I have a simple login form that submits to a service.
The service has the following behavior
If proper auth details are provided, the service accepts the login and redirects the user to the destination
If the login credentials are incorrect, the service responds by setting a 'abc-xyz' header. The html page submitting the form needs to read the 'abc-xyz' header and display and error message to the user.
I converted the form to make an AJAX call. Now I can read the response header and show the error message. But I'm running into CORS issues and limitations on the service doesn't permit me to configure the service to add the appropriate CORS headers. So I have to submit the form normally without AJAX. But when I do so (with wrong credentials for testing), the html form page refreshes thus losing all the headers.
Is it even possible to read the response headers with a regular form submission? Thanks.
Related
I developed a contact form for my site and it is working and redirects to another url inside my domain when it is sent (for example lets say domain.com/sent). The thing is, if someone by chance decides to access the url domain.com/sent directly, it can be accessed like if he had submitted the form and was redirected there. I also have configured a 404 error custom page for any other page outside the existing ones, is there any way of disabling the domain.com/sent external access and redirecting to the error 404 page and keeping the sent page only for the users who really submitted the form?
Have the response to the POST request to the form handler set a cookie.
Have the handler for /sent test for that cookie and:
If it is set:
Delete the cookie
Display the sent page
If it not send:
Do something different such as displaying an error or redirecting
I created a simple authentication extension that works in conjunction with PluggableAuth for the user to login automatically. Currently, I need two parameters: a username and a token. These parameters are generated by an external system that sends the data by hidden input. I can get the url data and authenticate correctly. But for security reasons I want to pass this data via $_POST and not via $_GET. But I cannot receive this data and store it in the session so that I can retrieve it in my authentication class. Basically, the user receives a link from a wiki page and Pluggableauth does the checks. But I can't find what code I can use to save the post in the session and retrieve it later. Does anyone have any examples of how to do this? Thanks!
Edit: For example, the user needs to go to www.minhawiki.com/something, the external system sends the post data with username and password to this example page, but because of pluggableauth it redirects to Special:UserLogin, then to PluggableAuthLogin and then to my authentication extension. I've tried to get the data on all these redirects but none of them work. The only way that worked to get the data was to direct the post directly to Special:UserLogin but that way I can't redirect to the login page.
I want to send the authorization header when I view the webpage of a local IoT device (http://deviceip). The device uses an authorization header encoded in basic.
I have created a web server using Node.js and Express.js with a URL link to the device, but I have not been able to set the authorization header properly and end up with a login prompt.
I have been able to get it working by using a separate proxy server which sends the header upon request and changing the webserver's links to the proxy which sends the authorisation header.
proxy.on('proxyReq', function(proxyReq, req, res, options) { // allows you to alter the proxyreq request object to send authentication before connection
proxyReq.setHeader('Authorization', auth); // sends Authorazition header auth
});
Is it possible to send the authorization header using a function in the web server when the URL is clicked as opposed to using the proxy?
"Is it possible to send the Authorization header using a function in the web server when the URL is clicked as opposed to using the proxy?"
No, it's not possible. The reason is:
The only way to add headers to a request from inside a browser ("the URL is clicked") is using the XmlHttpRequest (Ajax).[source]
If it is an Ajax request, you can't fetch the html response and then re-render the whole page. Otherwise, it would bring huge security problem -- any JavaScript code in browser can send an Ajax request and show user a completely new page, which is perfect for phishing attack.
I'm trying to create a http POST request using POSTMAN to this URL:
http://www.mfinante.ro/agentinume.html?pagina=domenii
on the codFiscalForm from HTML.
I set the input name=Oracle and judet=BUCURESTI and I'm receveing a piece of HTML, where I don't have the information I need (a HTML table form).
What I am doing wrong?
The reason of missing HTML table data in HTTP response is: The POST /numeCod.html request (action of codFiscalForm) is protected by TS*** Cookies. In POST /numeCod.html request, if TS*** Cookies, such as TS018732dc, TS5d0550f8_27 etc. are missing or incorrect, the request would be rejected by server.
When is TS*** Cookies retrieved/updated?
TS*** Cookies are retrieved or updated when you open webpage /agentinume.html?pagina=domenii. Please note all HTTP responses when open /agentinume.html?pagina=domenii will set/update TS*** Cookie, including responses of .js, .png files request.
When the result page is opened after submitting form, the TS*** Cookies are updated again.
How to confirm TS*** Cookies are critical for retrieving data?
On webpage, before click button VIZUALIZARE, you can open browser debug tool, such as Chrome DevTools, and delete one TS*** Cookie in panel Application - Cookies. After that, click button VIZUALIZARE will lead to an HTML page without table data.
Why Postman does not work even when TS*** Cookies are defined in headers?
Because TS*** Cookies keep changing, it is very difficult (if not impossible) to get the latest valid TS*** Cookies programmatically.
Most JWT tutorials I've seen say that you can attach it to the headers with AJAX. How do you attach the token on the initial page load?
For example, if a user goes to the base URL '/' and they don't have a token then show them the page. If they do have a token, redirect them to their profile page.
Edit:
I'm returning the generated token with a jquery ajax success function then redirecting the user. When the user gets to the home page ('/'), I'd like the access token to be sent via http headers to my server. Then the server can handle the request. However, anytime the user returns (if they close the browser and go to "mywebsite.com" or any other page), I'd like the server to be able to access the token. Are http headers the best way to do this?
success: function(token){
localStorage.setItem("token", token);
window.location.href('/');
}
If my application was a Single Page App (SPA), I could just use ajax all of the time, but it's not.
You cannot achieve what you want with HTTP headers. HTTP headers are something which are sent when a request is made to the server. In your case, you want to remember something about the client even if they close their website and come back later. The easiest to do that is through cookies.
Basically generate the JWT token for the client and send it to the client as a cookie. This logic will be written on the server side and there are many libraries available to do this depending on the technology you have chosen for server side. Then everytime the client makes a request to your server, browsers make sure that the stored cookies are sent.