Session Cookie isn't sent to the server - http

I'm trying to emulate access to my company's web service from a Dart file.
Here is my request, in which I try to send the jsessionid cookie to the server:
    taches = await http.post(
      Uri.parse('https://test1.beotic.net/beop3server62/p3servicejson'),
      headers: ({
        "content-type": "application/json-rpc",
        "set-cookie": setcookie
      }),
      body: body
    );
The setcookie variable comes from the response headers of a previous request that I sent to the server with an authentication token. What's inside setcookie looks like this: JSESSIONID=01D68460B589F3B34A9C3208FA6CEA51; Path=/beop3server62; Secure
But it seems that the setcookie variable is never sent to the server, as the response to this last request always contains a different jsessionid cookie in its headers and the body is:

    {"jsonrpc":"2.0","id":"10","error":{"code":0,"message":"The user is not authentified","data":{"exceptionTypeName":"com.beotic.apps.p3.exception.AuthentificationException","message":"The user is not authentified"}}}
I'm quite lost with all this as I tried many different things and none of them seem to work.
Thanks for helping !

Set-Cookie is a response header, not a request header.
Clients should read the Set-Cookie header, use the information in it to store data in their internal cookie jars, then generate Cookie request headers from the cookie jars when making subsequent requests to the same host.
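The Set-Cookie-to-Cookie translation the answer describes, as an added Python example (not code from the original post): it parses a Set-Cookie value shaped like the one quoted in the question, keeps only the name=value pair for the Cookie header, and honours the Path and Secure attributes so a Secure cookie is never sent over plain http. The cookie value is constructed, and host-only cookies are assumed (no Domain attribute handling).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    """What a client keeps from one Set-Cookie header (host-only cookie assumed)."""
    name: str
    value: str
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, default_path: str = "/") -> StoredCookie:
    """Split 'NAME=VALUE; Path=/x; Secure; HttpOnly' into a StoredCookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, secure, http_only = default_path, False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip():
            path = val.strip()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return StoredCookie(name.strip(), value.strip(), path, secure, http_only)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: cookie Path must be a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header_for(jar: list, url: str):
    """Build the Cookie request header for `url`, or None if no stored cookie applies."""
    parts = urlsplit(url)
    request_path = parts.path or "/"
    sendable = [c for c in jar
                if path_matches(c.path, request_path) and (parts.scheme == "https" or not c.secure)]
    return "; ".join(f"{c.name}={c.value}" for c in sendable) or None


# Constructed sample in the shape the question quotes (real session id replaced).
SAMPLE = "JSESSIONID=EXAMPLE0123456789; Path=/beop3server62; Secure"
```

In the Dart request above the same string would go under the header name "cookie", and only the JSESSIONID=... part of it.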

Related

CORS Response Header “Set-Cookie” could not be retrieved

I've set up the React UI in Cloudflare Pages with the custom domain https://ui.example.com. There is a login page that allows users to key in a user name and password. Once they've supplied the info, it uses axios to call an API hosted in Cloudflare Workers at https://apis.example.com, and there I've written sample code to return a Set-Cookie header with the "secret-token" value.
Since Pages and Workers reside in different domains, I've configured the Worker to supply the following values in the API response, in addition to the Set-Cookie header values:
    "Access-Control-Allow-Origin": "*"
    "Access-Control-Allow-Methods": "*"
    "Access-Control-Allow-Headers": "*"
    "Access-Control-Expose-Headers": "Set-Cookie"
But when I check the response headers using a script (console.log) written in my login.jsx, they only contain content-length and content-type. When I check the response in Chrome (Developer Tools' Network tab), the header values listed above do exist.
How can I get the response's header values from the axios call in this case?
You will need to use a different header name.
Set-Cookie is a forbidden response header, which means JavaScript is not permitted to read this header. The browser handles this header (adding the cookie to cookie storage) and then removes it before JavaScript sees the response at all.
Instead, try inventing your own header name, like X-Secret-Token.
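To see why only content-length and content-type survive, here is the browser's filtering rule written out as an added Python example (not code from the question or the answer): Set-Cookie is always stripped, the CORS-safelisted response headers are always readable, and anything else must be named in Access-Control-Expose-Headers (a bare * only counts for requests sent without credentials). The two sample responses are constructed.

```python
# Headers a cross-origin script may always read (Fetch: CORS-safelisted response-header names).
SAFELISTED = {"cache-control", "content-language", "content-length",
              "content-type", "expires", "last-modified", "pragma"}
# Headers a script may never read (Fetch: forbidden response-header names).
FORBIDDEN = {"set-cookie", "set-cookie2"}


def script_visible_headers(response_headers: dict, credentialed: bool) -> dict:
    """Return the subset of `response_headers` a cross-origin script can read (names lower-cased)."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    expose = lower.get("access-control-expose-headers", "")
    exposed = {h.strip().lower() for h in expose.split(",") if h.strip()}
    # '*' exposes every non-forbidden header, but only when the request carried no credentials.
    wildcard = "*" in exposed and not credentialed
    visible = {}
    for name, value in lower.items():
        if name in FORBIDDEN:
            continue  # the browser stored the cookie and hides the header from JS
        if name in SAFELISTED or wildcard or name in exposed:
            visible[name] = value
    return visible


# Constructed response like the one in the question: token delivered via Set-Cookie.
AS_ASKED = {
    "Content-Type": "application/json",
    "Content-Length": "17",
    "Set-Cookie": "secret-token=example-token-value; Path=/; Secure",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Expose-Headers": "Set-Cookie",
}

# Same response with the answer's fix: a custom header name that is explicitly exposed.
AS_ANSWERED = {
    "Content-Type": "application/json",
    "Content-Length": "17",
    "X-Secret-Token": "example-token-value",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Expose-Headers": "X-Secret-Token",
}
```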

What's the difference between Proxy-Authenticate and WWW-Authenticate?

I've read https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication and the Basic Authentication chapter from HTTP: The Definitive Guide.
I thought Proxy-Authenticate + Proxy-Authorization + status code 407 was essentially the same as WWW-Authenticate + Authorization + status code 401. I thought that if the server responded with WWW-Authenticate + 401 or Proxy-Authorization + 407, the browser would pop up an auth dialog in both cases and then send the credentials in the Authorization or Proxy-Authorization header.
The "WWW-Authenticate combination headers" did work as expected, while the "Proxy combination headers" did not. For Proxy-Authorization + 407, I get ERR_UNEXPECTED_PROXY_AUTH in Chrome, and nothing happens in Firefox (no auth dialog pops up!).
Error in Chrome:
This site can’t be reached.
The webpage at http://localhost:5000/http_auth might be temporarily down or it may have moved permanently to a new web address.
ERR_UNEXPECTED_PROXY_AUTH
So what's the difference between these 2 sets of similar headers? When and where do I use Proxy-Authenticate? Practical examples that I can run would be much appreciated.
I am using Python with Flask for testing.
My serverside code:
WWW-Authenticate

    from flask import Flask, request, make_response, render_template

    app = Flask(__name__)

    @app.route('/www_auth')
    def ha():
        print("====request headers begin======")
        print(request.headers)
        print("====request headers end======")
        # 'MTIzOjQ1Ng==' is base64 of '123:456'
        if 'Authorization' in request.headers and request.headers['Authorization'] == 'Basic MTIzOjQ1Ng==':
            return render_template('demo.html')
        else:
            resp = make_response(render_template('demo.html'), 401)
            resp.headers['WWW-Authenticate'] = 'Basic realm="WWW-Authenticate required :)"'
            return resp

Proxy-Authenticate

    @app.route('/proxy_auth')
    def haha():
        print("====request headers begin======")
        print(request.headers)
        print("====request headers end======")
        if 'Proxy-Authorization' in request.headers and request.headers['Proxy-Authorization'] == 'Basic MTIzOjQ1Ng==':
            return render_template('demo.html')
        else:
            resp = make_response(render_template('demo.html'), 407)
            resp.headers['Proxy-Authenticate'] = 'Basic realm="Proxy-Authenticate required :)"'
            return resp
I did some tests and here's what I found. (I took a look at the RFC and, as usual, it's too overwhelming :) )
The Proxy-Authenticate set of headers can indeed result in an auth pop-up dialog too. But it is something that one must manually set in the client/browser first. Specifically, in Firefox for example, it's related to the proxy setting.
The Proxy-Authenticate set of headers is used when you connect to a proxy which needs a username and password.
Attention: You need to set the root path to your proxy function like this:
    @app.route('/')
    def haha():
        # rest of the code
The workflow is:
    -----------------------------------Step 1---------------------------------------------------->
    client/browser <---Step 2, 407,Proxy-Authorization response header, required username and password----------- proxy
    ----Step 3, Proxy-Authorization request headers, contains credentials------------------------> --------> target website
    ----Subsequent requests, Proxy-Authorization request headers with credentials is still sent--> ---------> target website
In this case, the Proxy-Authorization(with credentials) will be sent automatically for each request.
If the server does not require authentication, then the client can visit the target website directly, and there's no Proxy-Authorization header in the request. (Most free HTTP proxies that you find on the Web work in this way, I think.)
I also tried the WWW-Authenticate set of headers while I had set the proxy setting in Firefox. The result is that: Every time I visit a new website, I need to authenticate again. So obviously the WWW-Authenticate set of headers aren't meant to be used in this case.
Any other in-depth opinions/explanation would be appreciated. After all I merely did some tests and I want to know more.
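As an added Python example (not the poster's Flask code), here are the two challenge/credential pairs side by side: the same Basic credential decoder serves both, but which request header is consulted and which status code and challenge header go back depend on whether the responder is the origin server (401 / WWW-Authenticate) or a proxy (407 / Proxy-Authenticate). It decodes the credential instead of comparing the raw base64 string and compares in constant time; the header-name keys of the input dict are assumed to be already canonical.

```python
import base64
import binascii
import hmac

# (credential request header, challenge response header, status) for each responder role.
CHALLENGE = {
    "origin": ("Authorization", "WWW-Authenticate", 401),
    "proxy": ("Proxy-Authorization", "Proxy-Authenticate", 407),
}


def parse_basic(header_value: str):
    """Decode 'Basic base64(user:password)'; None if the scheme or encoding is wrong."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_ok(header_value, expected_user: str, expected_password: str) -> bool:
    parsed = parse_basic(header_value or "")
    if parsed is None:
        return False
    user, password = parsed
    # Constant-time compare of both fields; '&' instead of 'and' so both comparisons always run.
    return hmac.compare_digest(user.encode(), expected_user.encode()) & \
        hmac.compare_digest(password.encode(), expected_password.encode())


def authenticate(request_headers: dict, role: str, realm: str, user: str, password: str):
    """Return (status, headers to add): 200 when the role's credential header fits, else its challenge."""
    cred_header, challenge_header, status = CHALLENGE[role]
    if credentials_ok(request_headers.get(cred_header), user, password):
        return 200, {}
    return status, {challenge_header: f'Basic realm="{realm}"'}
```

The last assertion case worth noting: a request that carries a valid Authorization header still gets a 407 from a proxy-role responder, because the two header pairs are independent.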

Paw: The value of a cookie changes after a request has been sent

I'm trying to send a request with a session cookie, but when the request is sent the value for that cookie changes.
Here is how the cookie looks:
Here is how it looks after the request has been sent:
What is happening?
Sorry for the late answer to this question. The only reason I see for the cookie to change is if the server sends back a Set-Cookie header in the response.
Paw will behave like web browsers by sending by default a Cookie header with the cookies stored for this domain, and will store new cookies when the server sends back a Set-Cookie header.
You can see all cookies stored in Paw by going to the left panel > Sessions > Manage:
Also, please note that you have the ability to disable cookie sending and/or cookie saving for each request in the Request > Options tab:

How to connect to and keep the session alive using python requests

I am trying to login to a site, and then view user details.
The API documentation from the site is:
    LogOn : All Calls with JSON and return JSON type
    post - https://www.bit2c.co.il/Account/LogOn {UserName:'',Password:'',SecondFactor:[optional]}
    return true if OK , error list of strings if not
    Balance - GET https://www.bit2c.co.il/Account/Balance
    return UserBalance as JSON
I've tried connecting to the site using

    import requests

    session = requests.session()
    session.auth = ("username", "pass")
    session.post("https://www.bit2c.co.il/Account/Balance")

but I am getting a 200 response and the response content is "you must login".
What am I doing wrong?
What kind of session? What is on server-side? Can you post the raw request/response pair(s)?
If PHP or ASP runs on server-side, you must capture the Set-Cookie header of the response to the login request, find the session cookie and in consequent requests you must set the Cookie header with the session cookie name and value captured previously.
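The login-then-reuse-session flow the answer describes, as an added Python example (not code from the question or from the site's API): a small local stand-in for the LogOn and Balance endpoints issues a session id in Set-Cookie, and the client keeps it in a cookie jar so the second request carries it in a Cookie header. Credentials, cookie name and the balance payload are constructed; it uses only the standard library (http.cookiejar + urllib) so it runs offline, and requests.Session keeps its cookie jar the same way.

```python
import http.cookiejar, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = set()  # server-side store of issued session ids (constructed demo)
COOKIE = "SessionId"  # constructed session cookie name

class DemoHandler(BaseHTTPRequestHandler):
    # Stand-in for the LogOn / Balance endpoints in the API description above.
    def log_message(self, *args):
        pass

    def _send(self, payload, extra_headers=None):
        body = json.dumps(payload).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # LogOn: on success, hand out the session id in Set-Cookie
        creds = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/Account/LogOn" and (creds.get("UserName"), creds.get("Password")) == ("demo", "s3cret"):
            SESSIONS.add("constructed-session-id")
            self._send(True, {"Set-Cookie": f"{COOKIE}=constructed-session-id; Path=/; HttpOnly"})
        else:
            self._send(["Invalid user name or password"])

    def do_GET(self):  # Balance: only answers when the Cookie header carries a live session
        cookies = dict(c.strip().split("=", 1) for c in self.headers.get("Cookie", "").split(";") if "=" in c)
        if self.path == "/Account/Balance" and cookies.get(COOKIE) in SESSIONS:
            self._send({"balance": 100.0})
        else:
            self._send("you must login")

def start_server():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def login_then_balance(base_url, user, password):
    # The jar stores the Set-Cookie from LogOn and adds a Cookie header to the Balance request.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(base_url + "/Account/LogOn", headers={"Content-Type": "application/json"},
                                 data=json.dumps({"UserName": user, "Password": password}).encode())
    logon = json.loads(opener.open(req).read())
    balance = json.loads(opener.open(base_url + "/Account/Balance").read())
    return logon, balance, sorted(c.name for c in jar)
```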

A query about Cookies in Servlets

    Cookie usernameCookie = new Cookie("username", attributeUsername);
    usernameCookie.setMaxAge(24*60*60);
    response.addCookie(usernameCookie);
A cookie is created on the server in this way and added to the HttpServletResponse.
Then why is it that an HttpServletRequest header contains cookies?
Cookies are transmitted per request; example use case:
1. The first client request does not contain cookies.
2. The server sets cookie A; it is transmitted back to the client in the HTTP header Set-Cookie. This is what response.addCookie does.
3. The second client request sends the HTTP header Cookie containing a list of all matching cookies (including cookie A).
Cookies are part of the HTTP protocol. Wikipedia provides a fine overview: http://en.wikipedia.org/wiki/HTTP_cookie