Setting cookie for the server's own domain - java

I work both on client and server. When developing, my client runs on http://localhost:3000/ while my server runs on https://local.somedomain.com. The server sends a cookie like
set-cookie: a=aB5Th....;Path=/;Expires=Sun, 02-Aug-2020 11:26:36 GMT;Max-Age=5184000
This cookie is needed for a download link looking like
https://local.somedomain.com/api/v2/ExportSomething.xlsx
however, it isn't there. As the server didn't specify a domain, it might make sense. OTOH, according to this answer, "You can't modify the cookies of one domain using a servlet or JavaScript hosted on another domain, for security reasons", and I don't want to set any cookie for any domain except the one the server runs on, so I'm asking why to specify anything when there's no choice?
Filtering "Has blocked cookies" in Chromium devtools shows nothing, which I'd interpret as "everything is fine, cookies came through". Am I wrong?
The strange thing is that it used to work one or two weeks ago, at least in Chromium (and I'm very sure about that as I worked a few hours on the export). Now it works in none of the four browsers I have tried. Any explanation?
Assuming it's necessary to specify the domain when setting the cookie, is this comment correct?
Boring details
every request sets the cookies in the same way
no requests beside the above download link use cookies
CORS is obviously needed and works and every request gets handled the same way
there are no other servers involved
Update
I've just tried cookie.setDomain("local.somedomain.com") and also this with a leading dot and it didn't help.
I also tried leaving out the Max-Age (which also removes Expires which was otherwise added automatically) and it didn't help either (someone claimed that only session cookies work on localhost).

Possible reasons for such behavior (that I can think of):
The browser settings reject all third-party cookies (if localhost receives a cookie from local.somedomain.com, that would be considered third-party)
A browser extension is blocking the cookie
The local.somedomain.com server response does not include the necessary CORS headers to allow localhost to receive the cookie. (Access-Control-Allow-Origin must be present and not set to '*', Access-Control-Allow-Credentials must be present and 'true')
Google is messing with you
That last point is actually not a joke, and most likely the cause here. Google has been tweaking the "SameSite" rules for cookies in Chromium, documented here: https://www.chromium.org/updates/same-site
And a related case on SO: Confusion regarding SameSite changes with Chrome
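As an added example (not code from the original post), the checks the answer lists can be run mechanically against the headers from the question. The snippet below models Chromium's SameSite defaults described at the link above: a cookie with no SameSite attribute is treated as Lax, a Lax or Strict cookie is not stored from a cross-site subresource response, and SameSite=None is only accepted together with Secure. Since localhost and somedomain.com are different sites, a fetch from http://localhost:3000 to https://local.somedomain.com is cross-site. The CORS headers in the sample are assumed to be the correct ones; the cookie value is shortened.

```javascript
// Added example, not from the original post. Header values below are
// constructed from the question; CORS headers are assumed correct.

// Parse one Set-Cookie header value into {name, value, attrs}; attribute
// names are lower-cased, flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Problems that stop this cookie from being stored when it arrives in a
// cross-site (fetch/XHR) response under Chromium's default SameSite rules.
function crossSiteSetCookieProblems(cookie) {
  const problems = [];
  const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'none') {
    problems.push(`${cookie.name}: SameSite=${sameSite || 'missing, treated as Lax'}; ` +
      'not stored from a cross-site subresource response');
  } else if (!cookie.attrs.secure) {
    problems.push(`${cookie.name}: SameSite=None without Secure is rejected`);
  }
  return problems;
}

// CORS requirements for a credentialed request from requestOrigin
// (fetch(url, { credentials: 'include' })): the exact origin, never '*',
// plus Access-Control-Allow-Credentials: true.
function corsCredentialProblems(headers, requestOrigin) {
  const problems = [];
  const allowOrigin = headers['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    problems.push("Access-Control-Allow-Origin is '*', which is not allowed with credentials");
  } else if (allowOrigin !== requestOrigin) {
    problems.push(`Access-Control-Allow-Origin is ${allowOrigin}, expected ${requestOrigin}`);
  }
  if (headers['access-control-allow-credentials'] !== 'true') {
    problems.push("Access-Control-Allow-Credentials must be 'true'");
  }
  return problems;
}

// Run both checks over a response; returns [] when the cookie should be stored.
function diagnose(requestOrigin, responseHeaders) {
  const problems = corsCredentialProblems(responseHeaders, requestOrigin);
  for (const line of responseHeaders['set-cookie'] || []) {
    problems.push(...crossSiteSetCookieProblems(parseSetCookie(line)));
  }
  return problems;
}

const REQUEST_ORIGIN = 'http://localhost:3000';

// Constructed from the question: the Set-Cookie line as posted (value
// shortened), with CORS headers assumed to be the correct ones.
const ORIGINAL_RESPONSE = {
  'access-control-allow-origin': REQUEST_ORIGIN,
  'access-control-allow-credentials': 'true',
  'set-cookie': ['a=aB5Th;Path=/;Expires=Sun, 02-Aug-2020 11:26:36 GMT;Max-Age=5184000'],
};

// Constructed: the same cookie marked for cross-site use. javax.servlet.http.Cookie
// has no SameSite setter, so server-side this means writing the Set-Cookie header
// yourself (response.addHeader) or configuring the container's cookie processor.
const FIXED_RESPONSE = {
  ...ORIGINAL_RESPONSE,
  'set-cookie': ['a=aB5Th;Path=/;Max-Age=5184000;SameSite=None;Secure'],
};

console.log(diagnose(REQUEST_ORIGIN, ORIGINAL_RESPONSE));
console.log(diagnose(REQUEST_ORIGIN, FIXED_RESPONSE)); // []
```

Note that the download link itself is a top-level GET navigation, on which even a Lax cookie would be sent; the checker targets the earlier step, the cookie never being stored from the cross-site API response, which is why the later navigation has nothing to send.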

Related

SSL/TLS Protocol version in Javaee

Is there any way in Java EE to know what SSL/TLS protocol is being used for a secure connection?
Ideally I want the application to use TLS/1.2 for everything, but I know some browsers (IE 9, say) by default won't support that. If I configure my environment to only allow TLS/1.2 then IE 9 will go "ohh this website is down"; if you then click help, advanced, it actually tells you "oh this might be that the settings in IE disable sensible encryption, you can do this to enable sensible encryption". (I am paraphrasing slightly.)
Anyway the response is a cold "website down", which is not true; it's just that IE does not wish to support sensible protocols. My preference would be to change the configuration to allow weaker protocols like TLS/1.0; my application can then detect that a weak protocol is being used, and on every page there can be some sort of warning "you know this is not secure, click here for more information", i.e. a helpful message that confirms that the website is working, just their browser is insecure. I can't see any attributes that form part of HttpServletRequest that might give me this information, or any other method that answers the question.
Any thoughts?
I'm not sure if you can get the TLS protocol compatibility upfront.
How about checking for browser and its version in the request.
If any of the browsers (like you had mentioned ie) are having issues with it, then send that Warning message of yours in the response along with the actual content.
You can get the browser info using:
String userAgent = request.getHeader("User-Agent");
Also, you could probably look up some answers for achieving this using JavaScript. As it resides at the client end, it could be used to handle such scenarios.

Java + Cloudflare - Prevent download requests for a certain url being 'blocked'?

I'm wondering how I'd go about allowing a connection from a Java application to totally bypass Cloudflare for my site. I've disabled browser integrity checks for my RSS feed connections, which has allowed those through, but whenever Cloudflare is active, when clicking the 'Play Now' button to update the client, it'll go grey, as it should, then remain like that. No errors or 404/403 errors are printed upon it doing this, and the client will not download.
The only thing that totally resolves this is pausing Cloudflare and fully disabling it for my site. I've tried adding these rules for the download URL, none of which have solved it:
I think it's not possible to do it with the free plan with page rules.
Maybe you can do it by using a subdomain and disabling the "Orange Cloud", so traffic will bypass any Cloudflare setting (Cloudflare will just give the IP of the server).
Or instead you can set "Security level: Off", but it's only for the Enterprise Plan, and I'm not sure if you can make a Page Rule with it, because at least for the Free Plan (what I'm using) the "Off" value doesn't appear in the Page Rule config.

how to find a cookie, client-side, created by javax.servlet.http.Cookie

I'm endeavouring to locate and inspect a cookie created by a server process and returned to a client. The client is accessing the server via a specialized interface (i.e. not a web browser). I am able to inspect the server code but at present I cannot make changes to it. I do know the value of the [name] parameter being passed to the Cookie constructor. I tried searching the client file system for anything containing the [name] value with no luck. My guess is that the [name] parameter is not included in the file name. I've also checked the Java hidden directories for them to no avail. Finally, I attempted to find the file via local temporal search thusly:
sudo find / -mtime -.1 ! -path "*/sys/*" ! -path "*/proc/*"
Any thoughts on how I can find this little guy?
Without REST client specifics, I can only tell you that a cookie is nothing else than plain text. A cookie is usually stored (in memory, files, cache, hash map, etc.) by a client (web browser, etc.) at the server's request. A simple non-technical explanation here. Cookies are meant to be a shared state (stateful) between a client and a server.
Technically speaking, cookies are shared between a client and a server by means of the HTTP protocol. This protocol is nothing more than standardized messages (with a URL, operation code, encoding, headers and a body) that are sent over a TCP connection. Cookies are usually shared in the headers area of an HTTP message.
Here is a general explanation of how a server sends a cookie to a client, and vice versa. Scroll down to "Implementation".
It would really help if you can tell us how you're requesting web pages, content, etc. from a web server.
It seems that you're using a Java server implementation, most likely Apache Tomcat, and you're using Servlets. The Servlet implementation of cookie management does not differ from what I've already told you.
Hope this helps and feel free to ask.
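As an added example (not code from the original post or answer), here is where the cookie actually is: a header line in the HTTP response, not a file named after it. The snippet parses a raw HTTP/1.1 response, as captured by a proxy or packet capture between the client and the server, and pulls out the Set-Cookie lines. The captured response is constructed for illustration; JSESSIONID is the servlet container's default session cookie name, and the other cookie and header values are made up.

```javascript
// Added example, not from the original post. The response text is constructed.

// Split a raw HTTP/1.1 response into status line, headers and body.
// Header names are case-insensitive. Set-Cookie is the one header whose
// repeated values must not be joined with commas (the cookie date format
// itself contains commas), so it is kept as a separate list.
function parseHttpResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const statusLine = lines.shift();
  const headers = {};
  const setCookies = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (name === 'set-cookie') {
      setCookies.push(value);
    } else {
      headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
    }
  }
  return { statusLine, headers, setCookies, body };
}

// Names of the cookies a response sets: the [name] passed to new Cookie(name, value).
function cookieNames(raw) {
  return parseHttpResponse(raw).setCookies.map((c) => c.split('=')[0].trim());
}

// Constructed capture of a servlet container response (not the question's server).
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: Apache-Coyote/1.1',
  'Set-Cookie: JSESSIONID=9F3A1C; Path=/app; HttpOnly',
  'Set-Cookie: prefs=dark; Path=/; Max-Age=86400',
  'Content-Type: application/json',
  'Content-Length: 12',
  '',
  '{"ok": true}',
].join('\r\n');

console.log(cookieNames(SAMPLE_RESPONSE)); // [ 'JSESSIONID', 'prefs' ]
```

If the specialized client is Java code using java.net.CookieHandler/CookieManager, the default cookie store is in memory, so there is no file to find on disk at all; capturing the traffic is the reliable way to see the cookie.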

Java servlet - Windows Authentication Token / IIS Server

Currently I have got a specific problem finding a solution and I am hoping you are able to shed some light on the matter.
The Structure of the problem:
The task at hand is to gather a client's login credentials (token) and pass this to the servlet. However, I cannot seem to find a good resource on how to do this. I have researched a wide variety of ways, e.g. SPNEGO, WAFFLE, etc. However, these seem to require some sort of Active Directory, by my understanding; I am trying to gather the credentials from the user's local machine. A clear explanation or guidance on how I can gather the Windows credentials into the servlet for my specific request would be appreciated.
Diagrams are always a better way of explaining so I will provide one if you are still confused:
Windows PC (Client)       --(token)-->       Java Servlet        --(pass credentials)-->      IIS Server
(windows authentication)                     (Get Credentials)                                (Check Credentials & Authenticate)
Thank you in advance to anyone who replies, I really appreciate it!
You are wasting your time. If you only take the credentials from the user's local machine then you have no way of knowing if those credentials can be trusted. You might as well just give every user administrative access to your web application.
The reason Active Directory (or something like it) is required is that it is not under the control of the client and is trusted by the server. For example, when using SPNEGO, the client authenticates itself to the Windows domain, the client gets a token from the Windows domain that it can only get if it is authenticated, the client passes the token to the server, and the server can then validate that token with the Windows domain to confirm that the client is indeed who they claim to be. (Not quite that simple, but you get the idea.)
There are other ways to do this - e.g. with PKI - but they all have in common a central, trusted authentication system that the server can use to validate credentials provided by the client.

Setting cookies using a servlet called from a java client

My objective is to set a cookie from within a servlet called from a java client, and get the cookie when a different servlet is called from the browser.
The java client has an authenticated session with the server.
The server runs locally.
I tried suggestions from a different question and put an alias domain name in my hosts file.
I manually set the domain of the cookie to the alias domain, but it still won't return on the server.
request.getRemoteHost() returns 127.0.0.1 in both servlets.
Any help would be appreciated.
A cookie is held in memory (or on disk, but at a specific place) by each client. A Java client and a browser don't share cookies. Two different browsers (IE and Firefox, for example) don't share cookies either. There is no way to do what you want.
