Good Day to you.
Our organization is using IBM HTTP Server 6 (Server version: IBM_HTTP_Server/6.1.0.47-PI31516 Apache/2.0.47)
We have a requirement to update an cookie parameter/attribute from web server. I have tried options from stackflow and other sites. However I cannot get the current value of the cookie
httpd.conf Entry
SetEnvIf Cookie "TEST_COOKIE=([^;]+)" AuthUniqueId=$1
Header add Set-Cookie "TEST_COOKIE=%{AuthUniqueId}e; SameSite=None; Secure; path=/" env=AuthUniqueId
I can see the cookie TEST_COOKIE set in response. however the value is always $1
Can you help in advising how to make it work?
Thanks in advance.
SetEnvIf in IHS 6.1 (which is out of service for years) does not support substituting regex backreferences.
Related
when i post the data using POST method in woocommerce api. i am getting cors issue
Access to fetch at 'http://localhost/wordpress/wc-api/v3/customers?oauth_consumer_key=ck_64d88e1fa3516e9f5a06b6053f02976a534d3f8f&oauth_nonce=zsu3ysEnFHhvrZt4Nc7H66Dgu28H20K7&oauth_signature_method=HMAC-SHA256&oauth_timestamp=1562587817&oauth_version=1.0&oauth_signature=KtFxvyQNklUlfCi6rNWyJ0DEJ6AS2ZbwbO44u%2FEqxG4%3D' from origin 'http://localhost:8100' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
You have to set a Access-Control-Allow-Origin header on each request to the server, if your server is on a different domain than the app on which you are making those requests (the server sets it as a response header). Adding that header tells the system that the external domain "localhost:8100" is allowed to make those requests.
You cannot circumvent this requirement in vanilla browsers, because it is a built in security feature to reduce CORS attacks
PS. different ports on the same domain are considered to be different domains. Thus example.com will get a 401 error, if you are making a request to example.com:8100. Same goes for localhost, or any other domain.
Example code from an Apache2 web server .conf file, that I personally use to set these headers.
SetEnvIf Origin "^http(s)?://(.+\.)?(staging.\xxx\.com|xxx\.com|xxx\.local|xxx\.local:4200|a2\.local)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Just replace the xxx.com domains with localhost:8100 or whatever else you need in that array. (if you are using Apache web server)
As a result, the Chrome network tab should have an Access-Control-Allow-Origin header on attached to the request
I was searching the internet quite a time but I didn't find a satisfying answer to my question.
I have to get a json object from a certain http site. I do this with a get-request over http (site is available only over http). The site responds with a session cookie:
Set-Cookie: session_id=95656983e1feaff45a000aa7f2f9093a1ea4b1c3; expires=Fri, 20 Apr 2018 14:00:51 GMT; httponly; Max-Age=3600; Path=/; secure
My first question is why the cookie is sent over http when httponly & secure flag are set??
After I get the json object I have to do some fancy stuff and send a json object back to an other site of the same domain. Also this site is available only via http. (I do the requests in python with python-requests and use requests.session() for dealing with the cookies so no problem there). When I look through the header of my request with mitmproxy I see that no cookie is set and the page responds with "WHERE'S MY COOKIE??"
I think the problem is with httponly & sercur flag. I just don't know how to deal with it because the page is only available over http and not https?
Secure attribute instructs the client/browser to only return the cookie when using a secure channel, but such a cookie can be set by the application/server on to the client/browser over normal HTTP. You are correct the secure flag is causing the problem and AFAIK there is no way to work around it
Enabling sticky sessions in Phusion Passenger adds set-cooke header in next form:
Set-Cookie: _passenger_route=598708409; Path=/
Questions:
How to alter Path?
How to set httpOnly option?
How to set secure option?
How to set other options?
This is the relevant code that sets the cookie.
Path is controlled by the baseURI
httpOnly is not set for this reason:
// Note that we do NOT set HttpOnly. If we set that flag then Chrome
// doesn't send cookies over WebSocket handshakes. Confirmed on Chrome 25.
& 4. The current code offers no way to inject other values.
Path is set to the value of passenger_base_uri
httpOnly is not set by Passenger because it stops cookies being sent over websockets on Chrome (Last confirmed on Chrome 25).
To set httpOnly, secure, and other options, perhaps using something like header_filter_by_lua_block from the ngx_http_lua_module might be of use (this is included in the apt packaged nginx provided by Phusion, and can be installed as a dynamic module otherwise).
I have configured nginx as Proxy server and my backend is tomcat8.5 on Redhat7. I have configure SSL in nginx. I would like to have cookie in secure and httponly but my header shows only JSESSIONID in cookie.
my result:- Cookie:JSESSIONID=D442DD723352EA8354E4D .
i'm seeking of below result
click on here- pic 1
I have follow below solution , but that was not worked for httpOnly.
https://geekflare.com/secure-cookie-flag-in-tomcat/
I'm trying to understand how the cache-control http header works.
The cache-control header can have the no-cache value. I have checked the definition in w3c and it said:
If the no-cache directive does not specify a field-name, then a cache
MUST NOT use the response to satisfy a subsequent request without
successful revalidation with the origin server.
It tells no-cache value will trigger validation for every request.
What I want to know is, what is cache validation and what it does in the http protocol?
thanks for your help guys. now i understand validation means check if cache contain latest content from server.
my further question would be what issues no-cache will fix. please provide some scenario, like after applied no-cache in http header, what security issue will be fixed.
thanks guys
The no-cache directive is not intended for a security purpose. Security gets covered in rules that define which data/resources a cdn/proxy server is not permitted to cache. So, if security is required, the no-store directive should be used by the client/server. Look under :
paragraph 2 under section 13.4 on https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
https://www.rfc-editor.org/rfc/rfc7234#section-3
The no-cache directive is used by the client when it is ready to accept a resource from a cache, provided there is a confirmation from the server that the cached resource is up to date (fresh). The proxy/cdn can use two methods to re-validate the resource's freshness :
If client sent an ETAG value, proxy/cdn can forward it to the server under an If-None-Match header. If server responds with '304 Not Modified', then the cached resource is fresh to serve.
Using an If-Modified-Since header with a date value that was received the last time the resource was downloaded from the server (was to be found under the Last-Modified header in server's last response).