Can we restrict from storing cookies in sharedHTTPCookieStorage by default?
I am using other approach for session authentication and don't want cookies to be sent to server on each server request. Currently I read all cookies from sharedHTTPCookieStorage and delete them manually after Login.
It would be better if they are not set automatically by default at first place.
I'm not an expert on this. But I worked on some apps that need to cache zero to none info for security reasons.
I think that you could go with a combined approach.
Defining a no-caching policy to responses, on NSCachedURLResponse and also intercepting calls with your own NSURLProtocol.
Here's some info on the whole URL Loading system on iOS
I hope it helps a little! Good luck!
Related
I am doing an api with Rails(api-only). Security is so importand for me. I got 2 question. 1-) I am keeping user's id in session[:authID], is it safe to use like this? 2-) Do i need CSRF protection for api-only? I'm using Next.js for client. If it is needed, how can i?
Q1. I am keeping user's id in session[:authID], is it safe to use like this?
ANS - It's not good practice to keep user ids in session as it reveals your table structure (not fully but still) like where your user table's primary key starts from. Rather than that you can use device-token-auth gem (details can be found here and here)
Q2. Do i need CSRF protection for api-only?
ANS - Cross-Site or Cross-Session Request Forgery requires a user to have a browser and another trusted website. This is not relevant for APIs, since they don't run in the browser and don't maintain any session. Therefore, you should disable CSRF for APIs. You can check here for details.
Hope the brief helps you.
Thank you
In looking at persisting user information across a web session (.Net MVC), if we use a state server and set cookieless=true, is there still a cookie stored on the user's system, as it relates to the .Net authentication, etc.
We would also use the state server to store what would have been used in a session object.
I to realize that some cookies are good - ie, AntiXsrfToken and
__RequestVerificationToken. Apart from these, we are looking for a fully cookieless solution.
Thank you.
if we use a state server and set cookieless=true, is there still a cookie stored on the user's system?
This question is incomplete.
I can only give you the answer you're looking for: when using cookieless=true, ASP.NET will not use cookies on the client machine to store the session ID. That is all that this setting does in regard to cookies.
If you use user controls or application code that do use cookies, those are unaffected by that setting - such cookies will still be sent to the visitor's machine.
It is possible to expire cookies automatically when the user logouts? Or it should be done manually? If manually, how can I get a list of all cookies I have during a session? (I know the names of all my cookies but I do not want to explicitly set every cookie to nil manually)
Shortly - no. Rails its a pretty web framework. You needn't worry anything, only for business logic.
Read off docs about security for more details.
Summary of problem: I am using MKNetworkKit and use Basic Auth to authenticate myself against a REST server. I am no expert on the detail setup on the server side. All I know is that it will take a Basic Auth without SSL.
If I authenticate myself with a valid user/password, and if I do so 2nd time with some bogus input, it will still succeed. I read documentation and tried to do this:
[op setCredentialPersistence:NSURLCredentialPersistenceNone];
it doesnt work. But if i do this:
[op setCredentialPersistence:NSURLCredentialPersistenceNone];
[op addHeader:#"Cookie" withValue:#""]; // a hunch I tried
then it seemed to work. It is as if some cookie is always being passed and the server accepts it without even checking the authorization header. I have done a few test where I will provide things in this order (good, bogus, good), and (bogus, good, bogus), and it seemed to be working as expected.
Now, could someone point out if this is not how things should work, that there must be a bug somewhere, either MKNetworkKit, or the server side? If I set NSURLCredentialPersistenceNone, then why would adding that Cookie header will make it work?? it must have overwritten the thing it would have sent and caused the wrong behavior, and thus "fixed" it.
Due to the stateless nature of the HTTP protocol, clients often use cookies to provide persistent storage of data across URL requests. The URL loading system provides interfaces to create and manage cookies, to send cookies as part of an HTTP request, and to receive cookies when interpreting a web server’s response.
OS X and iOS provide the NSHTTPCookieStorage class, which in turn provides the interface for managing a collection of NSHTTPCookie objects. In OS X, cookie storage is shared across all apps; in iOS, cookie storage is per-app.(check https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/URLLoadingSystem/URLLoadingSystem.html#//apple_ref/doc/uid/10000165-BCICJDHA) As stated by Moxy Try to log [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies].I was facing the same issue and reason was cookies were used and maintained by the server.As redirection was taking place whenever i logged in using the credentials i checked the request and response in
(NSURLRequest )connection: (NSURLConnection)inConnection
willSendRequest: (NSURLRequest*)inRequest
redirectResponse: (NSURLResponse*)inRedirectResponse
And cookies were maintained in the headers.The only thing you can do is sending a random cookie for a new session
I am using this answer here to log unique page views in my app: https://stackoverflow.com/a/15174466/1235816
I am using a cookie to check for unique visits. As far as I am aware, because the site will be hosted in the UK, I should have a message which asks the user to accept cookies or if they don't... it asks them to leave the site.
I want it to work like this... If a user wishes to accept cookies, then the 'app-name-visited' cookie should then be downloaded, otherwise if they just exit the site without clicking accept, no cookies are downloaded to the clients machine...
Is this:
1/. a correct way of thinking?
2/. possible?
The cookie law has since been modified, so this is not quite necessary any more, you only need to let the user know that they you will be using cookies.
The organisation that enforces this is the ico, which doesn't ask for permission for cookies on their site:
http://www.ico.org.uk/
Suggest you follow this pragmatic approach.
If you are wanting to comply as per your question I did some work on this a while back for rails projects which should be a decent starting point:
https://github.com/yule/threepwood