I'm trying to set the session cookie secure flag to true. I added the following to my environments/production.rb
ActionController::Base.session_options[:secure] = true
In the production mode I don't see the set-cookie header in the server response (I'm using the Tamper Data Firefox tool to view the traffic). I tried removing all cookies, manually setting the domain including the child domain(since domain is shared among many applications, the appache server forwards the requests to the right application and thus the request is always received by the application server as if it's coming from localhost).
I also tried to test it in development mode, I assume the server should at least set the cookie even if the request is over http but the browser won't send the cookie over http but again the server does not send the set-cookie header. The session works just fine if I don't set the secure flag. Am I missing something here?
I found out that in my version of actionpack, session cookies are only set over ssl.
Although by definition, the server can set a secure cookie when the request is over http but the browser will not send it with further requests. In my application I don't enforce ssl on the app level but on the appache level instead so the initial request made by rails is over http and the cookie is not set.
Related
[SOLVED READ COMMENTS ]
I got a problem with the asp.net core hosted Blazor app.
locally it works like charm, when it is deployed there is a problem related to the cookies, that I don't know how to fix, I did my best, now seeking help :)
The problem is: once the user comes to the login page he gets this message in the console:
Here I found those cookies in response
There is no way to fix this issue in this scenario, I have tried everything, only one thing will work that is SSL certificate.
Chrome version 80 or higher will block all third-party cookies by default. If you use the api using HTTPS, switch the protocol to the HTTPS and check whether the Set-Cookie in the response header contains SameSite=None and Secure.
If it doesn't use HTTPS, Chrome 80 will intercept the login function under the http protocol, causing the entire local deployment service to be unavailable. For this situation, open chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure in chrome, set it to be Disabled.
I have a website freshly deployed on the internal network of a client. I can test it only by remote desktop on a Windows Server 2012.
The website performs SAML authentication: the browser first receives a session cookie from the website, then is redirected to the SAML identity provider, and comes back to the website with the SAML response, where it also sends back the session cookie. This works fine with Chrome, but for some reason IE11 won't send back the session cookie, which prevents the server from accepting the SAML authentication.
I have no idea why IE11 fails to send the session cookie. I have checked in the Network pane in debug tools, and I do get the cookie (though I can't confirm IE is actually storing it) :
Set-Cookie ASP.NET_SessionId=yzk4rdznlg534so2xuxqmuv4; path=/; HttpOnly
Then I am redirected to the identity provider, but when coming back to the website, it doesn't send the cookie. The cookie is HTTP only so I can't check in the console if it is stored or not. I have used the instructions posted here to see stored cookies, and I can't see a cookie for my website at any time (though redirections happen fast, so it could possibly be added and then removed before I have a chance to see it).
I also believe I have explored all possible security and privacy settings to allow everything, to no avail.
In case it's important, the site URL has no dot (it's https://mmr-pp_sef/)
Any idea how I could troubleshoot what is (or isn't) happening?
Well, turns out that it IS related to the URL used (should have checked myself sooner instead of just pointing out that the URL was weird in my question).
Apparently, IE will not store cookies if there is an underscore _ in the host name. This can be verified by modifying your "hosts" file:
Open the file C:\Windows\System32\drivers\etc\hosts (you'll need admin rights)
Add this line at the end and save the file:
127.0.0.1 test_site
Enter the URL http://test_site in your browser (this assumes your web server listens on 127.0.0.1)
Observe that IE won't store any cookie.
The only workaround I have at this time is to use another host name, that does not contain an underscore, such as test-site.
I'm pretty newbie in https and my project is MVC web application and i've created a self-signed certificate in IIS and set the website's binding to use that certificate and ssl settings to 'require SSL' and I can browse the website over https (although it's not verified and has red x on it).
The part that I don't understand is when I send a request to server (post request), I can still check the network console and see what was the parameter passed.
I can still check the network console
I assume that you mean the information about the send and received data within the browser with "network console". Since the browser is creating and encrypting the data the browser has access to the clear text before encryption and after decryption and thus can show these information.
I manage a Rails 4.2 application which runs dual stack: SSL and Non-SSL. I'd like to set the Secure flag for cookies when the resource is requested via HTTPS and I want to leave out the flag when the resource is requested via plain HTTP.
Is there a way to achieve this in Rails (session cookie, cookies sent manually in the Code)? And especially when using Devise with rememberable enabled.
I know this is a late response, but I'm currently looking into the same thing and it seems https://github.com/mobalean/devise_ssl_session_verifiable should automate this for you, although it uses a different approach (regular session cookie over http + https, but an additional secure cookie in https, so that someone hijacking your session cannot access your https-only resources.
I've deployed my app on to a Ubuntu VPS using Capistrano, nginx/
Passenger and a wildcard SSL certificate.
The app works fine on development and my staging environment on
Heroku.
However, there are two problems on production when users sign into the
site using a secure page.
On latest Chrome and Firefox the browsers start to enforce HTTPS
requests on every single request every time. Regardless if the user is
signed in or not. Even if I disable SSL on nginx the browser still attempts HTTPS and complains it cannot connect. The main page serves some insecure dynamic embedded
items and uses an insecure CDN so I would like to serve that page as non-
SSL. Whenever I tried to redirect a page to non-SSL either through
nginx rewrite or a before filter in Rails it will cause an infinite
redirect loop.
Safari does not have the first problem as above it respects both
HTTPS and HTTP requests. However, when the user has logged in and
browses to a non-SSL page they are signed out or lose the session
instantly.
Has anyone encountered such a problem before or have an idea on how I could diagnose/fix the problem?
Thanks
Were you using Rails 3.1 force_ssl to enable SSL, or a gem?
When you enabled HTTPS, you also enabled the the HTTP Strict Transport Security flag, which the browse uses to immediately go to any HTTPS page on that domain before it sends the request to the server.
On Chrome, enter chrome://net-internals/#hsts into your browser and then you can delete your domain from the HSTS list which should fix it for Chrome. Can't speak for Firefox as I don't use it that often.
The issue with it losing session is likely because Rails is setting the authentication cookie as secure which means they are only sent for HTTPS requests and not HTTP. Make sure your cookie_options in Rails are not setting :secure => true. Also check the Devise cookie_options setting to ensure that :secure => true isn't being set.