I am trying to test a scenario where an http request is ran to login to a site using username and password and on success it redirects to google.com.It also creates session cookies of its own which I am able to view in the Firefox browser manually.
However when I am trying to retrieve all cookies using Selenium Webdriver, it is just returning the cookies that belong to the present domain.
I am using the following code:
Set <Cookie> allCookies=driver.manage().getCookies();
Iterator <Cookie> itr=allCookies.iterator();
APPLICATION_LOGS.info("Cookie Size--->"+driver.manage().getCookies().size());
while(itr.hasNext())
{
Cookie c=itr.next();
APPLICATION_LOGS.info("Cookie Domain--->"+c.getDomain()+"Cookie Name---"+c.getName()+"Cookie Value---"+c.getValue());
}
Please let me know if there is any other way to retrieve all the cookies.
Related
I have a intranet application which i'm able to login using username/password.
Im trying to access the same application using python requests passing my username/password but that does not work. Its a difficult task to get a application support.
Meanwhile, I want to see if I can login using the session the web application created which is in my other browser.
How can I just pass the session using the requests module.
You may need to send data among username and password (usually this data is generated randomly by the server and are inside <input type="hidden"> form elements) which we prevent the CSRF (cross-site request forgery) attack. You may also need to send cookies the Web server send to you.
So, to solve your problem you need to:
Create a requests session to handle cookies;
Request the login page (where the form is) and extract CSRF data;
Post CSRF data among your credentials to the form action URL.
The code will be like this:
import requests
LOGIN_URL = '...' # put URL here
# replace 'user' and 'pass' with form field names for credentials
CREDENTIALS = {'user': '...', 'pass': '...'}
session = requests.session()
# get cookies and CSRF data
response = session.get(LOGIN_URL)
csrf_data = ... # extract data from response.text in a dict
# post data
csrf_data.update(CREDENTIALS)
# you may change LOGIN_URL below with form's 'action' URL if they differ
response = session.post(LOGIN_URL, data=csrf_data)
# now check response.text to see if you're logged in
There are many ways to extract CSRF data, such as: simple string manipulation, regular expressions or more specialized libraries such as lxml and BeautifulSoup (it depends on your input HTML and familiarity with the methods).
I have a PL/SQL application which has a log out button with following code being executed when log out button is clicked:
-- Open the HTTP header
owa_util.mime_header('text/html', FALSE, NULL);
-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
-- Close the HTTP header
owa_util.http_header_close;
-- Generate the page
htp.p('You have been logged off from the WEBSITE');
htp.p('click here to log in');
htp.p('<BR>bye');
It works perfect when using internet explorer, however when I use mozzila when I log back in I am still logged in as previous user. Has anyone else been in this situation? How can I make this work for mozilla as well?
I got this code from oracle documentation page:
https://docs.oracle.com/cd/B13789_01/server.101/b12303/secure.htm
Thanks in advance!
I've found it best to set and unset your own session cookie. Then use owa_custom to verify the cookie.
In the dad.config file add:
PlsqlAuthenticationMode CustomOwa
Then create a package in your schema: called owa_custom and add one function inside: owa_custom.authorize
owa_custom.authorize will be called before each web invocation. You can check your session cookie and if you want to allow the web call return true. To block, return false and the user will get a 403 forbidden.
Then if you like you can write a custom 403 forbidden page and redirect to your login page.
Just know that in 12C, mod_plsql is going away and you'll need to use the Oracle Rest Listener. The same functionality exists there. Things just have different names.
I got single sign in working but I don't know how to configure single sign out.
Here is what I've tried so far (without any success):
[My Service provider] -> Inbound Authentication Configuration -> [my issuer] -> Enable Single Logout is Checked (custom URL is not given)
What I try is to simply redirect the browser to the URL where login is configured with the following parameter:
https://localhost:9443/passivests?wa=wsignout1.0
So the login works perfectly with this URL: https://localhost:9443/passivests
As I understand there is nothing else I should do but WSO2IS does not remove the cookie and when I try with my other webapp it logs me in as if nothing happened.
I omitted wreply (as it is optional) so I expect that the browser is not redirected back to my application or login screen. This is the reason I try it with a different application. Also the other app is opened FIRST after logout and it still gets the claims. (I always test with a new incognito mode chrome window to avoid false negatives because of leftover cookies)
So is there anything else I should do or is it perhaps a known bug?
This is a known bug. I can't find the particular class right now but the logout function called when using WS-Fed is an auto-generated //TODO stub.
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.sts.passive/4.2.0/src/main/java/org/wso2/carbon/identity/sts/passive/processors/SignoutRequestProcessor.java
I'm creating a gateway app which will control access to various other apps (tools).
On visiting the site the user is identified and a list of tools they have access to is displayed. Clicking the link takes the user to the tool. The URL is affixed with a token as a querystring. The token is encrypted.
On arriving at the tool site the system checks to see if there is a querystring with a token. It checks to see if the token is valid (the date is part of the encryption). If OK then the token is also saved as cookie which is valid for 8h and access is granted.
If the user hits the Tool site directly from a bookmark the system once again checks to see if there is a token and that it is valid. If no token is passed as a querystring then the system will see if it still has a valid cookie. If there is no valid token or cookie the site invokes a response.redirect to the gateway together with two querystrings t and r. t is the tool's numeric ID and r is the Tools URL.
What should happen is that the user will be redirected to the Gateway which will check to see if the user has access to tool id t and if the have redirect back to r with a fresh token appended as a querystring.
My code has the following....
Private GatewayURL As String = "http://GatewayURL/default.aspx?t=2&r="
Private ToolURL As String = "http://ToolURL/default.aspx"
In my page load I have….
…
If AuthenticationPass = False Then
'We are not authenticated...
Response.Redirect(GatewayURL & ToolURL, True)
End If
…
Unfortunately when this is triggered I get the following error...
Invalid path for child request 'http://GatewayURL/default.aspx'. A virtual path is expected.
I've run out of ideas on resolving this.... any help appreciated.
You should URL encode your query string parameters:
Response.Redirect(GatewayURL & HttpUtility.UrlEncode(ToolURL), True)
so that you redirect to:
http://GatewayURL/default.aspx?t=2&r=http%3A%2F%2FToolURL%2Fdefault.aspx
instead of:
http://GatewayURL/default.aspx?t=2&r=http://ToolURL/default.aspx
The second is a pretty broken url.
I would like to get a list of meetings on the server however when i do a https://example.com/api/xml?action=report-bulk-objects&filter-type=meeting replacing the domain with my connect domain i get an access denied response. I am signed in to the connect work space and I am in the admin group. What could be the cause of this?
response:
<results>
<status code="no-access" subcode="denied"/>
</results>
This should work if you're in the admin group, logged in, and submitting the request from the same browser that's logged in. You might try adding the session parameter to your request ("&session=breez123abc456def")
The value of the parameter must be that of the BREEZESESSION cookie set by the Connect server on your authenticated session. One of several ways to discover that is with the common-info API method: https://connect.example.com/api/xml?action=common-info It'll be in the /results/common/cookie element.
If this still isn't working, check the debug.log on the server(s) for the failing request; there should be additional information there.