I am working on a C++ Windows Phone application that uses IXMLHTTPRequest2 to perform HTTP requests. I have run into a situation in my app where I want to remove one of the HTTP cookies that the server assigned to the session. The cookie is used for authentication, and I want to remove it to force a new logon.
I could not find a method to remove a cookie, and when I tried to overwrite the cookie with a new value, it did not work.
The original value of the cookie was set with the set-cookie header:
Set-Cookie: XYZ=9c2725ec03169f17345525d5f4f58455e445a4a42;Secure;Path=/
I tried to manually inject my own expiring cookie in this format:
XYZ=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;
However, when the next request was sent, it still used the original cookie sent by the server. Is there any way that I can properly accomplish this?
Thanks
Ok, I figured it out. Looks like I was just setting the cookie incorrectly:
XHR_COOKIE xhrCookie = {0};
xhrCookie.pwszUrl = url;
xhrCookie.dwFlags = XHR_COOKIE_IS_SESSION;
xhrCookie.pwszName = L"XYZ";
xhrCookie.pwszValue = L"xyz;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;";
DWORD dwCookieState = 0;
// Overwrite the server-set cookie; dwCookieState receives the resulting cookie state
m_xhr->SetCookie(&xhrCookie, &dwCookieState);
I am writing a Chrome extension that makes calls to an API, and for that I am trying to get some existing session cookies in the service worker. My worker makes a call like this:
const cookies = await chrome.cookies.getAll({});
const sessionToken = cookies.filter(
    cookie => cookie.name === "__Secure-next-auth.session-token")[0].value;
However the value I get back for the cookie is different than the value in chrome dev tools. Interestingly enough both values have the same prefix (the value is long, I only pasted enough to demonstrate my point):
Dev tools cookie: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dCOoryziuSU3zkJl...
chrome.cookies.getAll: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..colJ2H6th0yLZ9Q8...
In case it's useful the cookies have the HttpOnly parameter set. Can anyone guess why the cookie values might be different?
My worker is running after the page has loaded (so there's no chance that I'm getting an old value). I know the value the Chrome API is giving is completely invalid because when I try to use it with the API I'm calling, I get "invalid token". On the other hand, the cookie in dev tools works with my API.
I thought maybe the cookie value had been decoded/encoded in some way but then why would the prefix match? I thought maybe the chrome API is storing multiple cookies with the same name, but when I log cookies, there is only one cookie with this name.
Would appreciate any thoughts.
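Why two different values can share that prefix, as an added example that is not part of the original post: in a JWE compact token (RFC 7516) the first dot-separated segment is only the base64url-encoded protected header, so it is the same for every token issued with the same algorithm settings. The function names are hypothetical, and the sample strings are the truncated prefixes quoted above with the trailing "..." dropped.

```javascript
// Added example. Segment order of a JWE compact token per RFC 7516.
const JWE_PARTS = ['protected header', 'encrypted key', 'iv', 'ciphertext', 'tag'];

// Decode the first segment (base64url JSON) without touching the rest.
function decodeProtectedHeader(token) {
  const first = token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(first, 'base64').toString('utf8'));
}

// Report the first segment in which two compact tokens differ.
function firstDifference(tokenA, tokenB) {
  const a = tokenA.split('.');
  const b = tokenB.split('.');
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) return { index: i, part: JWE_PARTS[i] || 'unknown' };
  }
  return null; // identical as far as the visible segments go
}

// Visible prefixes from the post (truncated there; the "..." is dropped here).
const devTools = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dCOoryziuSU3zkJl';
const fromApi = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..colJ2H6th0yLZ9Q8';

console.log(decodeProtectedHeader(devTools));   // shared header
console.log(firstDifference(devTools, fromApi)); // where the values diverge
```

The empty second segment is the encrypted-key slot, which stays empty with direct encryption ("alg":"dir"); everything that identifies one particular token starts at the IV.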
I have a question about the lifetime/behavior of a session cookie
The user opens siteA.com. An authentication cookie sessionAuth=xyz is set. The cookie is HttpOnly, Secure and Expires=Session.
siteA.com redirects to siteB.org by submitting an HTTP form, so the HttpMethod is POST.
siteB.org does some stuff and redirects back to siteA.com, also with HTTP-Form and HttpMethod=POST.
Should the browser now send the cookie sessionAuth=xyz with this HTTP-Request?
I did some tries with Chrome 86.0.4240.111 (64-Bit), unfortunately sometimes the cookie was added sometimes not. But I couldn't figure out when/why it worked and when not.
My thoughts:
Yes, the cookie should be added because the browser was not yet closed, so the session is still valid.
No, because the cookie is from siteA.com, but the HttpPost is done by siteB.com
No, because the session is closed as soon as the first redirect/form-submit happens.
What is the correct behavior?
I have the impression this worked in the past (cookie available and added). Maybe the latest cookie privacy changes have some impact? https://blog.heroku.com/chrome-changes-samesite-cookie
I have some questions.
Are SiteA.com and SiteB.com on the same domain?
How do you create your cookies?
For me:
setcookie('admin_id', $result['admin_id'], time() + 28*24*3600, "/", null, false, true);
When we declare like that the cookies are valid in any part of the site.
I'm working on a .NET Core MVC project.
As the title suggests my goal is to store a cookie that will eventually be accessible through an iframe.
In order to achieve that this is what I did -
Startup.cs -
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.None
});
Using the actual CookieOption class -
public void SetCookie(string key, string value, int? expireTime, HttpResponse Response)
{
    CookieOptions option = new CookieOptions();
    //allow cross-site cookies for iframes
    option.SameSite = SameSiteMode.None;
    if (expireTime.HasValue)
        option.Expires = DateTime.Now.AddMinutes(expireTime.Value);
    else
        option.Expires = DateTime.Now.AddMilliseconds(10);
    Response.Cookies.Append(key, value, option);
}
Doing the above, it seems like it doesn't always work as intended.
I've tested lots of browsers, both desktop and mobile.
Just found out that sometimes the cookie is stored successfully like so -
Send for: Any kind of connection
Accessible to script: Yes
And sometimes, on the same exact Chrome version, just a different computer, it's stored like so -
Send for: Same-site connections only
Accessible to script: Yes
Which basically means it won't be accessible using iframes.
The problem isn't a specific computer issue, as I managed to duplicate the problem on 3 different computers running the same Chrome version, which works fine on other computers.
The example above was produced using this Chrome version (last version):
Version 80.0.3987.149 (Official Build) (64-bit)
Anyone have an idea how I can overcome that? Gotta make sure cookies will always be accessible using an iframe.
Thanks!
Edit - Attempt with Secure and HttpOnly flag
So I've adjusted my code to set the HttpOnly and the Secure flags to true.
The computers that usually worked fine had these cookie settings -
Send for: Secure connections only
Accessible to script: No (HttpOnly)
And it works fine with iframe.
The computer which didn't work before had these cookie settings -
Send for: Secure same-site connections only
Accessible to script: No (HttpOnly)
Which obviously didn't work with an iframe...
Just updating of another approach that didn't work.
Edit 2 - Using Fiddler to intercept the cookies response:
So using Fiddler to read the cookie, this is what it looks like -
Set-Cookie: __cfduid={randomvaluehere}; expires=Fri, 24-Apr-20 17:37:48 GMT; path=/; domain=.domain.com; HttpOnly; SameSite=Lax
Set-Cookie: mycookie=mycookievalue; expires=Fri, 24 Apr 2020 17:37:49 GMT; path=/; secure; httponly
So it seems like the response is storing a cookie which is SameSite=Lax on the apex of the domain, which I don't care about.
I work on a sub-domain, which is the second Set-Cookie that is shown above.
Looks like SameSite=None isn't explicitly presented. Should it be? If so, why wouldn't it be, seeing the code above?
Also reminding you that exactly that works fine for other browsers or other computers with the same Chrome version.
The sample above is exactly the same on a computer where it worked and on one where it didn't.
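A model of the SameSite decision behind both this iframe question and the earlier cross-site POST-back question, as an added example that is not part of either post. It assumes the rules Chrome began rolling out with version 80 (the change the Heroku article linked earlier describes): a cookie with no SameSite attribute is treated as Lax, and SameSite=None is honoured only together with Secure. The function names and request objects are hypothetical.

```javascript
// Added example: a simplified model of SameSite handling, not browser code.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// Assumed rules: no SameSite attribute is treated as Lax, and
// SameSite=None is only honoured together with Secure.
function effectiveSameSite(cookie) {
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  return cookie.sameSite === 'strict' ? 'strict' : 'lax';
}

// req = { crossSite, topLevel, method }; ageSeconds = time since the cookie was set.
function isSent(cookie, req, ageSeconds = Infinity) {
  const policy = effectiveSameSite(cookie);
  if (policy === 'rejected') return false;
  if (!req.crossSite || policy === 'none') return true;
  if (policy === 'strict' || !req.topLevel) return false; // iframes are not top-level
  if (req.method === 'GET') return true;                  // safe top-level navigation
  // Chrome's temporary "Lax+POST" allowance: attribute-less cookies younger than
  // two minutes still accompany a top-level cross-site POST.
  return cookie.sameSite === null && req.method === 'POST' && ageSeconds < 120;
}

// Second header from the Fiddler capture above, and a constructed corrected variant.
const captured = parseSetCookie(
  'mycookie=mycookievalue; expires=Fri, 24 Apr 2020 17:37:49 GMT; path=/; secure; httponly');
const corrected = parseSetCookie(
  'mycookie=mycookievalue; path=/; Secure; HttpOnly; SameSite=None');
const iframeLoad = { crossSite: true, topLevel: false, method: 'GET' };
const postBack = { crossSite: true, topLevel: true, method: 'POST' };

console.log(effectiveSameSite(captured), isSent(captured, iframeLoad));
console.log(effectiveSameSite(corrected), isSent(corrected, iframeLoad));
console.log(isSent(captured, postBack, 30), isSent(captured, postBack, 600));
```

Under these assumptions the captured header is withheld from a cross-site iframe, and a cross-site form POST carries an attribute-less cookie only while the cookie is under two minutes old.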
I'm having issues setting session cookies in Internet Explorer 3.0. Does anyone know if there is something special that needs to be done?
I'm doing it with PHP, like so: setcookie('test', '1');
I'm not using a path or expiration time, is that necessary?
Perhaps someone has some old experience, or a 1997-1998 web development book laying around?
In case anyone is wondering why I'm bothering with this, because no-one uses IE3 anymore, and it's hard, yadda yadda, it's an art project.
Edit: Just to clarify, I have not tried setting cookies via JS yet, this is being done via HTTP.
I'm not sure the setCookie was around at this time. You could, however, use the older way of setting a cookie, which is
document.cookie = "someCookie=someCookievalue"
or
document.cookie += "someCookie=someCookievalue"
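if you don't want to override cookie.
You can then retrieve it using the document.cookie property. This will return a string of all the cookies. You can parse them using this function.
function parseCookie(cookiesString) {
    var cookiesOutput = {};
    // document.cookie separates the pairs with "; "
    var cookieKeysAndValue = cookiesString.split(';');
    for (var i = 0; i < cookieKeysAndValue.length; i++) {
        var pair = cookieKeysAndValue[i];
        // drop the space after each ';' so keys are not stored as " name"
        while (pair.charAt(0) == ' ') {
            pair = pair.substring(1);
        }
        // split on the first '=' only, since a value may itself contain '='
        var eq = pair.indexOf('=');
        if (eq > 0) {
            cookiesOutput[pair.substring(0, eq)] = pair.substring(eq + 1);
        }
    }
    return cookiesOutput;
}
document.cookie = 'someCookie=SomeCookieValue';
console.log(parseCookie(document.cookie));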
I'm not 100% sure this will work since, you know, you are using Internet Explorer 3. But it is worth a shot.
If you need more information on that, you can consult the MDN doc
P.S. I tried to write something old javascript type as much as I could, but there still might be some errors. I already miss the modern browser features.
So I've gotten to the bottom of this issue, and there were three causes for my confusion:
First, if you don't set a path= parameter for the cookie, IE3 will assume that the cookie is for this exact path only. This means that it will send back the same cookie when accessing /test.php again, but nowhere else on the site.
The solution is to include path=/ when setting the cookie.
Second, IE3 does not recognize cookies without an Expires parameter. The solution is to include Expires= in the Set-Cookie header, in "standard" cookie format.
The third is caused by the new Max-Age parameter, helpfully added by PHP for some reason, which IE3 does not recognize. Instead, it assumes everything up to and including Max-Age is the cookie name.
The solution is to set the cookie using PHP's header() function instead, like so:
header('Set-Cookie: test2=hi; expires=Tue, 02-Feb-2021 04:20:00 GMT; path=/');
(In this case, test2 is the name of the cookie, hi is the contents, and it expires about a year from today, on Feb 2nd.)
I have a small multiplayer Flash game in which you can display a player profile by clicking at his or her avatar:
const PROFILE_URL:String = 'http://myserver/user.php?id=';
try {
navigateToURL(new URLRequest(PROFILE_URL+id), '_blank');
} catch(e:Error) {
}
This works well, but now I'd like to extend the user.php, so that players can add comments about each other. For authorization I'd like to use HTTP cookies, passed from the game.swf to the user.php.
(I don't want to use GET or POST here, because GET will have the auth. variables in the URL and players might occasionally send that URL around or post it in my forum. And POST will ask to re-post the request when you reload).
My problem is that I can't find the way to set HTTP cookies through the navigateToURL() method. Please advise me.
Regards,
Alex
You could first authenticate by logging in via a separate call, for example login.php, and that script would start a session. Then all other calls to the same domain would already have the session started and you could check authentication. No need to worry about cookies when PHP can do it for you.
Assuming that you already have the cookie value in your swf you should be able to use the URLRequestHeader together with the URLRequest as follows:
var header:URLRequestHeader = new URLRequestHeader("Cookie", "<the cookie>");
var request:URLRequest = new URLRequest("http://example.com/script.php");
request.requestHeaders.push(header);
request.method = URLRequestMethod.POST;
navigateToURL(request, "_blank");
Under certain circumstances, the browser will send the cookie to the server if it has been already set even if you don't explicitly include it in the request. This depends on the browser and the version of the Flash Player. You might also need to adjust your crossdomain.xml file.
Also note that there might be security implications of passing around an unencrypted cookie token. See Firesheep.