I have captured the "FEDAUTH" security cookie (using Fiddler) while browsing my ASP.NET 3.5 site with IE 7. Now, I know that the FEDAUTH security cookie is marked with the "HttpOnly" flag, which means that you cannot access this cookie from code. All of the APIs in the stack honor this flag, so you can't get to the FEDAUTH token through code. But .NET includes a CookieContainer class that holds the collection of cookies sent and retrieved from a web request, so all you need to do is simply pass the CookieContainer along from call to call.
My question is: can someone take this cookie and use it in an HTTP request like
```csharp
using System;
using System.Net;
// _uri: the site's base URL, defined elsewhere in the poster's code
CookieContainer cc = new CookieContainer();
cc.SetCookies(new Uri(_uri), "FedAuth=77u/PD94bWwgdmVyhcmVwb2ludC5jb2addfdQ8UD4=; expires=Tue, 01-Jan-2010 02:37:12 GMT; path=/; HttpOnly");
```
We are coping with Orbeon session management:
We have a custom authentication mechanism that works fine on the server (locally), but we get a 403 at every /xforms-server call after login when we try to use Orbeon remotely.
Our custom authentication happens at the Tomcat/container level, and the result is a standard JSESSIONID cookie that is present in the response to the login request.
The "funny" thing is that this JSESSIONID is present in every "normal" browser request (for resources) except these, i.e. the ones that try to reach /xforms-server.
It is as if the client-side JavaScript did not set this JSESSIONID cookie for the XHR request.
We already set the cookie forwarding described here.
We already set the cookie path described here.
We already raised the log4j level and Orbeon debug logging, but we only got the same info that we already knew: that the sessionId cookie was not forwarded to the server.
Do you have any idea what else we could do?
You are saying that the JSESSIONID cookie is not sent by the browser for Ajax requests. The cookie isn't set by JavaScript. It is set by the server with a Set-Cookie header. For instance, with Orbeon Forms deployed on /demo, if you clear your cookies, the first time you make a request to the server, in the response you will see:
Set-Cookie: JSESSIONID=FAD4923E960D0C0341BC750265222FB6; Path=/demo; Secure; HttpOnly
Note the Path=/demo. This is the server telling the browser "don't send the cookie unless it is a request under /demo". Could you try clearing your cookies and checking what the header looks like? Does it include the path used for the Ajax request?
It might go without saying, but I'll say it anyway ;), in addition to the path, you need to make sure that Ajax requests go to the same server from which the page was loaded, otherwise you have no chance that the browser will send the cookie.
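To make the two rules in that answer concrete (path matching and same-host delivery, plus the Secure flag on the header shown), here is an added example in Ruby that is not part of the Orbeon thread. It models the browser's decision of which stored cookies to attach to a request, following the path-match and cookie-selection rules of RFC 6265. The host name `forms.example.test` and the request URLs are constructed; the Set-Cookie value is the one quoted in the answer.

```ruby
# Added example: a minimal model of the browser-side rules that decide whether
# a stored cookie is sent with a request (RFC 6265 sections 5.1.4 and 5.4).
require 'uri'

Cookie = Struct.new(:name, :value, :domain, :path, :secure, :http_only)

# Parse one Set-Cookie header value received in the response to request_uri.
def parse_set_cookie(header, request_uri)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  c = Cookie.new(name, value, request_uri.host, nil, false, false)
  attrs.each do |a|
    k, v = a.split('=', 2)
    case k.downcase
    when 'path' then c.path = v
    when 'secure' then c.secure = true
    when 'httponly' then c.http_only = true
    end
  end
  # No Path attribute: the default path is the request path up to its last '/'.
  c.path ||= default_path(request_uri.path)
  c
end

def default_path(path)
  return '/' if path.nil? || path.empty? || !path.start_with?('/')
  idx = path.rindex('/')
  idx.zero? ? '/' : path[0...idx]
end

# RFC 6265 5.1.4 path-match: equal, or a prefix that ends on a '/' boundary.
# This is why Path=/demo matches /demo/xforms-server but not /demonstration.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Names of the stored cookies the browser would attach to a request for uri:
# same host, matching path, and (for Secure cookies) an https scheme.
def cookies_for(jar, uri)
  jar.select do |c|
    c.domain == uri.host &&
      path_match?(uri.path, c.path) &&
      (!c.secure || uri.scheme == 'https')
  end.map(&:name)
end

# Constructed sample: the header from the answer, received on the first page
# load under /demo of a hypothetical host.
FIRST_REQUEST = URI('https://forms.example.test/demo/home')
JAR = [parse_set_cookie(
  'JSESSIONID=FAD4923E960D0C0341BC750265222FB6; Path=/demo; Secure; HttpOnly',
  FIRST_REQUEST
)]

if __FILE__ == $PROGRAM_NAME
  [
    'https://forms.example.test/demo/xforms-server',  # sent
    'https://forms.example.test/xforms-server',       # wrong path: not sent
    'https://forms.example.test/demonstration',       # prefix but no '/' boundary
    'http://forms.example.test/demo/xforms-server',   # Secure cookie over http
    'https://other.example.test/demo/xforms-server'   # different host
  ].each { |u| puts "#{u} -> #{cookies_for(JAR, URI(u)).inspect}" }
end
```

The HttpOnly flag is parsed but does not influence `cookies_for`: it only restricts script access to the cookie, not whether the browser attaches it to a request, which is exactly why an Ajax call that is missing the cookie points to the path or the host rather than to HttpOnly.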
Correct me if I'm wrong, but cookies are just special Set-Cookie: headers, right? Maybe I'm missing something, but that always seemed like the case to me. If I set up a Rails API application and want to support sending HttpOnly cookies (e.g. headers; also assume I've got CORS and everything set up on the client, etc.), I should be able to do this, correct?
Basically, my questions are these:
Does bringing back ActionDispatch::Cookies into my middleware and adding include ::ActionController::Cookies in my application controller totally defeat the purpose of an API application?
If it does, can I just send an HttpOnly cookie through the headers manually?
And if that is so, is it a much bigger hassle to manage cookie headers manually? Does what I'm gaining from leaving the cookie middleware out outweigh handling them manually, if all I really need to do is send one HttpOnly refresh token?
So I don't need to add back any middleware or include any classes for cookies. I can use response.set_header to send a cookie. However, this only lets you send one Set-Cookie header, because it will overwrite the last header you set with Set-Cookie as the key. Instead, you have access to response.set_cookie, which will let you set multiple cookies with each set_cookie call. It also comes with some options that you can set that you would otherwise have to add to the value of the header you were sending manually with set_header.
Here's an example I used that allowed me to send a cookie:
```ruby
# Rails controller action: ActionDispatch::Response#set_cookie appends one
# Set-Cookie header per call; 7.days.from_now needs ActiveSupport.
response.set_cookie(
  :jwt,
  {
    value: 'this could be a token or whatever cookie value you wanted.',
    expires: 7.days.from_now,
    path: '/api/v1/auth',
    httponly: true
  }
)
```
Check the documentation for this method for other options, because there are others.
EDIT: I was having an issue where the cookie was getting sent in the response but not saved (still). It wasn't showing up in the cookie storage so I changed the path of the cookie getting sent to / and then it showed up. I deleted it and then changed the cookie's path to /my/real/path and it worked and was stored in cookie storage. Go figure.
This is my setup:
- 1 authentication server which gives out a JWT token on successful authentication.
- Multiple API resource servers which give information (when the user is authenticated).
Now I want to build my ASP.NET MVC frontend. Is it ok to take the token, which I receive after authentication, and put it in a cookie so I can access it with every secured call I need to make? I use the RestSharp DLL for doing my http calls. If it has a security flaw, then where should I store my token?
I would use this code for the cookie:
```csharp
System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web.HttpCookie("Token")
{
    Value = token.access_token,
    HttpOnly = true
});
```
You’re on the right path! The cookie should always have the HttpOnly flag, setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.
You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.
You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.
I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:
Token Based Authentication for Single Page Apps (SPAs)
https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/
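The answer above names three controls: HttpOnly on the token cookie, Secure in production, and a second cookie whose value must be supplied on every request as the CSRF defence. The following is an added example, in Ruby and framework-free rather than the poster's ASP.NET MVC stack, that shows the second-cookie pattern end to end: which cookies a page script can see, what a legitimate same-origin request carries, and why a cross-site request that the browser decorates with cookies still fails. The cookie and header names (`XSRF-TOKEN`, `X-XSRF-TOKEN`) and the JWT string are constructed for the example.

```ruby
# Added example: the "value in another cookie, supplied on every request"
# CSRF pattern (double-submit token), modelled without a web framework.
require 'securerandom'
require 'openssl'

CSRF_COOKIE = 'XSRF-TOKEN'     # constructed names, not from the answer
CSRF_HEADER = 'X-XSRF-TOKEN'

# Server side: the Set-Cookie headers issued after a successful login.
# The token cookie is HttpOnly so page script cannot read it; the CSRF cookie
# deliberately is not, because same-origin script has to read it to echo it.
def issue_cookies(jwt)
  token = SecureRandom.hex(32)
  [
    "jwt=#{jwt}; Path=/; Secure; HttpOnly",
    "#{CSRF_COOKIE}=#{token}; Path=/; Secure"
  ]
end

# What document.cookie would expose to a page script: everything except the
# HttpOnly cookies.
def script_visible_cookies(set_cookie_headers)
  set_cookie_headers.reject { |h| h =~ /;\s*HttpOnly\b/i }
                    .map { |h| h.split(';').first }
end

# Browser model: the jar the browser keeps, sent automatically with every
# request to the site, including requests a cross-site page triggers.
def browser_jar(set_cookie_headers)
  Hash[set_cookie_headers.map { |h| h.split(';').first.split('=', 2) }]
end

# Constant-time comparison: compare keyed digests of both strings so that the
# comparison time does not depend on where the first differing byte sits.
def same_token?(a, b)
  return false if a.bytesize != b.bytesize
  k = SecureRandom.random_bytes(32)
  OpenSSL::HMAC.digest('SHA256', k, a) == OpenSSL::HMAC.digest('SHA256', k, b)
end

# Server side check for a state-changing request. The cookie arrives with any
# request the browser sends; the header can only be added by script that
# could read the cookie, i.e. script running on the site's own origin.
def csrf_ok?(request_cookies, request_headers)
  c = request_cookies[CSRF_COOKIE]
  h = request_headers[CSRF_HEADER]
  return false if c.nil? || h.nil?
  same_token?(c, h)
end

if __FILE__ == $PROGRAM_NAME
  headers = issue_cookies('eyJ.constructed.jwt')
  jar = browser_jar(headers)
  puts "script sees: #{script_visible_cookies(headers).inspect}"
  puts "same-origin request:  #{csrf_ok?(jar, CSRF_HEADER => jar[CSRF_COOKIE])}"
  puts "cross-site request:   #{csrf_ok?(jar, {})}"   # cookies sent, header absent
end
```

The check is only meaningful because the token cookie and the JWT cookie are separate: the HttpOnly JWT is never readable by script, while the CSRF cookie is readable but useless to a cross-site page, which can make the browser send it but cannot read it to copy it into a header.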
Are you generating your own JWTs?
If yes, you should consider using a signing algorithm based on asymmetric encryption, like "RS256" or "RS512" -- this way you can verify the claims in your client application without sharing the private secret.
Do you really need to pass the JWT into the Cookie?
It might be safer to just put a random id in your Cookie, which references the JWT access token, and do the de-referencing magic on the server which serves your web-app.
On my client side (controller of the MVC application) I am using the code below to set the cookie value:
```csharp
// Poster's code: the cookie is added to the Request, which is what the answer corrects
HttpCookie cookie = new HttpCookie("TestCookie");
cookie.Value = "Test";
HttpContext.Request.Cookies.Add(cookie);
```
I am also setting the cookie value in the request header. This is done when I am configuring the Breeze entityManager. I use Breeze queries to get data from the Web API.
```javascript
'Cookie': UserProfileID = config.getCookies('UserProfileID')
```
But in the Web API, I always find that there are no cookies present in the request header.
```csharp
request.Headers.GetCookies("UserProfileID").FirstOrDefault()
```
To set a cookie, you need to add it to the Response object, not the Request.
```csharp
var cookie = new HttpCookie("TestCookie");
cookie.Value = "Test";
HttpContext.Response.Cookies.Add(cookie);
```
Upon more research, I found this question. The answer provides some insight about the nature of Web API:
There's not a whole lot to work with here, but generally speaking, Web API diverges from MVC mostly in that it's fully REST-compliant, whereas MVC is not. REST-compliant applications are stateless (in other words: no session, no cookies, etc.). Everything the API endpoint needs must be sent along with the request either in the URL, the request headers or the request body. That means you could send the value of the cookie (not the cookie, itself) in the query string of a GET request or the body of a POST, or as is typical with REST API auth, as an Authorization HTTP header.
So to get your desired result, you would need to extract the value of the cookie on the client in your MVC application, then send it along as part of the data of your API request, or use an Authorization HTTP header as suggested.
I have an ASP.NET MVC application. In this, after the user signs in, we set a cookie for the user who logged in using FormsAuthentication.SetAuthCookie(userName, false).
On another page we get the cookie using FormsAuthentication.GetAuthCookie(userName).
This cookie's value as a string is then set in
```csharp
Response.Cookies["username"].Value = cookiesvalue;
```
We have an .aspx page in the same application that downloads a Silverlight application. Silverlight reads the cookies using the code
```csharp
string[] cookies = HtmlPage.Document.Cookies.Split(';');
```
The problem is that once the session expires in the application, Silverlight cannot read the cookie value.
After the session expires we again set the cookie in the headers using
```csharp
Response.Cookies["username"].Value = cookiesvalue;
```
But still the Silverlight application cannot read this cookie.
Thanks in Advance
DNM
The authentication cookie (the one set with FormsAuthentication.SetAuthCookie(userName, false)) is a special cookie. It is encrypted using the machine key on the server and it can only be manipulated by the server. Silverlight executes on the client side, which explains why you cannot decrypt the username stored inside this cookie.
Just imagine for a moment that you could read and modify the value of this cookie on the client side: this would mean that you could impersonate any user.
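To illustrate the property that answer relies on, here is an added example in Ruby; it is not the Forms Authentication ticket format and not code from the thread. The ticket (username and expiry) is encrypted with AES-256-CBC and then authenticated with HMAC-SHA256 under keys that only the server holds, which is the role the ASP.NET machine key plays. Client-side code can see the cookie string but cannot recover the username from it, and any byte it changes makes the server reject the ticket. The key strings and the sample username are constructed.

```ruby
# Added example: a server-only-key protected authentication ticket
# (encrypt-then-MAC), showing why the client can neither read nor alter it.
require 'openssl'
require 'base64'
require 'json'

# Constructed server-side secrets; in practice loaded from configuration.
ENC_KEY = OpenSSL::Digest::SHA256.digest('constructed-encryption-key')
MAC_KEY = OpenSSL::Digest::SHA256.digest('constructed-mac-key')
IV_LEN  = 16
MAC_LEN = 32

# Compare two byte strings without an early exit on the first mismatch.
def constant_time_equal?(a, b)
  return false if a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server: build the cookie value for a signed-in user.
def issue_ticket(username, ttl_seconds, now = Time.now.to_i)
  payload = JSON.generate('user' => username, 'exp' => now + ttl_seconds)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv                       # fresh random IV per ticket
  body = iv + cipher.update(payload) + cipher.final
  mac = OpenSSL::HMAC.digest('SHA256', MAC_KEY, body)   # MAC over IV + ciphertext
  Base64.strict_encode64(body + mac)
end

# Server: read a cookie value back. Returns the username, or nil when the
# value is malformed, forged, altered, or expired. The MAC is verified before
# any decryption is attempted.
def read_ticket(cookie_value, now = Time.now.to_i)
  raw = Base64.strict_decode64(cookie_value)
  return nil if raw.bytesize < IV_LEN + 16 + MAC_LEN
  body = raw[0...-MAC_LEN]
  mac  = raw[-MAC_LEN..-1]
  expected = OpenSSL::HMAC.digest('SHA256', MAC_KEY, body)
  return nil unless constant_time_equal?(expected, mac)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = ENC_KEY
  cipher.iv = body[0, IV_LEN]
  payload = JSON.parse(cipher.update(body[IV_LEN..-1]) + cipher.final)
  return nil if payload['exp'] <= now
  payload['user']
rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# Client-side view: code without the keys can only change bytes blindly.
# Flipping a single bit inside the ciphertext is enough for the MAC to fail.
def tampered(cookie_value)
  raw = Base64.strict_decode64(cookie_value)
  raw.setbyte(IV_LEN + 4, raw.getbyte(IV_LEN + 4) ^ 0x01)
  Base64.strict_encode64(raw)
end

if __FILE__ == $PROGRAM_NAME
  t = issue_ticket('alice', 3600)
  puts "cookie value as the client sees it: #{t}"
  puts "server reads: #{read_ticket(t).inspect}"
  puts "after client-side tampering: #{read_ticket(tampered(t)).inspect}"
end
```

Two points carry over to the question: a second cookie that merely copies the user name out of the protected ticket (as the poster does with Response.Cookies["username"]) has none of this protection, and a ticket past its expiry is rejected even when every byte is intact, which is the behaviour the poster observed once the session expired.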