Cookie not sending with Ajax request - cookies

Found an issue Forms authentication Cookie not sharing between the requests to service.
Cookie '.ASPXAUTH'generated and sent to Browser from the Login service successfully, but not sending the Cookie to consequent requests for the same service.
Found When Calling service from Cloud app the request using HTTP 1.1 and for Response it is HTTP 1.0
More observations with the user of Fiddler and other tools:
Working fine for the following circumstances:
Running Service and Client website from local development system
Hosting Service and Client on same IIS (local and remote)
Accessing based on URLs, cookies transmitted properly
Not working for the following circumstances:
Hosting service and Client in different IIS servers.
Hosting Service in IIS (or Azure) and Client from local development system
Some more details:
Both requests made for the same service i.e. same domain, same protocal, same port nr, etc.
Updates at 20-12-2012 15:14:
As I said earlier Login functionality working on Ajax call without fail, Fiddler shows the Set-Cookie on Response, but Browser not reading the Cookie.
Tried to read document.cookies on "complete:" event of $.Ajax(), where I unable to read the cookie. means browser not getting or holding the cookie (where Fiddler shows on the Response of the same)
Regards,
Ramakrishna

Using the Forms Auth, have you performed some actions to take the ASP.NET Session out of process and out of server?
You cannot share the session between servers, so you have to either use SQL Session State provider and put session into SQL Azure, or use the Windows Azure Cache and provided Session State Provider to storage the session into a cache.
I'm sure you are good in using internet search engines, but here is a list of good articles to start with (taking the session out of process):
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_buildingappswithcacheservice_topic3.aspx
http://msdn.microsoft.com/en-us/library/windowsazure/gg185668.aspx
http://msdn.microsoft.com/en-us/library/windowsazure/gg278339.aspx

Related

Authentication and websockets

I'm doing this -
Load single page application - an apollo client is initialised with a websocket and http link. This happens when the user is logged out, let's say.
The user then logs in without a page reload. The graphql response now contains the session cookie.
Problem - whilst subsequent http requests include the session cookie the websocket connection does not.
How do people solve this problem?
I'm guessing either make all communication with the server via websockets, or, create a new apollo client upon successful sign in and use this for subscriptions.
This is for a chat app. I'm using http and websockets at the moment.

Making sense of "Storage" in a browser

In this post about sessions, they basically say a session is a way the server has to identify a client (in subsequent requests).
The process consist in giving the client a cookie, that's the id. The client sends a request, the server does something like Session[cookie] --> details.
Some NodeJS/Express servers can create a session on connection, and set the loggin to true after successful authentication. Following the previous paragraph, we could do Session[cookie].loggedIn==true, then allow something.
I can see this either persistent or expiring cookies in the browser "storage" in the console.
But where in the server, and where on my machine is stored this data? Would a persistent cookie persist not only browser shutdown but also PC restart?

Two __VCAP_ID__ created for a single JSESSIONID

I have an Authentication microservice in Pivotal cloud foundry which is built on Spring SAML2. It is integrated with PingFederate IDP. Whenever this service is invoked from a web application, a JSESSIONID is created. In order for this service to work properly, sticky session needs to be enabled. The http request for auth and the response has to be handled by the same service instance in PCF. However, it is not happening. Request is going out from one instance and response coming back to another instance. Since the response doesn't find the SAML message in current session, the authentication fails. Below is the flow -
Browser-->GoRouter for UI-->Angular UI Service and Nginx Reverse proxy-->GoRouter for API-->Auth Service-->PingFed
PCF allows to have sticky sessions based on JSESSIONID. However, when the web app tries to access Auth service through Nginx reverse proxy, there are 2 VCAP_ID's created for a single JSESSIONID. Due to this, the response from PingFed is not able to reach the same auth service instance from the request went out. So, i would like to know why PCF is creating 2 __VCAP_ID's for a JSESSIONID, when the request comes through reverse proxy?
I tried different storage like redis. But, since the Spring sAML2 works on httpstorage, i was not successful. It will be like hacking the Spring Saml2 which i don't want to do.
I tried to check which app the VCAP_ID's belong to by restage the applications. I got to know that one VCAP_ID was for reverse proxy instance and the other one was for the auth service. So, the VCAP_ID for the reverse proxy is causing the issue and am not sure how to eliminate that.
Expected: PCF should create ONE VCAP_ID for a JSESSIONID per instance.
Actual: PCF creating TWO VCAP_ID's for a JSESSIONID per instance

Jersey client for accessing web services having Single Sign-On authentication [ webSSO / SSO ]?

I have a web service for which the user authentication is provided by web browser Single Sign-On authentication method , through which a human user is automatically logged in with his/her company email ID from a web browser.
I have written a java Jersey 2.x client (a non human consumer of web service). In client code I am using HttpAuth as
HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic("ENTER_USERNAME_HERE", "PASSWORD_HERE");
But the client fails stating the HTTP status code as 302 (redirection error)
Then I used curl for the same and received the response as an HTML page stating
The document is moved here(<-- a link containing websso url to my resource).
After searching on SO I enabled the FollowsRedirection feature for my jersey client and now the error is changed to
Exception in thread "main" javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
Any pointer on how to handle this authentication problem ?
The issue was finally resolved , so I am going to answer my own question,
After all the RnD , it was clear that there isn't any sophisticated way for passing (Authenticating) the WEb SSO (Single Sign-On) from jeresy 2.x client code.
Although I found some interesting articles regarding kerberos here and here.
So , finally
I created an other URL path as
/AuthWithCert CONTEXT in server proxy configuration and added the requests coming from this path as an exclusion in webSSO login conf.
So automatically the authentication was pointed to default (HttpBasic Client Auth) without any redirection error and the client worked fine.

When django session is created

I don't really understand when session is created and per what entity it is created (per ip, per browser, per logged in user). I see in documentation that sessions by default is created per visitor - but what is visitor (browser or ip)?
What are HTTP sessions?
To display a webpage your browser sends an HTTP request to the server, the server sends back an HTTP response. Each time you click a link on website a new HTTP transacation takes place, i.e. it is not a connection that is persistant over time (like a phone call). Your communication with a website consists of many monolitic HTTP transactions (tens or hundres of phonecalls, each phonecall being a few words).
So how can the server remember information about a user, for instance that a user is logged in (ip addresses are not reliable)? The first time you visit a website, the server creates a random string, and in the HTTP response it asks the browser to create a so called HTTP cookie with that value. A cookie is really just a name (of the cookie) and a value. If you go to a simple session-enabled Django site, the server will ask your browser to set a cookie named 'sessionid' with such a random generated value.
The subsequent times your browser will make HTTP requests to that domain, it will include the cookie in the HTTP request.
The server saves these session ids (for django the default is to save in the database) and it saves them together with so called session variables. So based on the session id sent along with an HTTP request it can dig out previously set session variables as well as modify or add session variables. If you delete your cookies (ctrl+shift+delete in Firefox), you will realize that no website remembers you anymore (Gmail, Facebook, Django sites, etc.) and you have to log in again. Most browsers will allow you to disable cookies in general or for specific sites (for privacy reasons) but this means that you can not log into those websites.
Per browser, per window, per tab, per ip?
It is not possible to log into different GMail accounts within the same browser, not even from different windows. But it is possible to log in to one account with Firefox and another with Chrome. So the answer is: per browser. However, it is not always that simple. You can use different profiles in Firefox, and each can keep different cookies and thus you can log into different accounts simultaneously. There are also Firefox plugins for keeping multiple sessions, e.g. MultiFox.
The session all depends on which session cookie your browser sends in it's HTTP request.
Play around
To get the full understanding of what is going on, I recommend installing the FireBug and FireCookie plugins for Firefox. The above screenshots are taken from FireBug's net panel. FireCookie will give you an overview of when and which cookies are set when you visit a site, and will let you regulate which cookies are allowed.
If there is a server side error, and you have DEBUG=True, then the Django error message will show you information about the HTTP request, including the cookies sent
It's browser (not IP). A session is basically data stored on your server that is identified by a session id sent as a cookie to the browser. The browser will send the cookie back containing the session id on all subsequent requests either until the browser is closed or the cookie expires (depending on the expires value that is sent with the cookie header, which you can control from Django with set_expiry).
The server can also expire sessions by basically ignoring the (unexpired) cookie that the browser sends and requiring a new session to be started.
There is a great description on how sessions work here.