I have a cookie that is being set by Microsoft ISA. I want to check that the cookie exists from ColdFusion, but the cookie isn't listed in the cookie scope. The page I'm trying to read the cookie value from is using HTTPS. Why can't I read the cookie? All the non-secure cookies are listed in the cookie scope.
If the domain value of the cookie was set by another domain then it can't be read by your web application.
It would be a security breach if www.attackerwebsite.com could read session cookies from www.yourbank.com.
I think I've found the problem. The cookie is created by the ISA server as httpOnly. Does that mean the only way to access the cookie is from the server it was created on?
The definitive answer: the ISA server sits between the client and the web server, and it grabs the cookie and doesn't let go. I can access the cookie through ColdFusion from any machine on the domain that is not behind the ISA server. So the solution I came up with was to get the cookie value through an JSONP AJAX call to another machine in the domain.
Related
is there a way to set a httponly cookie with blazor server side?
Setting a non httponly one with js-interop is not a problem but in case of httponly it is obviously not possible this way.
Thanks in advance
Holger
It seems that HttpOnly cookies are not accepted with Blazor Server as they are with Blazor WASM.
One of the reasons I was interested in using HttpOnly cookies with Blazor Server was for passing authentication tokens from a Blazor App to some back-end in a secure fashion.
Fortunately, there is a secure alternative to HttpOnly cookies in Blazor Server that may assist you. This is called ASP.NET Core Protected Browser Storage. You can store what ever you want in local storage or session storage, but it will be encrypted so that only the server can decrypt and read the stored details. This reduces the potential risk of tampering with stored data. While this is technically different to HttpOnly cookies, it can be used as a solution to solve similar problems.
You can read more about it here: ASP.NET Core Protected Browser Storage
Wicket saves jsessionid (actually tomcat does that) , now can I make those jsessionid cookies as persistent cookies and can I use them to make the user login next time he/she visits my page .
The idea behind 'JSESSIONID' cookie is to track a live user session.
Once this session is expired at the server side, i.e. inside Tomcat, the cookie becomes useless. The browser will send it to the web server and there it will be ignored.
What you ask for is "RememberMe" cookie. This cookie usually brings encrypted information about the user. If the user session is expired then the application will forward you to the login page. During this process the application may check for such RememberMe cookie and use it to auto-login this user without asking for her credentials.
Apache Wicket provides DefaultAuthenticationStrategy with support for RememberMe cookie. See wicket-auth-roles SingInPanel.java and the source code for http://examples6x.wicket.apache.org/authentication3 to see how it works. You could also use Spring Security, Apache Shiro, Stormpath, etc. for the same functionality if you decide so!
I found out that for some users of my website the _ga (client id) cookie is empty while I really need it in my script for 100% of users.
I found this out by logging what's happening in my PHP script. This is strange to me, because for me the _ga cookie is always present, no matter which browser I use.
1) Why can the _ga cookie be empty?
2) Is there any way to force creating it? Or maybe there is another way to find out the client id of the user on the server-side?
If javascript or cookies are disabled on client browser cookies always will be empty. You can implement additional logic on server to form an id from IP and/or User-Agent header of request if cookies are empty.
I am testing an application that requires a user to authenticate, and then uses a cookie to track the user session. If authentication fails, a cookie is set that identifies the session as belonging to an unidentified user.
Unfortunately, authentication is via Kerberos or NTLM, which cannot be done in JMeter 2.8. My plan is therefore as follows:
Log into website with Internet Explorer.
Copy cookie that identifies session out of IE and into JMeter cookie manager as a user-defined cookie.
Use JMeter to test application
Essentially, this is session hijacking.
What I am observing is that (1) the JMeter cookie manager does not seem to be supplying the cookie to the application in the first request, (2) after the first request the application sends a different cookie back to JMeter, and (3) subsequent requests use the application-defined cookie, not the one I supplied.
So my questions are:
Is the approach described plausible, in theory at least?
Do application-defined cookies always override user-defined cookies?
Why might the cookie manager be not sending my user-defined cookie?
Thanks in advance.
Try using JMeter nightly build, it has been reported recently that it worked with NTLM after upgrade of httpclient libraries.
http://jmeter.apache.org/nightly.html
You approach seems really weird to me and I don't think it will work or even if it does be realistic.
ColdFusion sessions are supported with a combination of CFID, CFTOKEN and jsessionid values. When a cfm page is first hit, these values are established thus creating the SESSION.
My question is, if the SESSION is created under HTTP and then a link is clicked to get to a login page under HTTPS, are those SESSION token values compromised because they were created under http (i.e. they were passed in clear text as part of the request).
I'm guessing that someone astutely sniffing the a public router could get those values and then spoof the session from then on out. It would definitely be a rare occurrence, I know, but nevertheless a concern.
Yes, your cookies will be vulnerable to eavesdropping and session hijacking if you pass them over a non-secure channel. Wikipedia has some good prevention mechanisms listed on their Session Hijacking page. Probably the easiest is to do as invertedSpear said and just regenerate the session after a successful login, and once logged in, stay on HTTPS.