I'm developing a small site w/ Go and I'm trying to set a cookie from my server.
I'm running the server on localhost, with 127.0.0.1 aliased to subdomain-dev.domain.com on port 5080.
When I receive the response to my POST to subdomain-dev.domain.com:5080/login I can see the Set-Cookie header. The response looks like this:
HTTP/1.1 307 Temporary Redirect
Location: /
Set-Cookie: myappcookie=encryptedvalue==; Path=/; Expires=Fri, 13 Sep 2013 21:12:12 UTC; Max-Age=900; HttpOnly; Secure
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Date: Fri, 13 Sep 2013 20:57:12 GMT
Why isn't Chrome or Firefox recording this? In Chrome it doesn't show up in the Resources tab. In FF I can't see it either. And in neither do I see it in future Request headers.
See that Secure string in the cookie?
Yeah, me too. But only after a few hours.
Make sure you're accessing your site by SSL (https:// at the beginning of the URL) if you've got the Secure flag set.
If you're developing locally and don't have a cert, make sure you skip that option.
In my case, I had to add this to my response:
access-control-expose-headers: Set-Cookie
I found here that my Set-Cookie header was not accessible to my client unless I added it to the exposed-header header.
Hope this can help someone!
Found related github issue response cookies not being sent that helped.
In my case I am running a React app under https (with the mkcert tool) and making a cross-origin fetch request to get the response. The cookies from the response are not set until I specify credentials: 'include' for the fetch request.
Example fetch API call:
fetch('https://example.com', {
credentials: 'include'
});
Specify these response headers from the server:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost:3000
The Access-Control-Allow-Origin header has the URL of my React app as its value.
Add these attributes to the Set-Cookie header: Path=/; HttpOnly; Secure; SameSite=None (using HTTP cookies).
Hope it helps someone!
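As an added example (not the answerer's code), a server-side helper for the header combination above: a credentialed request cannot be answered with Access-Control-Allow-Origin: *, so the origin is echoed only when it exactly matches an allow list, together with Vary: Origin so shared caches never reuse the response for another origin. The allow list, the preflight method and header values are assumptions.

```python
from urllib.parse import urlsplit

# Origins allowed to send credentialed (cookie-bearing) requests; the React dev
# origin from the answer. Assumed allow list, not the project's configuration.
ALLOWED_ORIGINS = {"https://localhost:3000"}

def normalize_origin(origin):
    """Canonical scheme://host[:port] for an Origin header value, or None when the
    value is not a bare origin (e.g. "null", a path, or a malformed port)."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:  # e.g. "https://localhost:3000.evil.example"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path or parts.query:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    return f"{parts.scheme}://{host}" if port in (None, default) else f"{parts.scheme}://{host}:{port}"

def cors_headers(request_origin, preflight=False, allowed=ALLOWED_ORIGINS):
    """Response headers for a credentialed CORS request. An empty dict means the
    origin is not allowed: the browser then blocks the response (and its cookie)."""
    origin = normalize_origin(request_origin)
    if origin is None or origin not in {normalize_origin(a) for a in allowed}:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,        # exact allow-listed origin, never "*"
        "Access-Control-Allow-Credentials": "true",   # required for credentials: 'include'
        "Vary": "Origin",                             # caches must not reuse across origins
    }
    if preflight:  # answer to the OPTIONS request that a cross-origin POST triggers
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type"
    return headers
```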
We sent an HTTP request from a C++ app (Arduino Sketch) to a Google Apps Script web app, but we got the HTTP response: HTTP/1.1 302 Moved Temporarily. The URL with the HTTP request works fine from a browser.
The same code also works fine with other web sites, like www.google.com. It does not work with script.google.com.
The Google Apps Script published web app is public; anyone, even anonymous, can access it.
Here is the code we used.
client.println("GET /macros/s/AKfycbyQnmHekk4_NNy3Bl5ILzuSRkykMWaXQ7Rtojk7fFieDUbVqNM/exec?valore=7 HTTP/1.1");
client.println("Host: script.google.com");
client.println("Connection: close");
client.println();
The answer was:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 03 Feb 2021 09:29:02 GMT
Location: https://script.google.com/macros/s/AKfycbyQnmHekk4_NNy3Bl5ILzuSRkykMWaXQ7Rtojk7fFieDUbVqNM/exec?valore=7
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Server: GSE
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
11e
<HTML>
<HEAD>
<TITLE>Moved Permanently</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Permanently</H1>
The document has moved here.
</BODY>
</HTML>
0
disconnecting from server.
The URL is correct (http://script.google.com/macros/s/AKfycbyQnmHekk4_NNy3Bl5ILzuSRkykMWaXQ7Rtojk7fFieDUbVqNM/exec?valore=7) but it seems that the Google Apps Script web app redirects the request (to the same URL, using the https protocol).
Using the same code, we made other HTTP requests from the Arduino, and they worked fine.
For example we did:
client.println("GET /search?q=arduino HTTP/1.1");
client.println("Host: www.google.com");
client.println("Connection: close");
client.println();
And we got the response `HTTP/1.1 200 OK`, and the HTML response contains the search results according to the query q=arduino.
Any suggestion on how we can send a valid HTTP/HTTPS request to a Google Apps Script web app?
Thanks.
As you have noticed, the Google script app is redirecting you from HTTP to HTTPS. Some Google sites are accessible via HTTP; they don't have to redirect to HTTPS if they don't want to. In your example, http://www.google.com/search?q=arduino does redirect, to https://www.google.com/search?q=arduino&gws_rd=ssl. But your client is not sending a User-Agent header in the request, so Google knows your client is not a browser, and might not be issuing the redirect in your case. In a real browser, it does.
Putting the URL http://script.google.com/macros/s/AKfycbyQnmHekk4_NNy3Bl5ILzuSRkykMWaXQ7Rtojk7fFieDUbVqNM/exec?valore=7 into a browser does redirect to https://script.google.com/macros/s/AKfycbyQnmHekk4_NNy3Bl5ILzuSRkykMWaXQ7Rtojk7fFieDUbVqNM/exec?valore=7. A real browser will follow that redirect automatically, a user might not even notice the difference.
But your client will have to follow the redirect manually. That means extracting the Location header from the response, closing the existing connection (to script.google.com on port 80), connecting to the specified server (script.google.com on port 443), and initiating an SSL/TLS encrypted session with the server before you can finally send the HTTP request.
SSL/TLS is complex, and HTTP has a lot of rules to it. Don't try to implement them manually. You are best off using an existing HTTP library that has HTTPS support built in. Let it handle all of these details for you.
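The manual redirect handling the answer describes, as an added Python example (not the answerer's code, and not a substitute for the HTTP library it recommends): parse the 301 response head, resolve the Location header, and work out that the next connection has to be TLS on port 443, while refusing an https-to-http downgrade and capping the number of hops. The response text is a constructed copy of the one in the question with the script id replaced by a placeholder.

```python
from urllib.parse import urlsplit, urljoin

# Constructed copy of the redirect the question received (script id is a placeholder).
RAW_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: https://script.google.com/macros/s/SCRIPT_ID_PLACEHOLDER/exec?valore=7\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def parse_response_head(raw):
    """Return (status_code, {header_lowercase: value}) from a raw HTTP/1.1 response."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def _port(parts):
    return parts.port or (443 if parts.scheme == "https" else 80)

def next_hop(current_url, raw_response, hops_left=5):
    """Where a hand-written client must connect next. None when the response is not
    a redirect; raises on a redirect loop or an https-to-http downgrade."""
    code, headers = parse_response_head(raw_response)
    if code not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    if hops_left <= 0:
        raise RuntimeError("too many redirects")
    target = urljoin(current_url, headers["location"])  # Location may be relative
    cur, new = urlsplit(current_url), urlsplit(target)
    if cur.scheme == "https" and new.scheme == "http":
        raise RuntimeError("refusing to downgrade from https to http")
    return {
        "url": target,
        "host": new.hostname,
        "port": _port(new),
        "tls": new.scheme == "https",  # TLS handshake needed before the next GET
        "reconnect": (cur.hostname, _port(cur)) != (new.hostname, _port(new)),
    }
```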
I have a Quart (basically Flask) web app that is doing OAuth2 with Discord. It seems to be working in the cloud, but locally the Set-Cookie header that appears in the HTTP response after Discord authorizes the user is being IGNORED by the browser.
There is an HTTP response with Set-Cookie. The next request is the callback URI and it has a different session cookie! This is a serious problem and I'm completely stumped. It only seems to be happening on localhost? I've read some about browsers ignoring Set-Cookie, but I have no domain in the Set-Cookie field and my path is "/".
Response from Discord:
session=<cookie_A>; Expires=Thu, 08-Oct-2020 19:22:57 GMT; HttpOnly; Path=/
Request for the callback URL:
session=<cookie_B>
I'm trying to have the expiration of an existing cookie on a site update from "Session" to some date in the future using the Set-Cookie header.
I believe my issue has to do with limitations on how browsers interpret the Path directive on the Set-Cookie header but I'm not sure nor can I find a use case quite like mine.
Example use case:
Browser navigates to:
GET / HTTP/2
Host: example.com
Server replies:
HTTP/2 200
set-cookie: PHPSESSID=abcd; Path=/; SameSite=None; Secure
Browser performs action and navigates to:
POST /some/path HTTP/2
Cookie: PHPSESSID=abcd;...
Server replies:
HTTP/2 302
Set-Cookie: PHPSESSID=dcba; expires=Mon, 17-Aug-2020 19:08:24 GMT; Max-Age=7776000; path=/
Location: /somewhere-else
All following requests from the browser contain the updated cookie value:
Cookie: PHPSESSID=dcba;...
Yet, upon inspecting the cookies with the dev tools (or simply closing the browser) I noticed that the Expires/Max-Age of the cookie is still "Session" (tried on Chrome and Firefox).
Is being able to update the value but not the expiration of a cookie through a Set-Cookie header a known/expected behavior? Or is there perhaps something wrong with how it's formed?
For any that come across this question/issue:
I discovered(?) that with each Set-Cookie header received: the browser will update the Expiration/Max-Age of that cookie to "Session" if it is absent but will not update other directive values to anything else if they are absent (such as the Secure flag or the value for SameSite).
This revealed that the underlying issue was that, on the next page, there was a request whose response carried a Set-Cookie header without any value for the expires/Max-Age directives, thus resetting the expiration to "Session". The solution is therefore to ensure every Set-Cookie response header has a deliberate value (or absence) for the expires and/or Max-Age directive.
Explained with raw http, continuing the example in the question:
If the response for say an ajax request comes back with:
HTTP/2 200
Set-Cookie: PHPSESSID=efgh; Path=/; SameSite=None; Secure
Then the browser will update the cookie's value and set its expiration from "17-Aug-2020 19:08:24 GMT" to "Session".
So the solution, as mentioned before, is to ensure that the response contains the correct (or deliberate) value for the expires or Max-Age directive. The correct response for the ajax call that accidentally set the expiration to "Session" in the example above would be something like:
HTTP/2 200
Set-Cookie: PHPSESSID=efgh; expires=Mon, 17-Aug-2020 19:08:24 GMT; Max-Age=7775900; Path=/
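As an added example (not code from any question or answer on this page), a toy cookie store implementing the RFC 6265 storage rules behind this thread and the first one: a Secure cookie received over plain http is dropped (the strict-secure-cookies rule of RFC 6265bis), Max-Age takes precedence over Expires, and a Set-Cookie with neither attribute replaces the stored cookie with a session cookie. The clock DEMO_NOW is constructed so the expiry arithmetic is deterministic.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed clock: exactly 7776000 s (90 days) before the Expires value in the question.
DEMO_NOW = datetime(2020, 5, 19, 19, 8, 24, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val})."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return name.strip(), value, parsed

class CookieJar:
    """Toy user-agent cookie store following the RFC 6265 storage rules."""
    def __init__(self, now=DEMO_NOW):
        self.now = now
        self.cookies = {}  # name -> {"value", "expires", "secure"}

    def set_cookie(self, header, request_scheme):
        """Store the cookie; returns False when the browser would ignore it."""
        name, value, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        if secure and request_scheme != "https":
            return False  # Secure cookie from a non-secure origin is dropped
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            expires = self.now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
        else:
            expires = None  # neither attribute: a session cookie, whatever was stored before
        # Same name (path is ignored in this toy): the old cookie is replaced, not merged.
        self.cookies[name] = {"value": value, "expires": expires, "secure": secure}
        return True

    def expires_iso(self, name):
        """ISO timestamp of the stored expiry, or None for a session cookie."""
        exp = self.cookies[name]["expires"]
        return None if exp is None else exp.isoformat()

    def cookie_header(self, request_scheme):
        """Build the Cookie request header for a request made over the given scheme."""
        sent = [f"{n}={c['value']}" for n, c in self.cookies.items()
                if (c["expires"] is None or c["expires"] > self.now)
                and (not c["secure"] or request_scheme == "https")]
        return "; ".join(sent)
```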
I have a scenario in which a client application sends a POST request to an ASP.NET page, to which the page responds with a JSON string that I need to consume on the client side.
However, Internet Explorer is trying to download the *.aspx page containing the JSON string.
What HTTP headers must the response contain to disable the download in Internet Explorer?
Currently, the response HTTP headers are:
Access-Control-Allow-Headers:X-File-Name,X-File-Type,X-File-Size
Access-Control-Allow-Methods:GET,POST,OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:private,private, no-cache
Content-Length:1050
Content-Type:application/json; charset=utf-8
Date:Fri, 12 Jul 2013 08:24:24 GMT
Pragma:no-cache
Server:Microsoft-IIS/7.5
Set-Cookie:ASP.NET_SessionId=qjudp3nct3czltyvc4yxpiri; path=/; HttpOnly
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
It depends on how you are consuming that web service.
If you are consuming it from inside a web page using jQuery, it shouldn't be a problem; Internet Explorer won't force-download the file.
If you access the file directly after the POST (redirect to the URL that serves the JSON) and you want to display the JSON as plain text, you must set the Content-Type to text/plain; charset=utf-8.
I am trying to find out where a cookie is being set.
I am running Varnish cache and want to know where the cookie is being set so I know if I can safely remove it for caching purposes.
The response headers look like this:
HTTP/1.1 200 OK
Server: Apache/2.2.17 (Ubuntu)
Expires: Mon, 05 Dec 2011 15:11:39 GMT
Cache-Control: no-store, max-age=7200
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Session: NO
X-Cacheable: YES
Date: Tue, 04 Dec 2012 15:29:40 GMT
X-Varnish: 1233768756 1233766580
Age: 1081
Via: 1.1 varnish
Connection: keep-alive
X-Cache: HIT
There is no cookie present. When loading the same page in a browser the headers are the same: I get a cache hit and no cookie in the response headers.
But then the cookie is there all of a sudden, so it must be being set somewhere. Even if I remove it, it reappears. It even appears in Incognito mode in Chrome. But it is not in the response headers.
I have been through all the JavaScript on the site and cannot find anything. Is there any other way of setting a cookie?
Thanks.
If the Set-Cookie header goes through Varnish at some point, you can use varnishlog to find the request URL:
$ varnishlog -b -m 'RxHeader:Set-Cookie.*COOKIENAME'
This will give you a full varnishlog listing for the backend requests, including the TxURL to the backend which tells you what the client asked for when it got Set-Cookie back.