show forbidden access after set cookie - asp.net

I made an e-commerce website (ASP.NET Core). I used cookies for the shopping cart and the compare list. Before adding cookies my website worked well, but after I added cookies (add product to cart or compare list), when I want to open the compare page or any page it shows this error:
403 - Forbidden: Access is denied.
Is there a problem with my code? or is it my host settings?
This is my code:
// compare holds the cookie name; the JSON is percent-encoded because a raw ';' or ',' in a cookie value is invalid and can truncate it
var cookie = compare + "=" + encodeURIComponent(JSON.stringify(items)) + ";path=/";
document.cookie = cookie;

Probably because you have another cookie for authentication.
With this code you probably overwrite the authentication cookie.
Try setting some breakpoints and checking the code.

Related

DotNetOpenAuth with Google Provider fails works on localhost but fails on test server - return_to realm issue

I am using DotNetOpenAuth to perform my website authentication using Google accounts with ASP.NET MVC 4. I am able to run Google authentication without any problems on my localhost, but when deploying to test I get the following error.
DotNetOpenAuth.Messaging.ProtocolException: return_to '...//myserver/myapp' not under realm '...//myserver/myapp/'.
Notice that the only difference in the return_to realm parameters is the trailing slash "/". If I enter .../myserver/myapp/ (including the trailing slash) in the browser's address bar the site then works.
How do I get my application to accept both trailing and missing slashes when entered in the browser's address bar?
Below is my code:
IAuthenticationRequest request = openId.CreateRequest(Identifier.Parse(WellKnownProviders.Google));
FetchRequest fr = new FetchRequest();
fr.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
request.AddExtension(fr);
request.AddExtension(new ClaimsRequest
{
Email = DemandLevel.Require,
});
return request.RedirectingResponse.AsActionResult();
Thanks in advance for any help!

webdriver not returning all cookies

I am trying to test a scenario where an HTTP request is run to log in to a site using username and password, and on success it redirects to google.com. It also creates session cookies of its own, which I am able to view in the Firefox browser manually.
However when I am trying to retrieve all cookies using Selenium Webdriver, it is just returning the cookies that belong to the present domain.
I am using the following code:
Set <Cookie> allCookies=driver.manage().getCookies();
Iterator <Cookie> itr=allCookies.iterator();
APPLICATION_LOGS.info("Cookie Size--->"+driver.manage().getCookies().size());
while(itr.hasNext())
{
Cookie c=itr.next();
APPLICATION_LOGS.info("Cookie Domain--->"+c.getDomain()+"Cookie Name---"+c.getName()+"Cookie Value---"+c.getValue());
}
Please let me know if there is any other way to retrieve all the cookies.

Issue with Response.Redirect to another site

I'm creating a gateway app which will control access to various other apps (tools).
On visiting the site the user is identified and a list of tools they have access to is displayed. Clicking the link takes the user to the tool. The URL is affixed with a token as a querystring. The token is encrypted.
On arriving at the tool site the system checks to see if there is a querystring with a token. It checks to see if the token is valid (the date is part of the encryption). If OK then the token is also saved as cookie which is valid for 8h and access is granted.
If the user hits the Tool site directly from a bookmark the system once again checks to see if there is a token and that it is valid. If no token is passed as a querystring then the system will see if it still has a valid cookie. If there is no valid token or cookie the site invokes a response.redirect to the gateway together with two querystrings t and r. t is the tool's numeric ID and r is the Tools URL.
What should happen is that the user will be redirected to the Gateway, which will check to see if the user has access to tool id t and, if they have, redirect back to r with a fresh token appended as a querystring.
My code has the following....
Private GatewayURL As String = "http://GatewayURL/default.aspx?t=2&r="
Private ToolURL As String = "http://ToolURL/default.aspx"
In my page load I have….
…
If AuthenticationPass = False Then
'We are not authenticated...
Response.Redirect(GatewayURL & ToolURL, True)
End If
…
Unfortunately when this is triggered I get the following error...
Invalid path for child request 'http://GatewayURL/default.aspx'. A virtual path is expected.
I've run out of ideas on resolving this.... any help appreciated.
You should URL encode your query string parameters:
Response.Redirect(GatewayURL & HttpUtility.UrlEncode(ToolURL), True)
so that you redirect to:
http://GatewayURL/default.aspx?t=2&r=http%3A%2F%2FToolURL%2Fdefault.aspx
instead of:
http://GatewayURL/default.aspx?t=2&r=http://ToolURL/default.aspx
The second is a pretty broken url.
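One way to build and consume the gateway redirect, as an added example that is not code from the question or the answer. It is written for Node rather than VB.NET; the gateway and tool hostnames and the tool registry are constructed for the demo, and treating r as untrusted (resolving the tool by t and only accepting an r that matches the tool's registered URL) is a check added here, not something the page states.

```javascript
// Added example, not code from the question or answer: the gateway handoff in
// Node. Hostnames and the tool registry are constructed for the demo.
const TOOLS = new Map([
  [2, 'http://tool.example/default.aspx'], // tool id -> registered URL (constructed)
]);

// Tool side: the redirect from the answer, with r percent-encoded by URLSearchParams
// so the "r=http://..." value can no longer break the query string.
function buildGatewayRedirect(gatewayBase, toolId, toolUrl) {
  const u = new URL(gatewayBase);
  u.searchParams.set('t', String(toolId));
  u.searchParams.set('r', toolUrl); // encodes ':' and '/' as %3A and %2F
  return u.toString();
}

// Gateway side: resolve the tool by t and accept r only when it matches that
// tool's registered URL, so r cannot be abused to bounce users to another host.
// Treating r as untrusted is a check added here; the page does not describe it.
function resolveReturnUrl(requestUrl, registry = TOOLS) {
  const q = new URL(requestUrl).searchParams;
  const registered = registry.get(Number(q.get('t')));
  const r = q.get('r'); // searchParams.get returns the decoded value
  if (!registered || !r) return null;
  let given;
  try { given = new URL(r); } catch { return null; }
  const want = new URL(registered);
  if (given.origin !== want.origin || given.pathname !== want.pathname) return null;
  return registered; // redirect to what we know, not to what we were sent
}

// Append the freshly issued token (token issuance is outside this example).
function redirectWithToken(registeredUrl, token) {
  const u = new URL(registeredUrl);
  u.searchParams.set('token', token);
  return u.toString();
}
```

Because the gateway already needs t to decide whether the user may use the tool, r is only a convenience; resolving the return URL from t and comparing r against it costs one lookup and removes the open redirect that blindly redirecting to r would create.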

Strange behavior on cookie domain

Background:
AspNet web app / C# 3.5
IIS7
VS 2010
Windows 7
When user is authenticated, we create a cookie, this way:
var cookieASP = FormsAuthentication.GetAuthCookie(user.Id, true);
cookieASP.Domain = "x.y.local";
Yes, domain is hard coded for this example.
Using a cookie viewer extension in Firefox 11, I can see that the domain of the cookie is .x.y.local, with a leading '.'. I know that it allows a shared cookie between w.x.y.local and q.x.y.local. Ok.
But, when user clicks on disconnect, he is not kicked out...
var cookieAsp = System.Web.Security.FormsAuthentication.GetAuthCookie(u.Identifiant, true);
cookieAsp.Expires = DateTime.Now.AddDays(-10);
Response.Cookies.Set(cookieAsp);
FormsAuthentication.SignOut();
And with debugger we can see that cookieAsp.Domain is null. And cookie is not removed from browser's cookies.
If I edit cookie domain (directly from browser), and set its domain to x.y.local without the leading ., cookie is deleted and user disconnected.
I don't understand why this '.' is added, and why it is not well understood by the browser.
EDIT (major importance I guess): we are doing such way because if we don't set domain, then IE8 (only 8) can't understand our cookie...
When you want to remove a cookie, you have to specify it with the exact domain of the cookie you want to remove. The cookie's domain is not sent by the browser on a request, so you will always get a null value when you inspect it in a debugger session.
So before Response.Cookies.Set(cookieAsp); add cookieAsp.Domain = "x.y.local";.
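The two cookie rules behind this answer and behind the compare-list question at the top of the page, shown with a small cookie store modelled on RFC 6265 section 5.3. This is an added example, not code from either question or from ASP.NET: hosts, values and the compare list are constructed, and the cookie names .AspNetCore.Cookies and .ASPXAUTH are the ASP.NET Core and Forms Authentication defaults, used here as assumptions. Rule one: a write replaces an existing cookie only when name, domain and path all match, and a document.cookie write can never replace a cookie that carries HttpOnly (which the ASP.NET Core authentication cookie does by default). Rule two: a delete is just such a write with a past expiry, so it must repeat the Domain the cookie was set with; the leading dot the Firefox viewer shows only marks a cookie that has a Domain attribute.

```javascript
// Added example, not code from the questions or from ASP.NET: a minimal cookie
// store following RFC 6265 section 5.3, used to show when one cookie write
// replaces another and why a delete must repeat the original Domain.
const HTTP = 'http';     // cookie arrived in a Set-Cookie response header
const SCRIPT = 'script'; // cookie written through document.cookie

class CookieJar {
  constructor() {
    this.cookies = []; // { name, value, domain, hostOnly, path, httpOnly }
  }

  // `host` is the host that set the cookie. Returns false if the write was refused.
  set(host, { name, value = '', domain = null, path = '/', httpOnly = false, expires = null }, source) {
    // No Domain attribute means a host-only cookie bound to exactly `host` (5.3 step 6).
    const hostOnly = domain === null;
    const cookieDomain = hostOnly ? host : domain.replace(/^\./, '').toLowerCase();
    const i = this.cookies.findIndex(
      (c) => c.name === name && c.domain === cookieDomain && c.path === path
    );
    if (i >= 0) {
      // 5.3 step 11: a non-HTTP API may not replace a cookie that has HttpOnly set.
      if (this.cookies[i].httpOnly && source === SCRIPT) return false;
      this.cookies.splice(i, 1); // otherwise the new cookie replaces the old one
    }
    // A cookie whose expiry is already in the past is a deletion, so store nothing.
    if (expires !== null && expires <= Date.now()) return true;
    this.cookies.push({ name, value, domain: cookieDomain, hostOnly, path, httpOnly });
    return true;
  }

  // Cookies a request from `host` for `reqPath` would carry (simplified 5.4 matching).
  matching(host, reqPath = '/') {
    return this.cookies.filter((c) => {
      const domainOk = c.hostOnly
        ? host === c.domain
        : host === c.domain || host.endsWith('.' + c.domain);
      return domainOk && reqPath.startsWith(c.path);
    });
  }

  names(host, reqPath = '/') {
    return this.matching(host, reqPath).map((c) => c.name);
  }

  // Size of the Cookie request header; a JSON compare list rides along on every request.
  headerBytes(host, reqPath = '/') {
    const header = this.matching(host, reqPath)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
    return Buffer.byteLength(header, 'utf8');
  }
}

// First thread: does the document.cookie write for the compare list clobber the
// auth cookie? Host and values are constructed; the cookie name is ASP.NET Core's
// default (assumed), and that cookie is HttpOnly by default.
function compareListScenario(items) {
  const jar = new CookieJar();
  const host = 'shop.example';
  jar.set(host, { name: '.AspNetCore.Cookies', value: 'ticket', httpOnly: true }, HTTP);
  // The question's write, with the JSON percent-encoded so ';' or ',' cannot split it.
  const compareOk = jar.set(
    host, { name: 'compare', value: encodeURIComponent(JSON.stringify(items)) }, SCRIPT
  );
  // A script write using the auth cookie's own name is refused because it is HttpOnly.
  const clobbered = jar.set(host, { name: '.AspNetCore.Cookies', value: 'x' }, SCRIPT);
  return { compareOk, clobbered, names: jar.names(host), bytes: jar.headerBytes(host) };
}

// This thread: expiring a cookie that was set with Domain=x.y.local. .ASPXAUTH is
// the Forms Authentication default name (assumed); hosts are constructed.
function signOutScenario() {
  const jar = new CookieJar();
  const host = 'w.x.y.local';
  const past = Date.now() - 1000;
  jar.set(host, { name: '.ASPXAUTH', value: 'ticket', domain: 'x.y.local' }, HTTP);
  // Sign-out without Domain targets (.ASPXAUTH, w.x.y.local, /), which nothing matches.
  jar.set(host, { name: '.ASPXAUTH', expires: past }, HTTP);
  const afterWrongDomain = jar.names(host);
  // The same delete with the Domain the cookie was set with removes it.
  jar.set(host, { name: '.ASPXAUTH', domain: 'x.y.local', expires: past }, HTTP);
  const afterRightDomain = jar.names(host);
  return { afterWrongDomain, afterRightDomain };
}
```

compareListScenario([1, 2, 3]) returns clobbered false with both cookie names present, and its bytes field is worth watching: the compare list is resent in the Cookie header on every request, so a long list is a good thing to check before suspecting the auth cookie. signOutScenario() returns the auth cookie still present after the sign-out that omits Domain and gone after the one that repeats it.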

How to allow secure login across multiple domains

I have a web-based application that allows a user to point their DNS at my IP, and my app will serve up their content based on the domain name I see in the HTTP Host header. I should point out this is done by the application, not by the actual HTTP server (Apache); it is a rebranded-app sort of thing. The problem I have is that I would like the users to be able to log in through a form on the served page and somehow stay within the user's domain. This is easy, unless you want security. I would have to have an SSL cert installed for every domain to pull this off. Right now I can do it by submitting the form to a domain with an SSL cert installed, but due to browser security I can't exactly set the required cookies on the original domain.
Does anyone know a way I can securely log in users through the app that does not involve installing a lot of ssl certs. I can think of some convoluted ways using redirects or other mechanisms, but it is not that clean. I don't mind a submit to the secure url and a redirect, it's just setting the cookie can't be done.
I've done this before using the following method...
Create auth key on server 1.
import base64
import hashlib
import time

secret = 'my secret key'
hash_size = 32   # length of an md5 hex digest

def create_auth_key(username, password, expire_time):
    expires = int(time.time()) + expire_time
    data = username + '|' + password + '|' + str(expires)
    hash = hashlib.md5((data + secret).encode()).hexdigest()
    return base64.b64encode(data.encode()).decode() + hash
On server two you pass the newly created authkey
def valid_auth_key(key):
    hash = key[-hash_size:]
    b64data = key[:-hash_size]
    data = base64.b64decode(b64data).decode()
    data_hash = hashlib.md5((data + secret).encode()).hexdigest()
    if data_hash != hash:
        return False  # invalid hash
    user, password, expires = data.split('|')
    if time.time() > int(expires):
        return False  # url expired
    return True
It's kind of quick and dirty, but it only relies on simple data passed via the URL. The downside is that a specific URL is all that's required to log in, and someone could share that URL for a period of time. You also have to make sure your expiration time is not greater than the time difference between servers.
A common trick is to pass data in the URL. Facebook Connect does this. You can redirect from one domain to the other with a session token in the URL and then verify the token (perhaps convert to a cookie) when the request comes in on the other domain. Edit: the MSDN article that Facebook links to has much more detail.
