I am trying to communicate to a RESTFul API using MATLAB. the API uses session cookie to remember the user. My MATALB is 2015b and as long as I know, it does not support the new HTTP Interface.
my problem is that using the webread and webwrite functions in MATLAB, the session cookie is not attached to the request and therefore each time server generates a new session.
I tried to use urlread2 to read the session cookie and generate a new one with the same content, for sending back to the server, but the session cookie is HTTPOnly and therefore my generated cookie is not valid for the server.
Can anyone help me with an idea or solution? does MATLAB 2016b forward the session cookie automatically (using HTTP interface)?
I was able to find a solution to this problem:
first problem is to get the cookie info in MATLAB. versions earlier than 2016b are probably not able to do it, so I had to use for it:
[output,extras] = urlread2('http://www.example.com/','GET');
cookie = extras.firstHeaders.Set_Cookie; % make sure to get the content of the right session cookie
now that we have the cookie, let's add it to the |weboptions| like this:
opts = weboptions('KeyName','Cookie','KeyValue',cookie);
and now simply every time that you use |webread| or |webwrite| , attach the |opts| to it:
response = webread('http://www.example.com/',opts);
But using this method, it is very easy to do XSS attacks on websites that use HTTPOnly cookies for session management! unlike all the web browsers, matlab allows you to edit or create HTTPOnly cookies! more info here
Related
I'm trying to hook up a Strapi backend to a SvelteKit frontend, and stuck on how to persist user login state so that everything doesn't just reset on refresh, or when navigating to a new page. I've tried:
Storing the jwt and user object issued by Strapi in localStorage and initializing the Svelte store with it. Seemed like I was getting close, but a) I couldn't do export const user = writable(localStorage.user) because that code was running in the browser, and I couldn't wrap it in an if (browser) {...} because import and export can only appear at the top level. Also tried a function in hooks.js to read the contents of localStorage and update the store, but it seems that functions getting called from there run on the server, even if it's the same function that works to access localStorage on login... and plus b) from what I gather, storing jwt's in localStorage is insecure.
Storing the jwt and user object in an http only cookie. Cookies and http headers seem really confusing, and I had a hard time manipulating them to store the jwt and put it in each header. But I think what really stumped me was essentially the same SSR issue of never knowing essentially how to successfully interface between the client and server. I.e. if (browser) {...} never seemed to work, or I couldn't get it to, anyway. (Happy to provide more code details on what I tried here if needed. It's a mess, but it's saved in git.)
I know this is a thing every app that has users needs to do, so I'm sure there's a way to do it in SvelteKit. But I can't find anything online that explains it, and I can't figure it out from the official docs either.
So am I missing something easy? (Probably.) Or is there a tricky way to do this?
For a SvelteKit SPA authenticating to Strapi, here's the happy path flow I would use:
SvelteKit page /routes/login.svelte collects the username (identifier) and password and a button's on:click handler posts those values via fetch to your own /routes/auth.js:post() endpoint. Why? Because now your server's endpoint is handling the login on behalf of the user so you can set an httpOnly cookie in the response.
In your auth.js endpoint post() method, you will want to do a few things:
Use fetch to post identifier and password to Strapi authentication (http://localhost:1337/auth/local) to get the JWT (response.body.jwt)
Use fetch to get user info from Strapi (http://localhost:1337/users/me). In the get, add a header called 'Authentication' with a value of 'Bearer ' + the JWT you just received from Strapi in the previous step
Return the user info from the response from Strapi and pass it back to your client in the response.body
Set a header httpOnly cookie with the value of the JWT.
Back on the client in the last part of the login button's on:click handler, take the user info from res.json() and put it in a writeable store called user or in the SvelteKit session store...
import { session } from '$app/stores'
...
const loginClickHandler = async () => {
...
const fromEndpoint = await res.json()
session.set({ user: fromEndpoint.user })
}
At this point, you have the user information persisted client-side and the JWT as an httpOnly cookie that can't be read or modified by client-side JavaScript code. Each request you make to your own server's pages or endpoints will send the JWT cookie along.
If you want to logout, call an endpoint on your server (/auth/logout) that sets the existing jwt cookie to have an Expires based on the current date/time:
response.headers['Set-Cookie'] = `jwt=; Path=/; HttpOnly; Expires=${new Date().toUTCString()}`
You would also want to clear the user object in your store (or the session store).
The main takeaway for the above example is that your client would never directly talk to Strapi. Strapi's API would be called only by your SvelteKit server's endpoints. The httpOnly jwt cookie representing your session with Strapi would be included in every request to your server's endpoints to use/validate with Strapi's API (or delete if expired or the user logged out).
There are lots of other approaches but I prefer this one for security reasons.
I have a flask API, with jwt authentication, on a httponly cookie. I installed interceptor, added the domain(with HTTPS) to the list, and enabled the requests and cookies interception.
but still,
how do I make postman send the cookie I got from logging in to the server? usually, with a simple front-end, it just happens, so I didn't think about it.
all the methods I found in postman documentation, including specifying the value with the token, but I don't have it, since I can't access the httponly cookie. (or can I?)
must I access the cookies? can it be done automatically like simply sending requests from the front-end?
any guidance will be appreciated
After a full evening of research, I did two things to make it work -
in the login request, I added a "test" script(a post-request script in postman), with the following code:
const csrf_token = pm.response.headers.get("set-cookie");
const edited_token = csrf_token.split(/[;=]/)[1];
pm.environment.set("X-CSRF-TOKEN", edited_token);
console.log(csrf_token.split(/[;=]/)[1]);
First, I got the cookie from the response, and then used a regex to separate only the token value, and set it as an environment variable. this way, I could add it as a header later, for accessing protected URLs.
The second step was to add a pre-scrit in any request with a protected URL -
in the pre-request tab, I added the following:
pm.request.headers.add({
key: 'X-CSRF-TOKEN',
value: pm.environment.get("X-CSRF-TOKEN")
});
Which only added the same token I took earlier from the "X-CSRF-TOKEN" environment variable and set it to the header.
Mission accomplished :)
I hope it will help others who bumped into this
I am attempting to Login to my app with JMeter Script.
I have Cookie Manager and a Cache Manager added
My Thread Group script
GET on main login page (/app) to return session id and form fields
and cookie
POST of completed form fields with cookie (/posthandler) with "follow redirects
What happens is
POST sends initial cookie (from GET) and form fields and logs in ok
the session is established (I see a record in our app database)
the response is a redirect with a new cookie
JMeter redirects (GET) to the session url (/app?session=xxxxx)
this goes with "[no cookies]" (according to request panel)
As that request arrives without the new cookies - the app issues a second redirect back to the login page.
So is there a way to force the GET Redirect after the POST response to send the cookie?
My theory is that JMeter is that, because of the different URI path for the POST and redirect GET, JMeter is not sending the cookie.
I have tried
various Cookie Manager settings (standard, default, compatibility).
followed this Understanding and Using JMeter Cookie Manager and set check.cookies=false.
and advice SO - JMeter: Login flow involving URL redirection not working including making sure there was an init
My problem was self-inflicted !
I was running against a different environment than usual which had a different context root e.g. /test/app rather than /app. For this I amended my ${Domain} User parameter with "my.domain.com/test" rather than adjust all the Path settings.
For requests sent this approach appeared to work as the ${Domain}+${Path} resolved to the correct URL - but the Cookies created by the server were for ${Path} (as in /test/app) and JMeter was seeing this differently (as in /app).
I have now introduced a ${CtxRoot} User variable (set to /test/) and prepended this to all my Path values - and my Login is now working.
Requirement : Our application needs to support same user opening our web application as separated session.
The problem is not how to use cookies in angular 2, but how can sever get cookie from HTTPServletRequest object when angular 2 application makes a rest call to server.
Implementation: Server side restful application has one filter to set user's browser session in cookie and then in HttpServletResponse. Angular client is making one call upon application bootstrap, which is going through server filter to set user's browser session in cookie.
Problem statement: angular client is making first rest call which goes through server filter to set the browser session cookie. When i open chrome developer tool, i do see that rest api response has "set-cookie" which has cookie set by server, but when i open the application tag in developer tool, i do not see any cookie set.
After that if I make any other rest call through angular application, it does not send the cookie in either request or request headers. Now, our application rest api depends on this cookie value to be present in HttpServletRequest and now it is failing.
Can someone please guide me here? I must have done something wrong on angular 2 application side, which i am not able to catch.
I have tried passing "withCredentials =true", but no change.
Another thing I noticed, if i make "GET" request, then i do see cookie in request header, but for "POST" request, I do not see anything for cookie.
Please advice.
server side code to set cookie
String uniqueId = RandomStringUtils.randomAlphanumeric(32);
Cookie userSessionCookie = new Cookie("userSessionId", uniqueId);
if (getDefaultDomain() != null) {
userSessionCookie.setDomain(getDefaultDomain());
}
httpServletResponse.addCookie(userSessionCookie); httpServletResponse.addHeader("Access-Control-Allow-Credentials", "true"); httpServletResponse.addHeader("access-control-allow-methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
httpServletResponse.addHeader("Access-Control-Allow-Headers", "Content-Type, token,withCredentials");
angular 2 post request which expects server to get cookie from HttpServletRequest
renderFF() {
//prepare renderFInput object
var fcRenderInput = {};
let headers = new Headers({ 'Content-Type': 'application/json' });
let options = new RequestOptions({ headers: headers, withCredentials: true
});
this._http.post('/api/v1/render/feature/fc',fcRenderInput,options)
.subscribe((res) => {
console.log(res.json());
});
}
Just a suggestion if this is about only one browser and multiple tabs, in this case you can use the local storage while setting some flag in it. Also when you try to open the same application in the new tab. you check if the flag is there and user is trying to open the same web application in some other tab of the same browser. You also need to delete the local storage you had set after some point.
I hope if you can get some trick to solve this issue :)
I am writing a mobile iOS application, which communicates with a Pyramid app on the backend. I am currently using Pyramid's built-in AuthTktAuthenticationPolicy.
I've met some speed bumps while attempting to authenticate via a mobile client (iPhone). For starters, how would I send and retrieve the auth_tkt cookie that is set by Pyramid.
I understand how this works with a web browser, but, if I want to send this "auth_tkt cookie" in the HTTP response, how can I accomplish this? How do I actually get the auth_tkt secret string. For example, what if I'd like to return it in the JSON body or a custom header of my choosing rather than as the cookie set by Pyramid's remember function?
Secondly, in future requests sent by the client what header do I set with the auth_tkt secret string so that Pyramid recognizes it and appropriately authenticates the client?
Using the Pyramid Helper Classes here, it looks like you can create your own auth_tkt and access it as well. Example from docs:
token = AuthTicket('sharedsecret', 'username',
os.environ['REMOTE_ADDR'], tokens=['admin'])
val = token.cookie_value()
The headers is a webob ResponseHeaders object, it derives from webob multidict. You can get it value by using this:
set_cookie = request.response.headers['set-cookie']
You can refer this link: webob multidict