Background:
AspNet web app / C# 3.5
IIS7
VS 2010
Windows 7
When user is authenticated, we create a cookie, this way:
var cookieASP = FormsAuthentication.GetAuthCookie(user.Id, true);
cookieASP.Domain = "x.y.local";
Yes, domain is hard coded for this example.
Using cookies viewer extensions in Firefox 11, I can see that domain of cookie is : .x.y.local, with a leading .. I know that it allows shared cookie between w.x.y.local and q.x.y.local. Ok.
But, when user clicks on disconnect, he is not kicked out...
var cookieAsp = System.Web.Security.FormsAuthentication.GetAuthCookie(u.Identifiant, true);
cookieAsp.Expires = DateTime.Now.AddDays(-10);
Response.Cookies.Set(cookieAsp);
FormsAuthentication.SignOut();
And with debugger we can see that cookieAsp.Domain is null. And cookie is not removed from browser's cookies.
If I edit cookie domain (directly from browser), and set its domain to x.y.local without the leading ., cookie is deleted and user disconnected.
I don't understand why this . is added, and why it is not well understand by the browser.
EDIT (major importance I guess): we are doing such way because if we don't set domain, then IE8 (only 8) can't understand our cookie...
When you want to remove a cookie, you have to specify the cookie with the exact domain of the cookie you want to remove. The cookies domain is not sent by the browser on a request, so you will always get a null value when you try to inspect it within a debugger session.
So before Response.Cookies.Set(cookieAsp); add cookieASP.Domain = "x.y.local";.
Related
I made (asp core) an e commerce website.I used cookies for shopping and compare list.Before adding cookies my website works well, but after I added cookies(add product to cart or compare list) when I want to open compare page or any page it shows this error:
403 - Forbidden: Access is denied.
Is there a problem with my code? or is it my host settings?
This is my code:
var cookie = compare+ "=" + JSON.stringify(items) + ";path=/";
document.cookie = cookie;
Probabily because you had other cookie for authentication.
With this code you probably overwrite the authentication cookie.
Try to set some breakpoints and check the code.
I need to share cookie between two web applications deployed on azure (eg. x1.azurewebsites.net, x2.azurewebsites.net)
I thought that all i need to do is to set a domain:
Response.Cookies.Add(new HttpCookie("TEST", "BLE")
{
Domain = "azurewebsites.net"
});
But its not working.
For test purposes I added:
Response.Cookies.Add(new HttpCookie("TEST2", "AQQ"));
And this one works ok - but its available only on x1.azurewebsites.net
So the question is whats wrong with the code above?
Is it possible to share cookie like this?
Maybe this is security issue? - i understand that every application hosted on azuerwebsites will have access to information stored in my cookie
I found my question similar to
Chrome34 ignores cookies with domain ".cloudapp.net"
So the cause of my issue is browser checks the publicsuffix.org list for domains and block cookies for security reasons.
For more info please see:
http://publicsuffix.org/
RFC2109 says, that explicit specified domains must start with a dot.
http://www.ietf.org/rfc/rfc2109.txt
I am trying to test a scenario where an http request is ran to login to a site using username and password and on success it redirects to google.com.It also creates session cookies of its own which I am able to view in the Firefox browser manually.
However when I am trying to retrieve all cookies using Selenium Webdriver, it is just returning the cookies that belong to the present domain.
I am using the following code:
Set <Cookie> allCookies=driver.manage().getCookies();
Iterator <Cookie> itr=allCookies.iterator();
APPLICATION_LOGS.info("Cookie Size--->"+driver.manage().getCookies().size());
while(itr.hasNext())
{
Cookie c=itr.next();
APPLICATION_LOGS.info("Cookie Domain--->"+c.getDomain()+"Cookie Name---"+c.getName()+"Cookie Value---"+c.getValue());
}
Please let me know if there is any other way to retrieve all the cookies.
I'm creating a gateway app which will control access to various other apps (tools).
On visiting the site the user is identified and a list of tools they have access to is displayed. Clicking the link takes the user to the tool. The URL is affixed with a token as a querystring. The token is encrypted.
On arriving at the tool site the system checks to see if there is a querystring with a token. It checks to see if the token is valid (the date is part of the encryption). If OK then the token is also saved as cookie which is valid for 8h and access is granted.
If the user hits the Tool site directly from a bookmark the system once again checks to see if there is a token and that it is valid. If no token is passed as a querystring then the system will see if it still has a valid cookie. If there is no valid token or cookie the site invokes a response.redirect to the gateway together with two querystrings t and r. t is the tool's numeric ID and r is the Tools URL.
What should happen is that the user will be redirected to the Gateway which will check to see if the user has access to tool id t and if the have redirect back to r with a fresh token appended as a querystring.
My code has the following....
Private GatewayURL As String = "http://GatewayURL/default.aspx?t=2&r="
Private ToolURL As String = "http://ToolURL/default.aspx"
In my page load I have….
…
If AuthenticationPass = False Then
'We are not authenticated...
Response.Redirect(GatewayURL & ToolURL, True)
End If
…
Unfortunately when this is triggered I get the following error...
Invalid path for child request 'http://GatewayURL/default.aspx'. A virtual path is expected.
I've run out of ideas on resolving this.... any help appreciated.
You should URL encode your query string parameters:
Response.Redirect(GatewayURL & HttpUtility.UrlEncode(ToolURL), True)
so that you redirect to:
http://GatewayURL/default.aspx?t=2&r=http%3A%2F%2FToolURL%2Fdefault.aspx
instead of:
http://GatewayURL/default.aspx?t=2&r=http://ToolURL/default.aspx
The second is a pretty broken url.
Although I've set isPersistent to false, the authorization cookie is persisted between sessions. This only happens with IE8. With other browsers it works as supposed.
Sys.Services.AuthenticationService.login(username, pw, false, null, null, null, null, "User Context")
This is because IE8 treats sessions differently.
For instance, if you open 2 IE8 windows at the same time and go to web site, login as user A, then visit the same site in the other window, it will have shared your session. Then if you logout and the login as user B in the other window, then go back to first window and refresh, you will be logged in as user B there too.
You can't force the browser (IE8) to behave differently by code, you can, however force IE8 to open up with a new session by opening up a new window then go to File - New Session. Alternatively, you could start IE8 from the command line using:
iexplore.exe -nomerge
for more information on the new Process model of IE8, see this article