My objective is to set a cookie from within a servlet called from a java client, and get the cookie when a different servlet is called from the browser.
The java client has an authenticated session with the server.
The server runs locally.
I tried suggestions from a different question and put an alias domain name in my hosts file.
I manually set the domain of the cookie to the alias domain, but it still won't return to the server.
request.getRemoteHost() returns 127.0.0.1 in both servlets.
Any help would be appreciated.
A cookie is held in memory (or on disk, but at a specific place) by each client. A Java client and a browser don't share cookies. Two different browsers (IE and Firefox, for example) don't share cookies either. There is no way to do what you want.
I know how to get cookie values from an HTTP request this way:
> httpReq.getHeader("Cookie")
but now I want to access the cookie values that are set in the browser and use them in Java classes without sending an HTTP request.
Is it possible?
It is not possible ... unless your Java code is actually running in the web browser. The Java Tutorials include a page on Accessing Cookies in an Applet or JNLP application.
However, if your Java code is running in the web browser, then you have a problem because:
most browsers have already dropped support for Java plugins,
Oracle has deprecated browser-side Java as of Java 9.
If your Java code is server-side, then the HTTP request is the only way that information (such as cookies) is passed from the client (browser) to server. The server cannot send requests to the browser. The best it can do is send an HTTP reply that causes the browser to send another request. (Or open a WebSocket ...)
I'm endeavouring to locate and inspect a cookie created by a server process and returned to a client. The client is accessing the server via a specialized interface (i.e. not a web browser). I am able to inspect the server code but at present I cannot make changes to it. I do know the value of the [name] parameter being passed to the Cookie constructor. I tried searching the client file system for anything containing the [name] value with no luck. My guess is that the [name] parameter is not included in the file name. I've also checked the Java hidden directories for them to no avail. Finally, I attempted to find the file via a local temporal search thusly:
sudo find / -mtime -.1 ! -path "*/sys/*" ! -path "*/proc/*"
Any thoughts on how I can find this little guy?
Without REST client specifics, I can only tell you that a Cookie is nothing else than plain text. A Cookie is usually stored (in memory, files, cache, hash map, etc.) by a client (web browser, etc.) at the server's request. A simple non-technical explanation here. Cookies are meant to be a shared state (stateful) between a client and a server.
Technically speaking, cookies are shared between a client and a server by means of the HTTP protocol. This protocol is nothing more than standardized messages (with a URL, operation code, encoding, headers and a body) that are sent over a TCP connection. Cookies are usually shared in the headers area of an HTTP message.
Here is a general explanation of how a server sends a cookie to a client, and vice versa. Scroll down to "Implementation".
It would really help if you can tell us how you're requesting web pages, content, etc. from a web server.
It seems that you're using a Java server implementation, most likely Apache Tomcat, and you're using Servlets. The Servlet implementation for cookie management does not differ from what I've already told you before.
Hope this helps and feel free to ask.
I've got two servers, let's call them server 1 and server 2. There is a web application on server 2 that, let's say, shows posts. This application is available on http://www.2.com/showPosts and everybody can access this page. This application also makes it possible to remotely add posts. To do that you have to go to the page http://www.2.com/addPost and fill in a form.
What I'd like to do is to restrict access to this second page (/addPost) to only one single machine, that is server 1, so that only I can enter this page and fill in this form, and everyone else gets a 404. How to accomplish that?
edit:
Thank you for your answers. I've done some more reading based on them and now can make my question a little more precise. What I exactly need to do is to authenticate a client by the server, which is the opposite of one-way SSL authentication, where you authenticate a server by a client. I think that any kind of IP-based authentication is way too weak and I need some kind of a certificate.
You could use a .htaccess file in the root directory:
<Directory AddPost>
    Order deny,allow
    Deny from all
    Allow from www.1.com
</Directory>
This only lets www.1.com access the page. If AddPost is a file, use <Files AddPost></Files>.
Hope this helps!
Protect your http://www.2.com/addPost with a certificate only present in the browser on the one single machine.
ServletRequest#getRemoteAddr() returns you the IP of the client that sent the request. You could filter such requests by matching the client's IP. For the other clients you can, for example, redirect to a predefined 404 error page.
You can also restrict the addPost address to localhost-only, and establish an ssh tunnel for update purposes.
I suppose you are using Apache Web Server; then you can configure a virtual host and set an access rule to deny from all, allow from server1. Here is the documentation.
If it is a Tomcat server you can define a filter in web.xml that will filter request only from allowed source.
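One way to write the Tomcat-side filter the two answers above describe, as an added example that is not any answerer's code: it assumes the javax.servlet API (Tomcat 7 or later), a hypothetical filter name, and constructed placeholder addresses standing in for "server 1".

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Allowlist filter for /addPost: only requests whose remote address is in
// ALLOWED reach the servlet; everyone else receives a plain 404 so the page
// does not even reveal that it exists. The addresses are constructed
// placeholders for "server 1" (and local testing), not real values.
@WebFilter(urlPatterns = "/addPost")
public class AddPostAllowlistFilter implements Filter {

    private static final Set<String> ALLOWED = Set.of("203.0.113.10", "127.0.0.1");

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy or load
        // balancer it is the proxy's address, so this check only means
        // something on the host that sees the real client connection.
        String peer = req.getRemoteAddr();
        if (ALLOWED.contains(peer)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    @Override
    public void destroy() { }
}
```

The same filter can be declared with `<filter>` and `<filter-mapping>` elements in web.xml instead of the annotation. As the asker's edit notes, an address check is a coarse gate, not authentication; client certificates are the stronger option.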
I have a web application which is accessible to users through a proxy servlet, part of a bigger web application. Communication between the browser and the bigger application is encrypted by SSL. From my embedded application I would like to set a secure cookie which indicates the user's session. Communication between the proxy servlet and my web application is not encrypted, so when I set the session id cookie it doesn't have the secure flag. My application is running on Tomcat and the response from this Tomcat is proxied to the client's browser by the proxy servlet.
Will this cookie be secure and unable to be hijacked by others, despite the fact that it is not marked as secure? Can the browser send the cookie back over an unsecured connection in that situation?
edit:
I will specify the architecture of that solution a little bit more to make it clear:
There are 2 web applications, each one has its own session:
1) one is accessible directly to users and communication between it and the browser is encrypted by SSL (application X).
2) the second is not accessible to users, but is proxied by a servlet from application X (application Y). The servlet is also proxying HTTP headers.
Architecture looks like on this diagram:
client browser| <-SSL-> |Application X (proxy servlet) | <-internal network, no SSL -> |application Y
I would like to set a cookie in the client browser from application Y that indicates the session. The Cookie header is taken from application Y to X and set in the client's browser, but unfortunately this header doesn't have the secure flag. I'm not sure whether it will be sent back by the browser only over a secure connection or not.
This really isn't a good way to secure your web app because the most important area of communication (between the browser and however they get to your app) is not encrypted. That is the area most likely to be snooped on by others. Cookies are inherently insecure without SSL because without SSL there is no way to encrypt them. They're just part of the HTTP transaction (and thus are only as secure as the rest of it).
Sessions are pretty much inherently safe from tampering if the HTTP transactions happen over SSL because the cookie only contains a fairly unique ID code pointing to a storage compartment on the server for the user's information in the servlet container. The only way someone can hijack that is if they can intercept the cookie and make their browser use that cookie. Again, SSL is your best bet there.
Now, you could use something like a nonce to add additional security on top of SSL. There are plenty of apps out there that use them if you want to look at live examples.
It seems like the user's web browser connects to your web proxy server remotely via HTTPS, and your web proxy server connects to your application locally via HTTP.
You may still be able to set the cookie as secure by manually setting the secure option for the cookie, or manually creating the cookie header. Generally, a web/application server ignores settings on outgoing cookies. Instead, it's generally up to the browser to enforce the rules.
It's important to send the cookie with the secure option to the browser, so the browser knows not to send the cookie back unless it's over HTTPS, thus preventing eavesdropping. You should also include the httponly option for the cookie.
Adding a nonce would not provide any additional protection here because if the victim can be convinced to send the request out unencrypted, the attacker will be able to capture both the cookie and the nonce.
This is not to say that nonces aren't good on their own to prevent replay attacks, even over HTTPS, but it won't prevent session hijacking.
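The "manually creating the cookie header" option from the second answer, as an added example that is not the answerer's code: a helper application X's proxy servlet can run over every Set-Cookie header copied from application Y's plain-HTTP response, so the browser (which only sees the HTTPS side) gets the Secure and HttpOnly attributes. The class name, the servlet-side usage sketched in the comment and the sample header value are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Rewrites Set-Cookie header values from the internal, unencrypted hop so
// that what reaches the browser carries Secure and HttpOnly. Applied only in
// the proxy servlet, so application Y needs no change (the asker cannot
// change it anyway).
public final class SecureSetCookieRewriter {

    private SecureSetCookieRewriter() { }

    /** Returns the Set-Cookie value with "; Secure" and "; HttpOnly" appended when absent. */
    public static String harden(String setCookieValue) {
        StringBuilder sb = new StringBuilder(setCookieValue.trim());
        if (!hasAttribute(setCookieValue, "Secure")) {
            sb.append("; Secure");
        }
        if (!hasAttribute(setCookieValue, "HttpOnly")) {
            sb.append("; HttpOnly");
        }
        return sb.toString();
    }

    // Attribute names are case-insensitive (RFC 6265). Only the segments
    // after the first ';' are attributes, so a cookie *named* "secure"
    // (parts[0]) is not mistaken for the attribute.
    private static boolean hasAttribute(String setCookieValue, String attr) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase(attr)) {
                return true;
            }
        }
        return false;
    }

    // Typical use inside the proxy servlet's response-copying loop
    // (hypothetical 'upstream' and 'resp' objects):
    //   for (String v : upstream.getHeaders("Set-Cookie")) {
    //       resp.addHeader("Set-Cookie", SecureSetCookieRewriter.harden(v));
    //   }
    public static List<String> hardenAll(List<String> setCookieValues) {
        List<String> out = new ArrayList<>();
        for (String v : setCookieValues) {
            out.add(harden(v));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of what application Y emits over the internal link.
        System.out.println(harden("JSESSIONID=ABC123; Path=/app; HttpOnly"));
    }
}
```

If application Y can be changed after all, Servlet 3.0's `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in its web.xml marks the container's session cookie Secure regardless of whether Y's own connection was HTTPS, which removes the need for rewriting.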
I need to send a request to a website when a user submits their URL. I tried using curl but it uses the server IP, which I don't want. I have seen a website that is doing a similar job by using an applet: users need to open a popup which contains the applet, and after they leave it open and allow it to run, it uses a port and then uses the localhost IP, like so 127.0.0.1:64653, to send the request and basically curl with the user's IP. I decompiled the applet the website was using and they were using java.net.ServerSocket and some other Java code, but I do not know anything about Java. I would like to know how this can be done.
I think you are really confused.
a user does not have a URL. There is an IP address that represents the browser end of the connection to the web server he/she is connected to (actually, there could be more than one) but this does not allow something else to establish a connection to the browser. So it is not a URL.
the IP address + port number that the browser has are transient. In 2 minutes time, the very same IP/port could denote a different user, possibly even on a different machine.
127.0.0.1 is a "special" IP address that says "this machine". It cannot be used for communication with another machine.
notwithstanding all of the above, web browsers do not accept incoming HTTP connections from web servers or anything else. The HTTP protocol (which is what the web works on) distinguishes between the roles of "client" and "server", and specifies that a client connects to a server and not the other way round. A web browser is always an HTTP client, by convention and also for security reasons.
So when you say ...
i need to send a request to a website when a user submits their url
... it simply does not make any sense. Please explain what you are trying to achieve ... not how you are trying to achieve it ... and we might be able to help.