Is there a way to prevent websphere from sending cookies in a response on a per request/url basis?
Our users get a link which allows them to download a file. Works fine in all major browsers except for IE8 & IE7. In IE7 & IE8, the file download breaks when cookies are sent with the response.
When a new session is created, the WebSphere sends a JSESSIONID cookie, and sets Cache-control to no-cache=set-cookie. This causes the download process to break in IE8 and lower.
Things I tried:
1) I know that no-cache=set-cookie can be turned off in Websphere admin console, but it's not an option.
2) The websphere is fronted by a web server, so the response headers can be changed using the web server, but it's not really an option.
3) I created a servlet filter, but it seems like whatever websphere does happens after the filter runs.
4) I created a JSP page that would prompt file download on load. The idea was that the cookie will be exchanged on page load, so that it won't interfere with the download. Unfortunately, because the download is triggered through JavaScript, IE blocks the download, and a user needs to manually approve it.
Is there any way to make it work?
IE8 has bug that may connected with your problem. Bug description. stackoverflow
I solved similar problem using good article.
Related
I am using cypress for e2e testing with the session storage feature enabled.
Until recently the only two cookies in the project were "access_token" and "refresh_token". Now I added 2 more cookies which store some data which will automatically be written and read while you're using the website.
When browsing the website with any native browser (chrome, firefox, edge), no cookies get sent by the frontend to the backend in the request. Only the "access_token"s content will be used as the Authentication bearer.
When browsing in any browser inside cypress or letting cypress automatically browse, all cookies which exist will be added to every sent request. Not only requests sent by cy.request() but also the requests which the frontend natively sends.
This is a problem since the header size gets to large and the backend wont accept it. The quickfix was to increase the accepted header size in the backend but I'd prefer not sending the cookies at all.
Is there a way to tell cypress which cookies to send or prevent sending cookies at all? I don't really care which cookies will be stored in the cypress session. Only which cookies get sent.
EDIT:
All cookies use "strict" same site settings.
When testing against a deployed system https is used but with an invalid certificate.
When testing against a locally running system http is used.
The cookies only get sent when running cypress against a local system (localhost).
Using samesite=strict means that the cookie will never be included in requests to other sites, so I guess that is your core problem here. You need to use samesite=none to get cookies included in HTTP POST Request across sites.
I'm working on an browser extension that authenticates with a remote server via XMLHttpRequests. In Firefox (59.0.2) I have the problem that the session cookie send by the server is not stored in the browser. When looking at the network traffic I get a Set-Cookie response from the server for every request:
Set-Cookie JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0;Path=/
but it seems that the cookie is never accepted or stored in the extension.
When looking at Chrome (where the extension is working) my extension includes this cookie in the request:
Cookie: io=jCX1X9rlaOhCqE0nAAAB JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0
However, this is not the case in Firefox. Why is Firefox is not including the cookie in the request? and why is it not storing the cookie?
UPDATE: as suggested I filed a bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1454806
Furthermore, I created a very minimal example addon that fails:
https://gitlab.com/czeidler/firefox-cookie-problem
Could somebody please let me know if that addon really should work? or am I doing something wrong? To trigger the problem open the debug view of the addon and select the network view. Then click the addon popup icon. This will trigger two requests to my server. The first reply contains a Set-Cookie header that is not reused in the second request.
I found the reason why it is not working. Firefox handles a request from the popup as a cross domain request and does not set the cookie for this reason. Not sure if Chrome and Firefox should behave the same here or which approach is the better one. Here is how I fixed this issue to make it work in both browsers:
On the server:
response.addHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))
response.addHeader("Access-Control-Allow-Credentials", "true")
In the popup:
connection.withCredentials = true;
Our web app restricts access to authenticated users; our servers are configured to refuse access to any resource requests unless the HTTP request includes the session cookies. We use a Java applet, for which access to the JAR file is also prevented unless the request has the correct session cookies set.
This works fine for all major browsers we have tried on Windows clients except for Safari (don't have a Mac to test Safari on this). All page resources e.g., html, js, images, ..., load fine; except for the JAR file, where our server returns a 'not authorised' page which obviously doesn't work in the applet container.
It looks like the JVM isn't sending the session cookies when it requests the JAR. I suspect that Safari isn't sharing the cookies with the JVM, because everything works OK in other browsers with the same JVM (IE, Chrome, Fx).
Is there anything we can do to fix this? Or work around this? We can't make the JAR available to non-authorised users due to licensing issues, nor can we change the hosting environment.
I'm having issues deleting client cookies with the cfcookie tag, I'm setting the value to "" AND changing the expiration date to now.
But I think it's resetting the cookie in the same page that it deletes it.
Is there a application (or addon for chrome,firefox) that can tell me where it's giving me cookies?
There's Fiddler, an application that logs all HTTP(S) traffic between your computer and the Internet.
1) Run Fiddler.
2) Open your site on the browser you use.
3) Look at the request and response headers on Fiddler. Any cookie set or delete will be there.
Other references:
Fiddler Can Make Debugging Easy. [September 12, 2006]
Fiddler Proxy and HTTP Debugging Tool [December 17, 2010]
As tiangoinu said, use Fiddler for Windows, or if you're on a mac, check out Charles Proxy.
As to your specific question, verify that you're not doing a redirect after you delete the cookie. In order for the cookie to be deleted on the client, the necessary HTTP headers need to be passed to the browser, and sometimes a cflocation will prevent those headers from being sent.
Yes, look at HTTPLive Headers for FireFox. Or some other type of intercept proxy to put between the browser and the server. You can then see the HTTP headers and try to determine where the cookies are being set (or at least how often).
I'm using Internet Explorer 8 beta 2.
Client performs POST on http://alpha/foo
Server responds with redirect to http://beta/bar
Client performs GET on http://beta/bar
Server responds with redirect to http://beta/baz and sets cookie
Client performs GET on http://beta/baz including cookie
Server provides response
User selects "Open in new window" on a link in the page
Client performs GET on http://beta/link, without cookie!
If in step 7 the user just clicks the link, the cookie is passed correctly. If there is no redirect, the cookie is passed correctly even if the user selects "Open in new window".
Is there a way to convince IE8 to pass the cookie in step 8?
(Edit: I believe this is a bug in IE8 beta 2, so I've raised it on the IE beta newsgroup. Workaround suggestions welcome.)
I believe that IE8 uses a separate process for each window. If you're using session cookies, the new process will start with a fresh session and therefore won't be able to submit the session cookies received by the other process. Can you try using persistent cookies and see what happens?
From http://www.microsoft.com/windows/internet-explorer/beta/readiness/developers-existing.aspx#lcie
Loosely-coupled Internet Explorer
(LCIE) is an architectural effort to
improve the browser by separating its
components and loosening their
interdependence: most notably, it is
an attempt to isolate the Internet
Explorer frame and its tabs into
separate processes. In Internet
Explorer 8, this isolation will bring
about improved performance and
scalability, as well as more potent
methods to recover from problems like
disk or system failure.