You log in to an application and the server sets the following cookie:
Set-cookie: sess=ab11298f7eg14;
When you click the logout button, this causes the following client-side script to execute:
document.cookie="sess="; document.location="/"; What conclusion would you draw from this behaviour?
That they are using session ids stored in a cookie for authorization. When you logout, they reset the value of the cookie named "sess" (the wrong way, they should use a negative expiration date instead of a empty value to delete it). They den redirect you to "/", ie their start page.
Related
I'm using the omniauth-google-oauth2 gem to sign in users with Google.
After the oauth response is handled in controller, the user is redirected to another page: /dashboard. When landing on this page - a octothorpe (aka a hash/number/pound) character is added to the URL:
https://myapp.tld/dashboard#
From what it seems, that pound sign is somehow coming with the oauth response. But I cannot gather how and why it consequently gets passed on to the final page.
Any clues how this happens OR otherwise how to clear a redirect from passing that character?
Make sure your response type is set to code in the URL you are providing the user.
response_type=code
Does anyone has any information about s_sess cookie. All I can find is that it's a performance cookie.
The issue here is : My client has 2 websites, one of them is storing the value of query string parameter "cid" in s_sess cookie while the other site is not. Both of them has same adobe analytics code and both sites are on third party cookies.
Many of Adobe's plugins make use of the s.c_r() and s.c_w() (legacy H code) or s.Util.cookieRead() and s.Util.cookieWrite() (AppMeasurement) functions, which are for reading/writing cookies, respectively. Out of the box, you specify a cookie name and it writes to that cookie namespace.
However, Adobe also has a "combined" cookie plugin. With this plugin, all cookie reading/writing with the above functions are instead written to one of two cookies:
s_sess - This cookie is for session scoped "cookies"
s_pers - This cookie is for "cookies" that persist longer than session
So for example, let's say on the following page:
http://www.yoursite.com/index.html?cid=some_code
And in your AA code, you have the following:
// look for cid= param to put into campaign variable
s.campaign = s.Util.getQueryParam('cid');
// use getValOnce plugin to make sure duplicate values do not pop it again
s.campaign = s.getValOnce(s.campaign, 'cid', 0);
Without the combined cookies function, you will see a cookie named "cid" in document.cookies with value of "some_code" set to expire on Session.
But with the combined cookies function, you will not see a cookie named "cid". Instead, you will see a cookie named "s_sess" with a value like this:
// encoded
%20cid=some_code%3B
// unencoded
cid=some_code;
Or, if you use a plugin that makes use of s.c_w or s.Util.cookieWrite for longer than Session, you will instead see the s_pers cookie populated the same way, but with a timestamp value thrown into the mix, e.g.
// encoded
%20cid=some_code%7C1519759520136%3B
// unencoded
cid=some_code|1519759520136;
Multiple "cookies" are separated by (unencoded) "; " (similar to document.cookie)
But why do I see it on one site but not the other?
Assuming your implementation is in fact identical, my guess based on what you posted vs. common implementations is you have code similar to my example above: You grab cid= param for campaign tracking and make use of getValOnce or some other plugin that pushes the value to a cookie, and you went to siteA page with a campaign code (cid= param) but not siteB.
I have a website built from Ember.js. A user can access a page through URL http://..../view?showTitle=true. However I don't want to explicitly expose the parameter showTitle=true to the user (meaning user will only see http://..../view). This URL is automatically generated and serves as a redirect destination URL. So, I have to remove it manually somewhere before the page load. But I still need this value of this query parameter to query data. Is there a way to achieve that (A example would be great)? What about do it without refreshing the router?
Actually, an example of your scenario would be greater :)
There are some other ways to store data while transitioning to a route. Such as: storing the params in transition object or storing the value in a service. Create a redirection route, use beforeModel hook to grab the value from query params then do a redirection to the real route.
A working example is: ember-twiddle-1
By the way, even if you don't describe your queryParamsin your routes, you can access them via transition.queryParams. This seems a bit hacky. But it works: ember-twiddle-2 (Note: It doesn't work in the same route.)
Updated:
At the setupController hook you can override the controller parameters. So you can remove the parameters from the url. ember-twiddle-3
our front end guy needs to form a url containing the hash, (i.e, http://blah/#some-link.) when we hit this on the browser and inspect the http traffic using fiddler, we saw that everything after blah/ gets removed, so the request is really just http://blah/. we also confirmed this on our server eclipse debug log.
the request gets redirected to the correct login page by Spring security(because user hasn't logged in), but the url on the browser now shows:
http://blah/some-link (the hash got removed) but the url on the browser should really be http://blah/log-in.
any idea why this is? any fix or workaround? thanks in advance.
URI part after # is called a fragment:
URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
Scheme and hier-part identify the location of a document, and fragment helps the browser to identify a location inside this document.
Fragment is stripped from URI by client software before it is sent as a part of request.
From RFC3986:
the fragment identifier is not used in the scheme-specific
processing of a URI; instead, the fragment identifier is separated
from the rest of the URI prior to a dereference, and thus the
identifying information within the fragment itself is dereferenced
solely by the user agent, regardless of the URI scheme. Although
this separate handling is often perceived to be a loss of
information, particularly for accurate redirection of references as
resources move over time, it also serves to prevent information
providers from denying reference authors the right to refer to
information within a resource selectively.
Content after the # is only used on the client side, per HTTP specification. If you require that information on the server, you can either use a different separator, or you can submit it via ajax after the page has loaded by reading it on the client with javascript.
The part of the URI including and after the hash (#) is never sent to the server as part of the HTTP request.
The reason is that the hash identifier was originally designed to point at references within the given web page and not to new resources on the server.
If you want to get the hash identifier, you'll have to use some client-side JavaScript to grab the value and submit it with the form.
Hashmark is removed from URL when the back button is clicked in IE9, IE10 or IE11
In IE10 , first time on clicking the HREF link leads to the correct below url:
http://www.example.com/yy/zz/ff/paul.html#20007_14
If back button is clicked again the, then it comes to the below url:
http://www.example.com/yy/zz/ff/paul.html
Solution :
Please change the url with https
It works for me
you can do this with javascript
<script>
if(window.location.hash) {
console.log(window.location.hash);
window.location.hash = window.location.hash;
}
</script>
I just did a quick test with a simple ASP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken and cookies __RequestVerificationToken_Lw__ must contain same value that generated by Html.AntiForgeryToken(). But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie seemed not use salt value for generating the cookies. Was there any change in MVC 3?
Forgot to say that I could still log on successfully with both normal or Ajax POST request.
Here is raw log from Fiddle:
POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=
__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false
what makes you think they should be the same ? :) of course, they must me comparable in some way, but that doesnt mean they must look identical in their serialized form. There is different set of data serialized to cookie (i think only the "salt" and token) and to HTML markup (salt, token, creation time, username).
If you are interested in details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer, System.Web.Mvc.AntiForgeryData and OnAuthorization method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute
The article you are referencing in your question is simply wrong, because the hidden field anti forgery token will never be the same as anti forgery cookie value.
Added value of my answer is the link to interesting article which describes ASP.NET anti-forgery token internals. It, among others, provides clear steps to decode and decrypt cookie/form token:
BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue))
... and subsequent steps in order to match the cookie and form tokens.