I would be grateful if someone would explain how servlets can tell that cookies have been disabled on the client's browser.
I understand that while creating a session in a servlet:
If cookies are enabled, the server will return the sessionID as a cookie.
If cookies are disabled, the sessionID will be written into the URL.
What I don't understand is how the server can tell that cookies have been disabled.
HTTP is a stateless protocol, there is no way (that I know of) the server can tell that the client has disabled cookies.
I expect that the server would not receive cookies in the request header but that could mean that no cookies have been set in the first place.
I have checked these answers:
Servlet HttpSession cookies disabled
Manage Session when broswer has disable cookies
They both explain how to enable URL-rewriting but they do not explain how the server knows cookies have been disabled on the client.
how servlets can tell that cookies have been disabled
They can't.
When the session is first created, the server sends the session ID both as a cookie and with URL rewriting. On the second request, if it receives the session cookie, then it stops rewriting URLs.
Related
When I go to the HTTPS server, I can see in Developer tools (or in Fiddler) a request cookies that are send to the server by client. But how client know, which cookies should be sent, if no response cookies are sent by server. At least I canĀ“t see any response cookies in Developer tools or Fiddler.
First up each domain has its own cookies in a cookie jar / cookie store. Whenever a request is made by the browser to the server all cookies in the store for that domain or subdomain will be sent to the server.
secure cookies vs insecure cookies
Secure cookies will be sent only on connections that are made over ssl(https protocol). Normal cookies will be sent on both http and https protocols.
session cookies vs. persistent cookies
session cookies - These cookies persist as long as the browser session is open. This means that Once you have cleared cache or closed the browser they get lost.
persistent cookies - These will persist even if the browser is closed and opened again unless you have set the browser to clear cookies on exit in which case they will behave just like session cookies.
First party cookies vs. Third party cookies.
First party cookies - generated by the domain currently open as main document - this means they have same domain as the one displayed in your browser.
Third party cookies - generated by a different domain then currently opened by the browser(in the addressbar) but which are managed inside an iframe or various resource calls like css, script, media(images, videos or other embedded media)
CORS - cross domain calls via xhttp ajax calls - this case arises when you create a domain requests resources from another domain via xhttp(ajax calls). In this case the browser makes a preflight check to see if the receiving domain accepts queries from the origin domain(origin headers are sent to the domain to check the cross domain policy). The server must necessarily respond with a valid options header and the server may allow identity data which is short for cookie data. If the remote domain has answered correctly with an "Access-Control-Allow-Origin" header that allows your domain or "*" then you are allowed to send cookies via this request. And these will behave just like normal calls.
To read more about cors:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
To directly answer the question: the client sends back all cookie data it has for that domain and path.
If you do not see any Set-Cookie header in any HTTP response, it may be because the cookie has been issued by server and stored on your computer before you started looking at Dev Tools or Fiddler. It could have been up to a few days, weeks, even months ago.
In Firefox, if you navigate to about:preferences#privacy and click Manage Data, you can see which domains already have cookies issued and stored on your computer. The Storage tab in Firefox Dev Tools can show you details of all cookies. The expiry of the cookie is determined by the server, using the Expires or Max-Age directive in the Set-Cookie header.
How a cookie first ended up on the client computer:
Client makes its first ever HTTP request to server, e.g. GET www.example.com
Server creates a cookie and sends it back in the HTTP response, e.g. the response headers contains a line: Set-Cookie: sessionID=1234567; path=/; Max-Age=31536000
The client receives HTTP response and stores the cookie in the "jar" for domain www.example.com.
How server uses cookies to identify the client
In subsequent HTTP requests to domain www.example.com, the client sends back all cookies in the jar that matches the path or sub-path. For example, the client wishes to issue a request GET www.example.com/about, sees that the URL is a sub-path of / in domain www.example.com, so it sends the cookie as a line in the HTTP request header, i.e. Cookie: sessionID=1234567.
The server sees the cookie and knows exactly which client made this request.
Assume you have XSS attack on your site.
Hacker can make any request with cookies.
So, what's point to hide this value from client?
In an XSS attack, "hackers can make any request with cookies", but NOT all cookies. If one cookie is HttpOnly, it cannot be accessed by client JavaScript, which means hackers cannot read the cookie value and send it to his own server, not even know whether this cookie exist.
Normally, when HttpOnly is used to protect cookie, the cookie's Domain is also set (if Domain is missing in HTTP response's Set-Cookie header, browser will set the cookie's domain as that HTTP connection's hostname). Hackers can trigger HTTP request and make browser put HttpOnly cookie in the request, but it would be restricted by cookie's Domain -- the cookie is sent only when its Domain match the HTTP request. Thus, HttpOnly cookie with website's Domain is safe, it will not be leaked to XSS attackers.
Well Http Only cookies can only be accessed by the server. They cannot be accessed from JavaScript. Which means it will be more difficult for hackers to use these cookies for their own use.
Http Only cookies reduces the possibility of Cross Site Scripting attacks on websites.
See this link for more information: https://www.owasp.org/index.php/HttpOnly
Seeing as using session and cookies are so unsafe, is it possible to securely use just servlet context variables and hiddenform fields, url rewriting to implement same things that session does?
But will it be equally secure and convenient? Why is this method not used?
I am just trying to avoid cookies! Plus, if I save user details in servlet context variables , will it not work same as cookies, but just in server side?
Is that the reason that cookies are ultimately used,That they are client side?
No, Cookies are different from Servlet Context. ServletContext is singleton per application. Not per user.You should avoid using ServletContext for user specific information because you also need to take care of User Lifecycle such as deleting the User info when he is idle.
If you do not want to use Cookie, the alternatives for session tracking are:
URL Rewirting
Hidden Form Fields
But you can make Cookies Secured with the help of following properties:
httponly: On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript).
secured: A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server.
Domain : They tell the browser that cookies should only be sent back to the server for the given domain.
Path: They tell the browser that cookies should only be sent back to the server for the given path.
I am .net Beginner,when the log-in request send from client to server in forms authentication
the server will sends authenticated cookies back to client after successfull log-in ,at every request cookies will sends to server.
so can we see this cookies on browser if yes then how?
Cookies can be read using this: http://www.w3schools.com/js/js_cookies.asp
I don't think the .NET framework cookies are exposed to the client, but could be wrong. Some cookies, if a setting is enabled on it (called HttpOnly) are server-only cookies and can't be read on the client. The name of the cookie is configurable in the web.config's element.
HTH.
I have two virtual directories, one hosts an application the other hosts a web service layer running WCF with ASP.NET compatibility mode enabled.
The service project has an HTTP module that deals with authentication for incoming requests. The login service writes an authentication cookie to the client.
Subsequent requests are handled via AJAX (jQuery) to the services from the application project (another virtual directory on the same domain.)
Cookie domain is set correctly, the cookie path is "/", the cookie is set to HTTP ONLY so that scripts cannot interact with it.
My issue is the login service seems to be sending the SET-COOKIE header with the correct payload in the cookie, however the subsequent requests are not sending the cookie back to the server, in fact when inspecting the local store the cookie is not even there.
Potentially what could be my issues?
We tracked the issue down to Chrome. Apparently there was a prior bug that seems to be presenting itself again whereby expires cookies are not promoted to session and are instead discarded.