I need to run my WordPress website inside an iframe from a different domain
But cookies are blocking
How to set SameSite=None; Secure; in WordPress function.php
Related
I have a two websites.One is with django and onother on is wordpress.
I've configured wordpress on a url.For example xyz.com/blog.I handle my django sessions in cookie.
Now I worry about security of my cookie.What if some security issue become in wordpress and the attacker steal my cookies from wordpress blog?
Can I prevent sending cookies for my url?
Cookies will be sent by the browser as long as the domain and the path matches. If you set path to "PathA" cookies will only be sent on requests to /PathA, but not to /PathB or /PathC. But you can't set it to send to all paths except PathA which seems to be what you want. If you only work with two paths such as /blog and /app you can set cookie path to /app and they should never go be included in requests to /blog.
I have an e-commerce Ionic 5 Application connected with the WordPress website.
I get an issue in chrome and safari browsers that block all cookies that not set the SameSite attribute.
this is the message from chrome:
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute
Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests
Screenshoot
from this issue, the application in iOS not able to (add to cart) and it always shows empty.
Any Help?
I am calling API at https://engine-beta.mydomain.com/list* inside http://localhost.mydomain.com website, API response with set-cookie: with domain landing.vahanacloud.com. The browser is ignoring(not saving) this cookie.
But with the same scenario, in API response with set-cookie: with domain .maydomain.com is working fine.
It is because you host domain and you domain is different.
Host Domain: Where the api is deployed.
App Domain: Where you web app is running.
If you save cookie to parent domain, all the sub domain will have access to cookies but siblings domain will not have access to other sibling cookies.
We have a wild card domain hosted on azure. I've setup up subdomain.domain.com to rewrite to domain.com/subdomain. It all works fine.
However when I login to our identity server, once the login process is completed and I am redirected back to subdomain.domain.com it seems like the authentication token is lost.
I can't see how this can be possible. This issue happens with all our identity providers (google, Facebook, Microsoft live)
If I change the setup to use domain.com/subdomain then everything works as expected
The main issue is what type of cookie your identity server places,
It looks like your server places and domain specific cookie, and not a wildcard one.
Cookie domains
Common issue with the cookie for the authentication is the domain for the cookie. Similarly to the paths of the cookies, if the cookies are created on two different subdomains, then the cookie will only be accessible on the domain where it was created. For instance, your main application may be on www.domain.com, but you have Telligent Evolution running on cs.domain.com. If you create the cookie on www.domain.com, the browser will only send it to that domain, and it won’t be passed along when they navigate over to cs.domain.com.
The cookie can be carried over by setting the domain to “.domain.com”. Cookies don’t use the common “*” wild card. Simply use “.domain.com”. With this entry, the browser will not to pass the cookie when it goes over to cs.domain.com as well.
Like the path, the domain can be specified in either the web.config or through code. When setting the web.config file, it will only check for the authorization cookie. You must have this set for the site to correctly recognize the new domain level cookie:
<authentication mode="Forms">
<forms name=".CommunityServer" ... domain=".domain.com" />
</authentication>
The "domain" name is ignored by the FormsAuthentication.SetAuthCookie method, so you must manually set it on your login page when creating the AuthCookie. For example:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = ".domain.com";
Response.Cookies.Add(cookie);
Suppose I have a cookie that is set for .domain.com, and my subdomain is sub.domain.com. Can I delete cookies that are set for the main domain? I know it is possible to read them, but is it possible to delete these cookies, or overwrite their values?
Yes, a subdomain can set/expire a cookie for the main domain, but the main domain cannot set/expire a cookie for a subdomain. See RFC 6265 Sections 5.1.3, 5.3 (see point #6), and 8.6. Section 8.6 in particular describes how a subdomain can set a cookie for the main domain and have it affect a sibling subdomain.