I'm making http request from React to our API for authentication. I'm using fetch to make the requests.
My question is, can a user go to the network tab in chrome dev tools, find the request, and see their own token?
It depends.
Normally, user can see all request headers in the HTTP request, in Network panel of Chrome dev tool.
However, after Chrome 67, a new feature named "Site isolation" was introduced, and enabled by default. As a result:
In Chrome's DevTools, cookies and other request headers are not shown in the network panel for cross-site subresource requests.
That is, if JWT token is transferred by cookie in a subdomain site, and the domain of JWT-cookie is wildcard, it will not be displayed in Network panel.
Here is an example. cookie token's domain is .miaotest.com, and it is used in HTTP request to site cshao.miaotest.com. While this cookie is transferred to backend successfully, you won't see it in "Request Headers" part in dev tool.
Cookie token's information in "Application" panel:
Cookie token is sent but not displayed in Network panel:
Please note the "Site isolation" feature can be disabled by visiting chrome://flags/#site-isolation-trial-opt-out in Chrome.
Yes, he can see the whole request including all request headers.
Related
I just set up my custom domain with Firebase Hosting, lets call it mydomain.example.com.
When I navigate to it in Firefox, it shows a toggle next to the domain, that when clicked shows this:
Where the redacted part is my firebase project ID, and the full domain is one of the default domains for Firebase hosting.
What is happening here, exactly, and how can I change the behavior so it doesn't result in these cross-site cookies? Is this related to the Google Auth provider, which I also noticed doesn't use the new custom domain (instead, using one of the default domains) in the popup window for sign-in?
This is a known issue with the Firebase Auth SDK. It is not related to the Google Auth provider. The issue is that the Firebase Auth SDK uses a cookie to store the user's session. The cookie is set to the domain of the Firebase project, which is a default domain for Firebase Hosting. The cookie is set to be secure, so it is not sent over HTTP, but is sent over HTTPS. The cookie is also set to be SameSite=Lax, which means that it is not sent on cross-site requests unless the request is a GET request. The cookie is not sent on cross-site requests that are POST requests, which is the case for the sign-in popup. The cookie is sent on cross-site requests that are GET requests, which is the case for the main page.
To solve this issue, you can set the cookie policy to SameSite=None. This will allow the cookie to be sent on cross-site requests, but it will also require the cookie to be marked as secure. This means that the cookie will only be sent over HTTPS. If you are using a custom domain, you will need to set up HTTPS for your custom domain. If you are using a default domain, you will need to set up HTTPS for your default domain.
When I go to the HTTPS server, I can see in Developer tools (or in Fiddler) a request cookies that are send to the server by client. But how client know, which cookies should be sent, if no response cookies are sent by server. At least I canĀ“t see any response cookies in Developer tools or Fiddler.
First up each domain has its own cookies in a cookie jar / cookie store. Whenever a request is made by the browser to the server all cookies in the store for that domain or subdomain will be sent to the server.
secure cookies vs insecure cookies
Secure cookies will be sent only on connections that are made over ssl(https protocol). Normal cookies will be sent on both http and https protocols.
session cookies vs. persistent cookies
session cookies - These cookies persist as long as the browser session is open. This means that Once you have cleared cache or closed the browser they get lost.
persistent cookies - These will persist even if the browser is closed and opened again unless you have set the browser to clear cookies on exit in which case they will behave just like session cookies.
First party cookies vs. Third party cookies.
First party cookies - generated by the domain currently open as main document - this means they have same domain as the one displayed in your browser.
Third party cookies - generated by a different domain then currently opened by the browser(in the addressbar) but which are managed inside an iframe or various resource calls like css, script, media(images, videos or other embedded media)
CORS - cross domain calls via xhttp ajax calls - this case arises when you create a domain requests resources from another domain via xhttp(ajax calls). In this case the browser makes a preflight check to see if the receiving domain accepts queries from the origin domain(origin headers are sent to the domain to check the cross domain policy). The server must necessarily respond with a valid options header and the server may allow identity data which is short for cookie data. If the remote domain has answered correctly with an "Access-Control-Allow-Origin" header that allows your domain or "*" then you are allowed to send cookies via this request. And these will behave just like normal calls.
To read more about cors:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
To directly answer the question: the client sends back all cookie data it has for that domain and path.
If you do not see any Set-Cookie header in any HTTP response, it may be because the cookie has been issued by server and stored on your computer before you started looking at Dev Tools or Fiddler. It could have been up to a few days, weeks, even months ago.
In Firefox, if you navigate to about:preferences#privacy and click Manage Data, you can see which domains already have cookies issued and stored on your computer. The Storage tab in Firefox Dev Tools can show you details of all cookies. The expiry of the cookie is determined by the server, using the Expires or Max-Age directive in the Set-Cookie header.
How a cookie first ended up on the client computer:
Client makes its first ever HTTP request to server, e.g. GET www.example.com
Server creates a cookie and sends it back in the HTTP response, e.g. the response headers contains a line: Set-Cookie: sessionID=1234567; path=/; Max-Age=31536000
The client receives HTTP response and stores the cookie in the "jar" for domain www.example.com.
How server uses cookies to identify the client
In subsequent HTTP requests to domain www.example.com, the client sends back all cookies in the jar that matches the path or sub-path. For example, the client wishes to issue a request GET www.example.com/about, sees that the URL is a sub-path of / in domain www.example.com, so it sends the cookie as a line in the HTTP request header, i.e. Cookie: sessionID=1234567.
The server sees the cookie and knows exactly which client made this request.
I installed some chrome extension that pop ups a modal box when I'm on a certain domain.
If I click the button in that box, I see in the Network tab of chrome developer tools, that the extension makes an HTTP Post request to the website.
The request contains some request cookies from the domain: A,B,C,D.
And response cookies from the domain: A,B,C - without D.
When the request is done (and the extension finished doing its "magic"), I discovered that the value of cookie D has changed, even though D was not in the response cookies. I tested it several times.
How is this possible? Can the extension make something in the background that is hidden from the network tab, that will cause the cookie D from the domain to change?
I want to be able to capture and document this Cookie D generation behavior, and don't know how to do that.
Using the chrome.cookies API, a Chrome extension can manipulate the cookies that are stored in the browser without the need to perform an HTTP request. The extension will need the cookies permission to access this API.
You will not be able to capture, or intercept, the extension's calls to the chrome.cookies API.
In addition, through the chrome.webRequest API, a chrome extension can modify the request headers, including cookies, which are sent or received without directly changing the cookies which are stored in the browser. The extension will need the webRequest and webRequestBlocking permissions to make such changes.
I know from questions like this one that there's no "official" way to log out of an HTTP auth "session". I've also read about the 401 header trick, but that does't seem to be too widely supported.
Now my home router, on the other hand, uses HTTP Auth, and it works perfectly! I type in my routers IP, and no web page is rendered. Instead I get an HTTP auth login box (I also have an industrial firewall at work that works this same way). How do devices like this handle HTTP auth "sessions"?
Or am I being tricked into thinking it's HTTP auth, because there's no webpage rendered, just a login box identical to one that HTTP auth uses?
The credentials for HTTP Auth/Digest are only stored until the browser is closed. If you were to login to your router, close the TAB, then go back to your router, you will see that you are in fact, still logged in.
Now if you were to log into your router, close the BROWSER, re-open the browser, and navigate back to the router IP. You will be greeted by the HTTP auth login box again.
I have a site (running a 3rd party app) that's available over HTTPS and HTTP. It allows people to log in with Basic Authentication. I'm trying to force all logins to happen over HTTPS rather than HTTP.
The app is odd in that the authentication "realm" is the root of the domain (/), and 401s are returned based on query string parameters rather than the URL path. I think I've got my RewriteRules set up properly so that any request that could result in a 401 is redirected to HTTPS first. However, I'm worried that after logging into the secure site, if users navigate back to the HTTP version somehow, browsers will still send Authorization headers (now unencrypted) without seeing a 401 since it's all the same domain with the /same/path/structure. That is, I'm worried about this behaviour from RFC 2617:
A client MAY preemptively send the corresponding Authorization header with requests for resources in that space without receipt of another challenge from the server.
Should I worry? Or does switching protocols (https to http) prevent browsers from sending those preemptive auth headers?
We heavily use basic auth for our application. All using https of course :)
Browsers have a good sandbox model, they know that when the protocol changes, the target machine may not be the same anymore. You don't have to worry about browsers submitting the authentication information.
Even when they run into the initial 401, they will still ask the user for the username/password pair.