are unable to modify the server-side code, you won't be able to authenticate the requests sent from the Uploader :(.