I have two domains: domain1 and domain2.
Let's assume the customer's browser has a cookie for domain2.
The customer is surfing on domain1 and is being redirected to domain2 via a form (POST method). Is there any way to send a cookie from domain2 with this redirection request?
I have a web app on domain a.com that requires authentication via an SSO service, with a return URL, on domain b.com.
The SSO service receives the request from the browser and returns a cookie to the specified return URL.
However, because the app domain and the SSO service domain are different, I'm unable to set the cookie in the browser for the app on domain a.com due to the cross-domain cookie restriction.
I have been trying to use nginx as a reverse proxy, whereby the call to the SSO service is made via a proxy running in the same domain as the app, which then returns a 301 to the SSO service on domain b.com.
I'm struggling to work out how I then process the return response from the SSO service in order to set the domain on the cookie to the a.com domain.
Any help appreciated!
My server block in nginx:
server {
    listen 3002;
    server_name server.a.com;
    location / {
        # Send every request to the SSO logon; the SSO service returns the browser to the app on a.com
        return 301 https://sso.b.com/Logon/v1/auto?returnUrl=https://service.a.com/Home;
    }
}
Imagine the following scenario:
The user goes to http://example.com
The server redirects to the secure version https://example.com using a temporary redirect (status 302)
https://example.com responds with an HTTP basic auth challenge (status 401)
The user successfully provides username/password and access is granted (the browser stores these credentials in its internal cache)
What happens if the user follows a link to the unsecured version of the website (http://example.com)?
Would the credentials be exposed due to the clear-text HTTP request?
Are HTTP credentials and HTTPS credentials stored in separate "buckets" by the browser?
Technically, the two URLs belong to different origins so the credentials should not be shared. But I could not find any confirmation of this online.
Are HTTP credentials and HTTPS credentials stored in separate "buckets" by the browser?
Yes, and those buckets are officially called 'origins'. Specifications like HTML, JavaScript, HTTP and URIs talk about origins, but the bucket is effectively the URI minus the path.
So for https://example.org/foo/bar, the origin is https://example.org
So this includes:
The scheme (http / https).
The domain
The port
So in your example the 2 relevant origins / buckets are http://example.com and https://example.com and they are separate.
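As an added example that is not part of the original answer, here is a small model of the browser's HTTP Basic credential cache keyed by origin, built on Node's WHATWG URL parser. It shows that credentials accepted on https://example.com are not attached to a later request to http://example.com, and that an explicit default port (:443) still maps to the same origin while a non-default port does not. The usernames, passwords and URLs are constructed for the demonstration; real browsers additionally scope Basic credentials by realm and path prefix (the RFC 7617 protection space), which this model leaves out.

```javascript
// Added example: browser-style Basic auth cache keyed by origin.
// The origin is scheme + host + port. URL.origin lower-cases the host and
// drops default ports, so https://EXAMPLE.com:443/ and https://example.com/x
// share one origin.
function originOf(url) {
  const origin = new URL(url).origin;
  if (origin === 'null') {
    throw new Error(`opaque origin for ${url}`);
  }
  return origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Minimal model of the HTTP Basic auth cache: credentials are stored per
// origin and only attached to requests that map to the same origin.
class BasicAuthCache {
  constructor() {
    this.byOrigin = new Map();
  }

  // Called once a 401 challenge on `url` has been answered successfully.
  remember(url, username, password) {
    this.byOrigin.set(originOf(url), { username, password });
  }

  // Returns the Authorization header value the browser would send
  // preemptively for `url`, or null if nothing is cached for that origin.
  authorizationFor(url) {
    const creds = this.byOrigin.get(originOf(url));
    if (!creds) return null;
    const token = Buffer.from(`${creds.username}:${creds.password}`, 'utf8').toString('base64');
    return `Basic ${token}`;
  }
}

// The scenario from the question, with constructed credentials.
function scenario() {
  const cache = new BasicAuthCache();
  // http://example.com -> 302 -> https://example.com -> 401 -> credentials accepted
  cache.remember('https://example.com/', 'alice', 's3cret');
  return {
    // following a link back to the clear-text site: nothing cached for http://example.com
    sentOverHttp: cache.authorizationFor('http://example.com/account'),
    // same origin as the one where the challenge was answered: header attached
    sentOverHttps: cache.authorizationFor('https://example.com/account'),
    // explicit default port still maps to the same origin
    sentOverHttpsPort: cache.authorizationFor('https://example.com:443/account'),
    // a non-default port is yet another origin
    sentOverHttps8443: cache.authorizationFor('https://example.com:8443/account'),
  };
}

console.log(scenario());
```

So the clear-text request in the question carries no Authorization header at all; what it does expose is whatever the unsecured page itself sets or sends (cookies without the Secure flag, for instance), which is a separate problem from the Basic credential cache.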
I am about to move my website/App from https://www.example.xx to https://www.example.com
I am thinking about making a redirection in the .htaccess from the .xx to the .com
The question is shall I renew the https certificate on the .xx bearing in mind that some users might have bookmarks to https://www.example.xx ?
What would happen if a user tries to reach the .xx url on https after the certificate expires and the .htaccess having a redirection to the .com?
If the application is hosted on the same server (assuming you just change the DNS address for your app) and you own both domains, you would need to purchase a single certificate for both URLs, www.example.tld and www.example.com, and bind this certificate to the web site.
And you will have to maintain both URLs in the certificate until all users update their bookmarks to point to the new web site.
HTTPS redirection requires a valid SSL certificate for every redirection URL.
Is it possible to delete cookie in http://domain.com from subdomain http://subdomain.domain.com
You can delete it if the cookie has been set from the domain, or from the same subdomain.
When you make a cookie, one of the parameters is the domain:
Response.Cookies["nameof"].Domain
If you do not set that parameter, then it gets the domain read from the URL.
If this parameter is without a subdomain, e.g. domain.com, then the cookie can be accessed from all subdomains.
If this parameter has a subdomain, e.g. www.domain.com, then it can be accessed only from that one.
I have a site that has a mix of http and https pages. Under the root of the site, one folder has all the http pages and another has all the https pages. Login is over https and sends the user to the other pages. When a session expires the forms authentication redirects to the Login page but the browser uses http and the user gets a 403 error.
Is there any way to override the session timeout to send it to https?
One way is to configure IIS to redirect HTTP traffic to HTTPS:
http://support.microsoft.com/kb/839357
One thing to consider with a mixed mode like that:
There is a common attack on SSL pages, which is making an HTTP request (to an HTTPS resource) in order to obtain the unencrypted session cookie. This is why you want to configure your session cookie as encrypted only (it would not be sent over HTTP). I am guessing that your HTTP and HTTPS pages share a session, which means you can't set this setting, making your site vulnerable to this attack. But it's good to be aware of this.
http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/
Another article you may find helpful:
http://www.west-wind.com/Weblog/posts/4057.aspx
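As an added example, not taken from either answer, the cookie store below implements the RFC 6265 domain-matching rule and the Secure flag, and runs two scenarios from this page: the earlier question of whether a page on subdomain.domain.com can delete a cookie belonging to domain.com, and the mixed HTTP/HTTPS site above, where the point is what a plain-HTTP request carries when the session cookie is and is not marked Secure. Hostnames, cookie names and values are constructed for the demonstration. The store follows what browsers (and RFC 6265bis) do rather than the original RFC 6265 text in one respect: a host-only cookie and a Domain= cookie with the same name are kept as two distinct cookies, which is why the subdomain can clear the one but not the other. Default-path computation is simplified to "/".

```javascript
// Added example: cookie jar with domain matching, host-only cookies and the
// Secure flag, used to test subdomain deletion and the mixed-mode leak.

// RFC 6265 section 5.1.3: `host` domain-matches `domain` if they are equal or
// host ends with "." + domain (both compared lower-cased).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // key: name|domain|path|hostOnly
  }

  // Process one Set-Cookie header received in a response from `requestUrl`.
  // Returns false if the cookie was rejected, true if stored or expired.
  setCookie(requestUrl, header) {
    const url = new URL(requestUrl);
    const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = nameValue.indexOf('=');
    const cookie = {
      name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
      domain: url.hostname.toLowerCase(), hostOnly: true, // no Domain attribute: host-only
      path: '/', secure: false, expired: false,
    };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      switch (k.toLowerCase()) {
        case 'domain': {
          const d = v.replace(/^\./, '').toLowerCase();
          // A Domain the request host does not match makes the browser drop
          // the whole cookie (RFC 6265 section 5.3 step 6).
          if (!domainMatches(url.hostname, d)) return false;
          cookie.domain = d;
          cookie.hostOnly = false;
          break;
        }
        case 'path': cookie.path = v || '/'; break;
        case 'secure': cookie.secure = true; break;
        case 'max-age': cookie.expired = Number(v) <= 0; break;
      }
    }
    // Host-only and domain cookies of the same name are distinct cookies.
    const key = `${cookie.name}|${cookie.domain}|${cookie.path}|${cookie.hostOnly}`;
    if (cookie.expired) this.cookies.delete(key); else this.cookies.set(key, cookie);
    return true;
  }

  // Build the Cookie header a request to `requestUrl` would carry.
  cookieHeaderFor(requestUrl) {
    const url = new URL(requestUrl);
    const host = url.hostname.toLowerCase();
    const sent = [];
    for (const c of this.cookies.values()) {
      const hostOk = c.hostOnly ? host === c.domain : domainMatches(host, c.domain);
      const pathOk = url.pathname.startsWith(c.path);
      // Secure cookies go out on https only; over http they are simply omitted.
      const schemeOk = !c.secure || url.protocol === 'https:';
      if (hostOk && pathOk && schemeOk) sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}

// Scenario 1: what can subdomain.domain.com do to cookies set by domain.com?
function subdomainDeletion() {
  const jar = new CookieJar();
  jar.setCookie('http://domain.com/', 'sess=parent-host-only');                 // host-only
  jar.setCookie('http://domain.com/', 'pref=parent-domain; Domain=domain.com'); // domain cookie
  // A subdomain may set cookies for its parent domain, so an expiry with
  // Domain=domain.com removes the domain cookie ...
  const deletedDomainCookie = jar.setCookie('http://subdomain.domain.com/', 'pref=; Domain=domain.com; Max-Age=0');
  // ... but the host-only cookie is a different cookie and survives both of these.
  jar.setCookie('http://subdomain.domain.com/', 'sess=; Domain=domain.com; Max-Age=0');
  jar.setCookie('http://subdomain.domain.com/', 'sess=; Max-Age=0');
  return {
    deletedDomainCookie,
    parentSees: jar.cookieHeaderFor('http://domain.com/'),
    subdomainSees: jar.cookieHeaderFor('http://subdomain.domain.com/'),
  };
}

// Scenario 2: login over https sets the session cookie; what does a forced
// plain-http request to the same host carry with and without Secure?
function mixedModeLeak() {
  const shared = new CookieJar();
  shared.setCookie('https://site.example/login', 'ASP.NET_SessionId=abc123');
  const hardened = new CookieJar();
  hardened.setCookie('https://site.example/login', 'ASP.NET_SessionId=abc123; Secure');
  return {
    sharedOverHttp: shared.cookieHeaderFor('http://site.example/http-pages/'),
    hardenedOverHttp: hardened.cookieHeaderFor('http://site.example/http-pages/'),
    hardenedOverHttps: hardened.cookieHeaderFor('https://site.example/https-pages/'),
  };
}

console.log(subdomainDeletion(), mixedModeLeak());
```

The second scenario shows both halves of the answer's point: without Secure the session id goes out in clear text on the first http request an attacker can provoke, and with Secure the http pages of the mixed-mode site no longer see the session at all, which is exactly why a site that shares one session across http and https pages cannot simply turn the flag on.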