How to mark _csrf cookie as secured for gitea? - csrf

How to mark _csrf cookie as secured for gitea?
I was able to mark the ‘i_like_gitea’ cookie as secured by using the COOKIE_SECURE option,
but I am not able to mark the ‘_csrf’ cookie as secured

I've not checked it yet
but it should be fixed by PR https://github.com/go-gitea/gitea/pull/3833

Related

storing and sending jwt httponly cookie, and csrf token with postman

I have a Flask API with JWT authentication on an HttpOnly cookie. I installed Interceptor, added the domain (with HTTPS) to the list, and enabled request and cookie interception.
But still, how do I make Postman send the cookie I got from logging in to the server? Usually, with a simple front-end, it just happens, so I didn't think about it.
All the methods I found in the Postman documentation include specifying the value of the token, but I don't have it, since I can't access the HttpOnly cookie (or can I?).
Must I access the cookies? Can it be done automatically, like simply sending requests from the front-end?
Any guidance will be appreciated.
After a full evening of research, I did two things to make it work.
In the login request, I added a "test" script (a post-request script in Postman) with the following code:
// Read the raw Set-Cookie header from the login response
const csrf_token = pm.response.headers.get("set-cookie");
// Split on ';' and '=' so that index 1 holds the value of the first cookie
const edited_token = csrf_token.split(/[;=]/)[1];
// Store it so later requests can send it back as a header
pm.environment.set("X-CSRF-TOKEN", edited_token);
console.log(edited_token);
First, I got the cookie from the response, then used a regex to separate out only the token value and set it as an environment variable. This way, I could add it as a header later for accessing protected URLs.
The second step was to add a pre-request script to any request with a protected URL. In the pre-request tab, I added the following:
// Attach the stored token as a request header before the request is sent
pm.request.headers.add({
  key: 'X-CSRF-TOKEN',
  value: pm.environment.get("X-CSRF-TOKEN")
});
This only takes the same token I stored earlier in the "X-CSRF-TOKEN" environment variable and sets it as a header.
Mission accomplished :)
I hope it will help others who bumped into this.
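The script above takes whatever cookie comes first in the Set-Cookie header. As an added example (not code from the original answer), the following Node.js script parses each Set-Cookie value properly, picks the cookie by name, and builds the Cookie plus X-CSRF-TOKEN header pair that a double-submit CSRF check expects. The cookie names access_token_cookie and csrf_access_token and the token values are constructed sample data, not values from the question.

```javascript
// Added example, not code from the original answer: pick a named cookie out
// of the Set-Cookie header(s) of a login response instead of assuming the
// first cookie is the CSRF one, then build the Cookie + X-CSRF-TOKEN pair.

// Parse one Set-Cookie value ("name=value; Path=/; HttpOnly; Secure").
// Returns { name, value, attrs } with attribute names lower-cased, or null.
function parseSetCookie(headerValue) {
  const [pair, ...attrParts] = headerValue.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split("=");
    if (k) attrs[k.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  return { name, value, attrs };
}

// Find the value of the cookie called `wanted` across several Set-Cookie
// values (a server may send more than one, e.g. a session and a CSRF cookie).
function extractCookieValue(setCookieHeaders, wanted) {
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (c && c.name === wanted) return c.value;
  }
  return null;
}

// Headers for a follow-up request under the double-submit pattern: the
// cookie goes back in Cookie and its value is echoed in X-CSRF-TOKEN, which
// is the pair the server compares.
function buildCsrfHeaders(setCookieHeaders, cookieName) {
  const token = extractCookieValue(setCookieHeaders, cookieName);
  if (token === null) throw new Error(`cookie ${cookieName} not found in response`);
  return { Cookie: `${cookieName}=${token}`, "X-CSRF-TOKEN": token };
}

// Constructed sample login response (names and values are made up). The CSRF
// cookie is the second one, so taking the first cookie's value, as the
// split(/[;=]/)[1] approach does, would return the session token instead.
const SAMPLE_SET_COOKIE = [
  "access_token_cookie=eyJhbGciOi.fake.sig; HttpOnly; Path=/; Secure",
  "csrf_access_token=abc123; Path=/; Secure; SameSite=Lax",
];

console.log(buildCsrfHeaders(SAMPLE_SET_COOKIE, "csrf_access_token"));
```

Inside a Postman test script the list of Set-Cookie values can be collected with pm.response.headers.all().filter(h => h.key.toLowerCase() === "set-cookie").map(h => h.value) and passed to extractCookieValue before calling pm.environment.set. The cookie name depends on the server library; csrf_access_token is the default used by flask-jwt-extended, which the question does not name, so treat it as an assumption.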

Cookie based Authentication in FastAPI

I am looking to integrate cookie-based authentication in my FastAPI app. I want the same to work seamlessly with Swagger as well.
I want to have a route (e.g. /login) which sets my browser cookies. All other protected routes use Depends in the decorator to verify the key present in the cookie. How do I get this to work with the OpenAPI Authorize button?
The important factor here is integration with the Swagger/OpenAPI docs auto-generated by FastAPI.
You can have a look at the fastapi-users module that implements a cookie-based authentication (it implements other user-management-related stuff as well, so it is worth a look anyway!).
According to the cookie docs:
Configuration
from fastapi_users.authentication import CookieAuthentication
SECRET = "SECRET"
auth_backends = []
cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=3600)
auth_backends.append(cookie_authentication)
As you can see, instantiation is quite simple. You just have to define a constant SECRET which is used to encode the token and the lifetime of the cookie (in seconds).
You can also define the parameters for the generated cookie:
cookie_name (fastapiusersauth): Name of the cookie.
cookie_path (/): Cookie path.
cookie_domain (None): Cookie domain.
cookie_secure (True): Whether to only send the cookie to the server via SSL request.
cookie_httponly (True): Whether to prevent access to the cookie via JavaScript.
cookie_samesite (lax): A string that specifies the same site strategy for the cookie. Valid values are 'lax', 'strict' and 'none'. Defaults to 'lax'.
Then you can login with a POST request on the /login endpoint and set the cookie on the browser.
I found no info on the auto-OpenAPI integration, but since login is setting the cookie on the browser, you can log in once and then use the API.

Rest API/ Soap UI Tool - How to Pass Cookie manually while hitting the end point

I am new to RESTful services testing and got stuck: to establish a connection to the endpoint I need to pass a cookie. I have the parameter and value, but I am not sure how to pass the cookie manually (not through a header or Groovy script) while hitting the request.
TL;DR
Cookies are nothing but a header with the name Cookie and a header value in the format name=value; anothername=anothervalue; yetanotherone=yetanothervalue;, as far as an HTTP request is concerned.
Read On
From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cookie
The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header.
The Cookie header is optional and may be omitted if, for example, the browser's privacy settings block cookies.
How to send Cookie
Just like any other header. The only condition is that the header name should be Cookie and the header value should be in the format name=value; anothername=anothervalue; yetanotherone=yetanothervalue;.
Curl
curl -v --cookie "USER_TOKEN=my-most-secure-session-id" http://localhost:8080/
If you want curl to read the cookie file and send it, use
curl -b /path/to/cookiefile http://yourhost/
(-b reads cookies from a file; -c only writes the cookies received into a file.)
More here: https://curl.haxx.se/docs/http-cookies.html
How to send it using SoapUI
Sending cookie as request header in SOAP UI request for rest web service
Establish a user session (login) using Chrome or Firefox, go to the developer tab, copy the cookie value and send that along with your SoapUI request as a header. (Congrats, you are hijacking your own session.)
For any test that you need to pass the cookie around, in soapUI, go to the testcase options and turn on "maintain HTTP session".
http://www.soapui.org/soapui-projects/form-based-authentication.html
This is my Google Chrome developer tab, which shows the request headers of a Stack Overflow page.
Just send the HTTP header
Cookie: name=value
to the server.

Is Play2.5 session cookie encrypted?

I'm starting to learn the Play framework with Scala and I'm trying to set the session cookie.
I have the play.crypto.secret config set, and also the settings for the cookie, like this:
play.http {
  session {
    httpOnly = true
    domain = "localhost"
  }
}
Is it normal that I see the content of the cookie in the console without problems? For example:
As mentioned in the official Play documentation, play.crypto.secret is used for signing session cookies and CSRF tokens. That means that you will see cookie values on the client side, but they will be encrypted with the secret key.
No, the cookie is not encrypted. It is signed, meaning that part of the cookie (or a separate cookie) contains a signature value calculated using the cookie value itself and the secret key.

Is "Cookie" field any different than a http header

I am a little surprised that this has not been asked before, but on a project where we are using server-side rendering we currently need to call our authenticated API on initial load.
In order to fetch data in an authenticated way we need to send cookies from the server side, and to do that I simply set a Cookie header:
// Server-side request to the API, forwarding the session cookie by hand
fetch(`${ API_SERVER }`, {
  headers: {
    Accept: 'application/json',
    Cookie: 'User-Session-Token=' + cookie,
  },
  credentials: 'include',
});
and everything works fine. I just wanted to check whether there are any security-related issues this might cause, because it is not the browser that sends it; we do it manually.
Cookies are first set by the server, and then the browser sends them back in each request to that domain.
If the cookie is not intended to be used by any script, you could set it to be an "HttpOnly" cookie, which will protect you from cross-site scripting (XSS).
Set-Cookie: <name>=<value>[; <Max-Age>=<age>]
  [; expires=<date>][; domain=<domain_name>]
  [; path=<some_path>][; secure][; HttpOnly]
However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks.
Cookies are being replaced by JSON Web Tokens when used for security claims.
"JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties."
See: https://jwt.io/
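Since a Cookie header written by the server is just a header, the server-side renderer in the question decides exactly what reaches the API. As an added example (not code from the question or the answer), the following Node.js script takes the Cookie header the browser sent to the SSR server, forwards only the User-Session-Token cookie named in the question, and refuses to build the request unless the API URL uses TLS, mirroring the cookie's secure attribute that a browser would otherwise enforce. The API_SERVER value and the sample browser cookies are constructed placeholders.

```javascript
// Added example, not from the original question: forward only the cookie the
// API needs from the browser's Cookie header, and only over TLS.
const API_SERVER = "https://api.example.invalid/me"; // constructed placeholder

// Parse a request "Cookie" header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}

// Build the upstream Cookie header from an allow-list of cookie names, so
// analytics or unrelated cookies never leave the SSR server. Returns null
// when none of the allowed cookies are present.
function upstreamCookieHeader(incomingCookieHeader, allowedNames) {
  const jar = parseCookieHeader(incomingCookieHeader);
  const kept = allowedNames
    .filter((n) => jar.has(n))
    .map((n) => `${n}=${jar.get(n)}`);
  return kept.length ? kept.join("; ") : null;
}

// Produce the fetch() options the question's snippet builds by hand.
// A session cookie marked secure would never be sent by a browser over plain
// http, so the server-side caller enforces the same rule itself.
function apiRequestOptions(apiUrl, incomingCookieHeader) {
  if (!apiUrl.startsWith("https://")) {
    throw new Error("refusing to forward a session cookie over a non-TLS URL");
  }
  const cookie = upstreamCookieHeader(incomingCookieHeader, ["User-Session-Token"]);
  const headers = { Accept: "application/json" };
  if (cookie) headers.Cookie = cookie;
  return { headers };
}

// Constructed sample of the Cookie header the browser sent to the SSR server.
const BROWSER_COOKIES = "theme=dark; User-Session-Token=s3ss10n; _ga=GA1.2.1; tracker=x";

const opts = apiRequestOptions(API_SERVER, BROWSER_COOKIES);
console.log(opts.headers.Cookie); // only User-Session-Token=s3ss10n is forwarded
// The server-side call would then be: fetch(API_SERVER, opts)
```

The credentials: 'include' option in the question only affects a browser's own cookie jar; on the server the Cookie header is whatever the code puts there, which is exactly why an allow-list is worth having.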