I'm testing my Asp.Net application from localhost to check how it behaves when cookies are disabled. I tried blocking the cookies in IE8, by setting it at
Tools -> Internet Options -> Privacy -> Advanced
and selecting "Block" for both "First-party Cookies" and "Third-party Cookies". However, when I run my application, the cookies still get created.
Can you let me know how I can disable cookies in IE8.
Thanks in advance.
Just use the Dev Tools. Hit F12, go to Cache > Disable Cookies.
I believe that these setting are meant for Internet Zone. For your localhost site, I suggest that you use hosts entry to map some arbitrary domain name (say www.xyz.com) to localhost, add this site as blocked site (use sites button on privacy tab) and access your app using this address.
Related
I have a jasper server (versions 7.2) webapp running on Host-A.
Set the jasper server url source in Iframe of another app running on Host-B.
Access the Iframe app using Chrome/Edge - login page of jasper server loads.
After login credentials input, login is successful loads the Home page but logs out moment after the home page appears.
This does not happen with Firefox.
Tried disabling CSRF in Jasper server, setting samesite cookies enabling ssl, setting Referrer policy to no-referrer via Filters at both jasper server and Iframe app but no luck.
Chrome latest build 87.
Please guide under right direction to resolve the problem, Thank you.
I'm highly suspicious of same-site issues since the problem occurs in chrome & edge but not firefox. A patch or config change is needed for the newer version of chrome: https://community.jaspersoft.com/wiki/chromium-80-update-february-2020-cross-site-cookie-blocking-jaspersoft
Also, if the problem was CSRF, you'd see a CSRF related msg in the server-side logs.
Browser Developer Tools (f12 keyboard key in WIN) for chrome will list the http requests/responses in the network tab, and allow you to check the attributes for each cookie. Of course SSL is required for samesite attrs now in Chrome.
While confirming the appropriate cookie attributes are set (esp on the jsessionid cookie) you can also watch the console tab in chrome's Developer Tools to ensure there are no other client-side clues (like mixed http/https content, CORS blocks, etc)
I have some JS that is on some intranet application that's running on HTTP (this server/service is out of my control, run by the customer). I operate the internet application and it must run on HTTPS for security purposes.
I'm attempting to use XDomain but I'm finding that the cookies aren't being sent. Is the problem that I'm going intranet to internet or that I'm going HTTP to HTTPS or some configuration problem?
I keep getting 401 when checking authentication of the user even after they have logged in.
I've verified the backend/internet service works as expected via a jsfiddle (i.e. Access-Control-Allow-Origin, etc. are all correct).
Thanks!
There are some security related issues with XDomain that makes it strip any cookies according to no 5 in this msdn blog. However there also exist a workaround using proxy with example project on Github. I think everything you need to make it work are described in those two pages.
I have a client that has a domain registered through GoDaddy (e.g., http://www.godaddysite.com). He has the domain set to forward w/masking to a page on our servers (eg., https://www.someuniversity.edu/someproject/loginpage.aspx).
When on our network (a university network) I can navigate to his domain, the forwarding/masking works and I can log in without issue. However, anyone off the university network, when visiting the client's site, cannot log into the site. It forwards/masks as it should, accepts the user name and password but stays on the login page after the credentials are accepted. If they navigate directly to my site they have no issues.
I checked his GoDaddy settings and everything appears right. GoDaddy says it is our configuration that is causing the problem (not allowing a different domain mask the site). Is this true? Is there something I need to change in IIS to allow people to log in when they visit through the GoDaddy site?
Update:
Finally was able to test this offsite. This scenario ONLY happens in IE. So now it is a browser setting issue.
The most common cause of this sort of problem is described here: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx
If you change the IE Privacy Settings (Tools > Internet Options > Privacy) to Accept All Cookies does the problem go away? If so, then you need to set a P3P response header.
I'm trying to get a ASP.NET application to use windows authentication. I have disabled anonymous auth and enabled windows auth in IIS7. On my dev box (my workstation, localhost) I can use fiddler and see proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.
However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.
Does anything in IE need to be configured for this to happen for a remote machine on the same domain? Could someone explain why this may not be working and what needs to be checked? Thanks.
Check your IE zone settings, I don't think IE is set to automatically send DOMAIN\Username credentials in an non Intranet zone. You can set this with a group policy at some point but for now set it manually in your IE settings.
Hope this helps.
I would thinks so because the "dev" box probably, in most cases, would use RFC1918 address space. (10.0.0.x etc) which is not routeable on the Internet.
what is the name of the dev box?
Is it a RFC1918 IP?
If the Dev box is on the domain then AD DNS is most likely putting it in the Intranet zone.
In this case add it to the list of sites.
I have an ASP.Net application where I am using Windows authentication to deny access to some components via roles. When using IE, the site pops up the "Authentication Required" box once, allows the user to enter their username/password for Active Directory, and all is fine.
HOWEVER, when using Firefox, it's "Authentication Required" box pops up, but when you click 'ok', it comes up again! It stays up a few dozen times! If you click cancel to all of them, it fails properly, denying access to the site. If you click cancel to all but 1 (Which you authenticate properly), it acts like you were properly authenticated.
My goal here is to have Firefox act like IE, and only ask the user once.
This forum post recommends updating your web.config to allow anon on WebResource.axd: http://forums.asp.net/p/1295804/2515478.aspx#2515478
Not ideal - I don't really understand WHY axd requests are behaving like this.
NOTE: NTLM requires keep-alive, if you install fiddler or firebug you should be able to see the "Connection: keep-alive" messages in the request header: http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication
you could get Firefox to behave exacylt like IE by adding the site to
about:config >>
network.automatic-ntlm-auth.trusted-uris
then firefox will use Windows Auth for the site
Maybe it would be best to redesign your login/authentication system such that authentication is asked only when the user first views/logs-in to the website (i.e. a login.aspx page) so that after that the users's credentials are cached throughout your website.