Using Varnish in a Symfony Application? - symfony1

My goal is to use Varnish to cache my static assets with my Symfony 1.4 site (http://my.perqworks.com).
I can write a VCL file that strips out cookies on all static files while leaving the user authentication cookie on the php file -- but the user authentication is failing. I cannot log into my application.
I am looking for an answer that describes how to use Varnish to cache static files while allowing my Symfony application to log in and support user authentication.
Currently I am using something like this:
if (req.url ~ "\.(png|gif|jpg|swf|css|js)$") {
    unset req.http.cookie;
}

A different, but perhaps better, approach would be to serve your static content from a different domain or subdomain that has no cookies set. If your website is "example.org", then instead of setting cookies for ".example.org" you would set them for "www.example.org", and put static content on "static.example.org".
As well as making your setup easier to manage, this would make the client's HTTP requests for static items smaller, which is one of the YSlow recommendations.

Related

Gitlab Pages and cookies

I am thinking about hosting my static website using gitlab pages.
The website is completely static, no dynamic contents (besides me updating it from time to time).
Now I am wondering: Since I am in the EU, I have to add a cookie Banner if applicable. Looking at my websites request headers, I can see the following cookie:
gitlab-pages=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_UbWI8oEm_Rl-pfIPpynNRNoM1U=
I am wondering:
What does this cookie do?
Can I disable it somehow?
If I cannot disable it, do I have to make a cookie banner?

Is it Secure to Use Token Authentication and Let Users Execute Custom Javascript Code on Subdomains

I am helping to create a Rails app that uses Ember for a front end MVC. For the app, it is hosting user content accessed via subdomains. On the subdomains, the user can upload custom JS and CSS. What I'm wondering about is if token authentication on the root domain will be safe if stored in Ember from the custom JS people could upload and run on their subdomains?
Provided the following:
Don't use cookies on *.domain.com or use cookies at all.
They can't run (or really display it unescaped in any way) the JS/CSS on your main site.
The ember app with your token doesn't run on their sub-domain (obviously).
They can't put HTML in a file with a different extension or even Content-Type on your subdomain (or you aren't using cookies). They could direct a user's web browser there and it'd display the HTML. Be wary of phishing though (looks like it's your secure content). I can't imagine you could prevent this easily other than not using cookies -- without 100% ensuring properly formatted JS/CSS which would present all kinds of problems.
You can limit cookies to domain.com and www.domain.com, but I don't recommend it (prone to mistakes). If you don't somebody can make a GET request through CSS or ie. an image tag (not to mention JavaScript) and it'll send the authenticated cookies to your server. Remember unescaped input in their app can leave holes too.
If your token is stored in ember, and they have access to custom JS where the app is running of course it'll leave your token vulnerable. If you run your ember app only on the www.domain.com, avoid cookies, storing the token only locally/in JS, you might be okay.
If they just put HTML code in a file with another extension and direct people there it'll be interpreted as HTML.
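The two answers above (the cookieless static subdomain for Varnish, and the warning about cookies on *.domain.com reaching user subdomains) both come down to how a browser scopes a cookie's Domain. The following is an added example, not code from any of the posts, that models the RFC 6265 matching rules on constructed Set-Cookie headers and hostnames; all names are assumed:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # host the cookie is scoped to, without a leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or ends with '.' + domain."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Store a Set-Cookie header received from request_host the way a browser does.
    Only the cookie name and the Domain attribute matter for this example."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lower().lstrip(".")  # leading dot is ignored
            if not domain_matches(request_host, domain):
                raise ValueError("browser rejects a Domain that does not cover the host")
            return Cookie(name, domain, host_only=False)
    # No Domain attribute: host-only cookie, sent back to exactly this host.
    return Cookie(name, request_host.lower(), host_only=True)


def cookies_sent_to(request_host: str, jar) -> list:
    """Names of the cookies a browser attaches to a request for request_host
    (RFC 6265 section 5.4: host-only cookies need an exact host match)."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


# Constructed sample: the same session cookie set by www.example.org in two ways.
HOST_ONLY = parse_set_cookie("symfony=abc123; Path=/; HttpOnly", "www.example.org")
WHOLE_SITE = parse_set_cookie("symfony=abc123; Domain=.example.org; Path=/", "www.example.org")

if __name__ == "__main__":
    for host in ("www.example.org", "static.example.org", "user42.example.org"):
        print(host, cookies_sent_to(host, [HOST_ONLY]), cookies_sent_to(host, [WHOLE_SITE]))
```

With the host-only cookie, static.example.org and user42.example.org receive nothing; with Domain=.example.org they receive the session cookie, which is exactly what both answers warn about.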

TYPO3: Howto share session / cookies between domains (one for each language )?

I wonder if there's a way to tell TYPO3 to share the sessions / cookies between different domains?
We wrote an Extbase extension on a multi language / multi domain site.
We store search words from a search form in the user session. If the user switches the page language, he should get the same results as before, without the need to re-fill the search form.
One way would be to tell the browser to store several cookies at the same time - one for each domain/language. How can this be achieved with TYPO3 / Extbase?
By default, there is no way to set cookies for a different domain - not with or without TYPO3. This is a security measure implemented in every browser (or do you want me to set / read your cookies from yourbank.com when you visit my web site? ;-))
You have to create some helper script that does this for you. One way could be:
example.com is loaded
this page includes an iframe to a PHP script (or TYPO3 site, e.g. with eID) on example.org with a GET parameter containing the session id
the script loaded from example.org reads the GET parameter and sets a cookie with that session id (or whatever parameter you want to transfer).
afterwards the cookie is also available when browsing example.org
I have never tried this, but I'm pretty sure it will work with PHP. Maybe it's even possible with pure JavaScript, but I'm not so sure. In every case, think about what security holes you get with the explained script. In doubt sign the parameters (or require a token)!

Delete Rails session cookies from Wordpress and vice versa

We are designing an application that will use Rails and Wordpress to interact with each other. We would like to have a universal logout where you could logout from either application and it would delete cookies from the other app. They will share the same host and toplevel domain. Is there a way to do this?
Access to a cookie is dependent on the domain of the server attempting to read the request -- and potentially the domain specified in the cookie. So assuming the domains match (e.g. www.example.com and www.example.com on both blog and Rails app) either should have access to a cookie set by the other.
If this is not the case (e.g. blog.example.com, www.example.com), you'll need to make sure when the cookie is set in either place, it's set for the entire domain (e.g. .example.com). But this doesn't help: while Rails can delete WP's cookie, and vice-versa, the method for creating (and using) them needs to be mutually understood.
So there's a twist here, since this is a session cookie; in this case, the cookie (which either app should have access to) is setting a value that is used and interpreted on the server side, where sessions are managed. WordPress and Rails both use different methods and look for different cookies.
A solution (idea) would be to have one or the other subsystem catch incoming requests (most likely WP, and probably through some .htaccess RewriteRule, assuming you're using Apache) and create an intermediate cookie that the other could check that provides sufficient proof that the user has logged in correctly. WP's PHP for this is pretty good, and easily extended -- you just need to create some token that's a shared secret between the two apps (one of the values in wp-config.php such as LOGGED_IN_KEY might be a good option).
Maybe a solution would be to take the publicly available value from the WP cookie for username, and append the shared secret value and (in both systems) create an MD5 hash to store in a cookie. In this case, Rails' authentication would subordinate to WP's, so you would need to make sure Rails knew to delegate things like forgotten password, changed password, etc, to WP's mechanisms.
Obviously I am thinking aloud, but maybe this is a path to consider.
In any case, this is preferable to having both systems know how to trust the other's authentication.
Fiddling with cookie deletion appears to be dirty and error prone.
You might rather want to have a look at auth providers and the according plugins such as:
OAuth (WP - Rails; maybe make either side an OAuth provider)
CAS (WP - Rails)
LDAP (WP - Rails)
...
Maybe it's an option to switch from WP to one of the Rails CMSs like:
Refinery CMS
Typo
...
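Both the TYPO3 answer ("in doubt sign the parameters") and the WordPress/Rails answer (a cookie built from the username plus a shared secret) need the same building block: a value one system issues and the other can verify without trusting the URL or cookie itself. The following is an added example, not code from either answer, and it uses an HMAC with an embedded expiry in place of the plain MD5 hash the Rails answer sketches; the secret, subjects and timestamps are constructed placeholders:

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: both systems load the same long random secret from config.
SHARED_SECRET = b"replace-with-a-long-random-secret"


def _sign(payload: bytes) -> str:
    """URL-safe base64 of HMAC-SHA256 over the payload, padding stripped."""
    mac = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(subject: str, ttl_seconds: int = 60, now=None) -> str:
    """Run on the side that already knows the user (example.com, or WordPress).
    subject is the value to hand over (username or session id); the expiry is
    inside the signed payload, so the receiver cannot be handed an extended one.
    Keep ttl short: the TYPO3 handoff puts this in a GET parameter, which ends up in logs."""
    now = int(time.time()) if now is None else now
    payload = f"{subject}|{now + ttl_seconds}".encode()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _sign(payload)


def verify_token(token: str, now=None):
    """Run on the receiving side (example.org, or Rails).
    Returns the subject when the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(sig, _sign(payload)):  # constant-time compare
        return None
    subject, _, expiry = payload.decode(errors="replace").rpartition("|")
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return subject


if __name__ == "__main__":
    t = issue_token("user42", now=1700000000)
    print(verify_token(t, now=1700000030))  # user42
    print(verify_token(t, now=1700000100))  # None: expired
```

On the receiving side the verified subject is what gets written into the local session or cookie; the token itself should be treated as single-use and never stored.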

restricting access to static content, urls in grails web-app

I tried looking up any tips for restricting access to static content/partial urls on a web server for my grails web-app but am getting confused about using the element in web.xml, since right now I am using the grails default jetty server (doesn't use web.xml) and the images, css, js etc. are all accessible without any authentication. How do I go about restricting access to
1) all static content directories - only accessible in a valid user session.
2) all intermediate url paths not displaying content in the appropriate format/incorrect content.
It should say like not available/forbidden if the user tries to access above 2 by hitting urls.
Implement your own filters (by URI) in grails-app/conf. For more details see section 6.6 Filters in grails documentation
... off the top of my head I'd try the spring-security plugin, it has options for restricting access on per url basis. Good start is here the screencast
