I'm developing an app that logs into a HTTPS website. After authentication, the website sends a final cookie that is marked as 'Secure'.
The app works when I use defaultSessionConfiguration() for NSURLSession().
When I change one line in the app to use the backgroundSessionConfigurationWithIdentifier() then I can't proceed past the authentication stage. I do get a webpage showing that I am authenticated but subsequent requests return the login page.
It appears that the "authentication successful cookie" is not present in the shared cookie storage.
This cookie is the only cookie that the website marks as "Secure". Note that this HTTPS website does all it transactions via HTTPS.
TL;DR
What does the NSURLSession background session do differently from the default session to lose a Secure cookie??
EDIT: I've done some more work.
When NSURLSession redirects using the backgroundSessionConfiguration it appears to ignore cookies that were sent in the Header of the redirect? (I think the cookie being "Secure" may not be critical.)
The redirect works correctly when the defaultSessionConfiguration is specified.
It turns out that this is a known bug. Apple r. 16,852,027.
The backgroundSession is known to ignore new cookies on redirect. The solution is to use a defaultSession to get the cookies and then continue using backgroundSession.
See Apple Developer Forum post
Related
[SOLVED READ COMMENTS ]
I got a problem with the asp.net core hosted Blazor app.
locally it works like charm, when it is deployed there is a problem related to the cookies, that I don't know how to fix, I did my best, now seeking help :)
The problem is: once the user comes to the login page he gets this message in the console:
Here I found those cookies in response
There is no way to fix this issue in this scenario, I have tried everything, only one thing will work that is SSL certificate.
Chrome version 80 or higher will block all third-party cookies by default. If you use the api using HTTPS, switch the protocol to the HTTPS and check whether the Set-Cookie in the response header contains SameSite=None and Secure.
If it doesn't use HTTPS, Chrome 80 will intercept the login function under the http protocol, causing the entire local deployment service to be unavailable. For this situation, open chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure in chrome, set it to be Disabled.
I have a website freshly deployed on the internal network of a client. I can test it only by remote desktop on a Windows Server 2012.
The website performs SAML authentication: the browser first receives a session cookie from the website, then is redirected to the SAML identity provider, and comes back to the website with the SAML response, where it also sends back the session cookie. This works fine with Chrome, but for some reason IE11 won't send back the session cookie, which prevents the server from accepting the SAML authentication.
I have no idea why IE11 fails to send the session cookie. I have checked in the Network pane in debug tools, and I do get the cookie (though I can't confirm IE is actually storing it) :
Set-Cookie ASP.NET_SessionId=yzk4rdznlg534so2xuxqmuv4; path=/; HttpOnly
Then I am redirected to the identity provider, but when coming back to the website, it doesn't send the cookie. The cookie is HTTP only so I can't check in the console if it is stored or not. I have used the instructions posted here to see stored cookies, and I can't see a cookie for my website at any time (though redirections happen fast, so it could possibly be added and then removed before I have a chance to see it).
I also believe I have explored all possible security and privacy settings to allow everything, to no avail.
In case it's important, the site URL has no dot (it's https://mmr-pp_sef/)
Any idea how I could troubleshoot what is (or isn't) happening?
Well, turns out that it IS related to the URL used (should have checked myself sooner instead of just pointing out that the URL was weird in my question).
Apparently, IE will not store cookies if there is an underscore _ in the host name. This can be verified by modifying your "hosts" file:
Open the file C:\Windows\System32\drivers\etc\hosts (you'll need admin rights)
Add this line at the end and save the file:
127.0.0.1 test_site
Enter the URL http://test_site in your browser (this assumes your web server listens on 127.0.0.1)
Observe that IE won't store any cookie.
The only workaround I have at this time is to use another host name, that does not contain an underscore, such as test-site.
In my application, I have a screen where user clicks different types of files to view and download them. However this screen is only accessible after user is logged in through web site.
I launch the Safari browser with my URL by using this method:
UIApplication.sharedApplication().openURL(NSURL(string: url)!)
However, the user is being redirected to login screen because he is not authorized to use the website yet.
My question is, how to pass cookies or headers to Safari and launch the URL with those?
You can't do that directly. openURL does just that, no more.
You need to pass required credentials in the URL. The target server may read them from the URL and then set desired cookies in the response.
If you implement that, make sure it can't be abused to set arbitrary cookies or perform session fixation attack. One way to implement that securely is to use one-time identifiers:
In the iOS app contact the server using a valid auth cookie and ask for a one-time long random key, which the server needs to store for a while.
Redirect user to URL with ?key=<that one-time key>
Make the server verify that the key matches and set cookies for the user, and delete the key.
Be careful with passing any secure data in the URL query as it's considered to be a security risk.
Some reasons are:
URLs are stored in web server logs
URLs are stored in the browser history
URLs are passed in Referrer headers
Reference: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
I know it's not what you are looking for, but more secure solution would be to use session level cookies together with WKWebView. Check this SO answer for more information https://stackoverflow.com/a/26577303/14009088
I manage a Rails 4.2 application which runs dual stack: SSL and Non-SSL. I'd like to set the Secure flag for cookies when the resource is requested via HTTPS and I want to leave out the flag when the resource is requested via plain HTTP.
Is there a way to achieve this in Rails (session cookie, cookies sent manually in the Code)? And especially when using Devise with rememberable enabled.
I know this is a late response, but I'm currently looking into the same thing and it seems https://github.com/mobalean/devise_ssl_session_verifiable should automate this for you, although it uses a different approach (regular session cookie over http + https, but an additional secure cookie in https, so that someone hijacking your session cannot access your https-only resources.
I have a HTML5 web app using cookie for authentication. In iOS6 it face some problem receiving cookie from server that the outbound request will not have cookie inside header as before. I come up with idea to request session id from a http request, and put into some where (maybe NSHTTPCookieStorage?) and then all request from UIWebView will contain cookie, then most of the html5 code don't have to change..
Is it the correct way to go? if yes, how to implement this? thanks.