I'm making an offline webpage that automatically logs into an online website.
The website uses ssl (https) and to login it uses a form (post variables)
The problem I'm encountering is the following:
The site only accepts my offline form, when I open the online login page first.
This is because the website uses (server-side) sessions which are made when opening the first page. (The purpose of the session is to detect a time-out)
When I first open the online website and then run my offline page everything works fine.
So I need to make my offline webpage open the online website before posting the form automatically.
I tryed this with an iframe, but this doesn't work in internet explorer, as it is a https website. (It does work in Chrome, firefox,...)
I was wondering if Ajax could send a https page request before posting my form. But I guess not as it is https.
Does anybody know a method to send a https page request just like the browser does, but without showing it's output? Afterward I can automatically submit my form.
Thanks in advance!
Internet Explorer treats iframes from other domains as third party content, and uses a separate set of security policies for them. The security zone settings are also in effect between file:/// "local machine"/"offline" webpages and "internet"/"online" webpages. Cookies are usually blocked from third party content (depending on your settings), which means that the unique session key set in the cookies won't be saved. Without this key, the site you are trying to log in to will "forget" your session/login.
Cross-domain AJAX request are also affected by security zones and cross-domain policies, but the settings may differ between IE versions.
There are ways around the limitations, using P3P policies, if you control the target web page. Cookie blocked/not saved in IFRAME in Internet Explorer shows how. But, if you do own the web page, it would be better to enable or implement your own "remember me" feature.
In your case, depending on if you are the only one to use your offline autologin webpage, perhaps allowing third party cookies in Internet Explorer will help. See Options > Privacy > Allow all cookies (or in a similar). This will allow others (mostly ad companies) to track you all over the internet though.
If the purpose for your autologin page is testing, rather than actually using the browser as a human being, perhaps you can automate both logging in and testing?
Related
I need to set login cookies manually in Chrome when testing our site in certain testing environments because the normal login process doesn't work there.
I can get the cookies manually using Postman.
Normally I'd use F12 -> Application -> Cookies but our site immediately redirects you to a our centralized login page (which is on a different domain).
Any idea how to add a cookie to a domain in Chrome if I can't open the domain for long enough?
EditThisCookie doesn't work for this anymore. I found the easiest approach to be to go to a static resource on the site you're visiting that doesn't redirect you —like the URL of the logo in the login page for example— and set the cookies that way.
I found an extension that allows me to do it, called EditThisCookie. I installed it in a separate Chrome account (just for safety) and then I could add a cookie to a site even when it is not currently opened, thus avoiding the redirect:
I am publishing a Visio 2013 drawing to a site (using File->Export->Change File Type->Web Page (*.htm). The website is checked into CM and then labeled. My web server has a (ClearCase) view based on this label that automatically refreshes itself.
What I'm finding is that my browsers are always showing the cached (old) version of the pages. I've been able to change my IE browser settings so that it always refreshes the cache (Internet Options->General Tab->Settings->Check for newer versions of stored pages = Every time I visit the webpage. When I do this, I see the changes.
But, this isn't a real solution. I don't want to have to tell my viewers to change their browser settings so it automatically refreshes. Is there something I need to do to the page contents to tell all browsers to refresh?
You can handle caching of browsers through the http response your server provides.
The Cache-Control field of the http response no-cache can prevent clients from caching the drawing if it is something you expect would be refreshed often: Mozilla Docs
Alternatively you can set the Expires field of the http response to expire after a day if the image would be updated on a periodic basis: Mozilla Docs
The following question has a good comparison of the two: what’s the difference between Expires and Cache-Control headers?
I know this has been asked a few times, but on all the answers I found there was someone asking if it would still work and somebody else saying that it doesn't, so I was wondering if there is a solution to this problem that still works with the latest version of chrome:
Lets say we have website with an iframe embedded in it, the iframe source is from another host. The page inside the iframe needs cookies to work, but Google Chrome seems to refuse to set cookies that are set within the iframe. (This only happens when "block 3rd party cookies" is checked which seems to be happening on its own because I have multiple reports from different users who didn't touch the advanced options)
I have control over both of the sites, though I can only modify the html on the page that contains the iframe, no server side stuff.
Things I have tried so far that didn't work:
Emedding an image from the same host as the iframe's source
making a post request to the iframe
setting up a P3P header
I can also send messages using xdm, though I don't know if that could help.
If anyone has any further ideas it would be greatly apreciated! I feel like there must be a solution to this problem somewhere
Setting cookies inside an iFrame can be troublesome. However, iFrame can access cookies set outside the iFrame. You can show the page in a popup window which sets the necessary cookies (like authentication, etc) and then access these cookies from within the iFrame.
This is very helpful in case you want to authenticate user on some other domain. Just show a popup, authenticate and set cookies, then access these cookies on your site from iFrame.
Visiting my site in SSL and in Chrome (12.0) I get
Your connection to someWebsite is
encrypted with 256-bit encryption.
However, this page includes other
resources which are not secure. These
resources can be viewed by others
while in transit, and can be modified
by an attacker to change the behaviour
of the page.
The connection uses TLS 1.0.
The connection is encrypted using
AES-256_CBC, with SHA1 for message
authentication and DHE_RSA as the key
exchange mechanism.
The connection is compressed with
DEFLATE.
I searched with FireBug (NET tab) and Chrome Inspector and all resources are accessed via https. Where is the problem? *I cleared the cache already
What could be the problem?
Chrome will give this error if you've visited another https page on the same domain that had mixed content however this should not be the problem if you've tried clearing your cache.
You might want to try Ctrl-Shift-J for the JavaScript console, it should show the insecure content.
I have the same thing - and I read from the Google Chrome help site that elements on the site are not encrypted - like videos. I looked via Firefox - right click->View Page Info->Media tab and saw that every time I use a YouTube video in my video player I have plain http addresses like:
http://s.ytimg.com/yt/swfbin/watch_as3-vflrEm9Nq.swf and
http://img.youtube.com/vi/V6JgyNy59yA/1.jpg
I think these non https links are causing the security message site-wide. Thus, it appears using videos from 3rd party sites will always throw a security error in Google Chrome for https pages.
That's my answer - but I have no solution yet. I need to be able to share videos from youTube in our news section, but my online store section needs to use https without scary red letters and slashes through it for my clients.
Has anyone dealt with this effectively?
Thanks
Had the same problem on my Magento Site. Be sure to change all image and js links (even in .css) from http:// to simply //. Solved it for me.
I had the same issue, my problem was that some img tags had src to http instead of https, it does not matter even they link to other domain like <img src="http://otherdomain.com/image.jpg" /> it still shows that warning. As soon as I changed all internal and external img links to https the warning disappeared.
If you check the page and it seems to have no insecure content, check to make sure that something on the page is not submitting data to an insecure location.
Content should be submitted over HTTPS, not HTTP.
Trying to copy a cookie from second.com to first.com, with full control of both domains.
Previously an iFrame was used, however this is not able to work across all browsers as it touched on 'third-party cookies' which are hard to implement and impossible in Safari and Chrome.
The new approach uses a SCRIPT tag pointing to second.com and included in the HEAD of first.com. The server-side script is actually a piece of Java which reads the cookies sent with the request (the cookies from second.com) and the JavaScript returned executes on first.com and essentially duplicates the cookie here. This is working great in all browsers except IE, where IE appears to not be sending the second.com cookies with SCRIPT request, so the Java is not able to pickup the cookie value from second.com.
This is surely to do with IE security settings as when I put privacy to the lowest level it is working, but my question is why are the cookies being blocked at all? I thought the SCRIPT tag was not subject to the same origin policy (that AJAX and other technologies have to comply with).
Any solution to this without heading down the P3P privacy policy route?
It's definitely IE security settings, if you're attempting this you'll need to set a P3P compact privacy policy on the page which sets the cookie on first.com, even before you've reached second.com