Are mojolicious session tokens created in a "standard" way (in a generic sense), or is this up to the individual application? If it is the former, then what is the format?
What I saw so far is a base64 encoded JSON fragment (which by itself is syntactically incomplete), followed by "---", followed by a random looking 40-digit hex-string.
I'm especially interested in the random looking token. Is it randomly generated, or is it the encoding/encryption of something?
Mojolicious session have base64 string (in the begin, first part) and sign (in the end, second part) which separated by "---".
Sign is main part of session which prevent from changes.
So, make a test:
Add to session some value. Make request which get this value in the session.
Get session and transform first part of them (make base64_decode and change value then make base64_encode and put it before "--" in cookies).
Make query to server with new cookie/session. Your new data must be invalid in session.
So, sign it is IMPORTANT part of session.
Read source code to learn more about it
Read this to know how to set secret key for sign cookies
Related
I am receiving below cookie from my source system
ExternalAccess=unixtime=1593603710&oracletime=01-jul-20
12:41:50_Hash_thNnmggU2ex3L5XXeMNfxf8Wl8STcVZTxscSFEKSxa0
At destination system [PERL based], using below code to read the cookie
my $extSysCookie = $Query->cookie('ExternalAccess');
i am getting below output
External Access cookie = unixtime=1593603710
and not able to read full value.All characters after & are getting omitted. Can anyone help?
First of all, that's not a valid cookie. Spaces are not allowed in the value of cookies. Ref.
Secondly, that's not a correctly formatted cookie for CGI.pm's ->cookie. ->cookie is designed to handle cookies created using CGI.pm's ->cookie. The cookie value in question was not created with that method, and the cookie can't be handled (correctly) by that method.
To get the desired string from ->cookie, either construct the cookie using ->cookie, or otherwise create a cookie with the URI-encoding the value you wish ->cookie to return.
For example, the desired string will be returned for a cookie with the value
unixtime%3D1593603710%26oracletime%3D01-jul-20%2012%3A41%3A50_Hash_thNnmggU2ex3L5XXeMNfxf8Wl8STcVZTxscSFEKSxa0
CGI's approach allows cookies to have multiple values, and gets around the problem of spaces being forbidden in the values of cookies.
I am using JWT token to authorize my APIs, during implementation I found header and payload in token always start with eyJ. What does this indicate?
JWTs consist of base64url encoded JSON, and a JSON structure just starts with {"..., which becomes ey...when encoded with a base64 encoder.
The JWT header starts with {"alg":..., which then becomes eyJ...
You can try on this online encoder and enter {"alg" and click on encode. The result will be eyJhbGciPSA=
I'm afraid the question, and answer above is a little too extensive/certain.
The best you can check for is (only) 'ey', as the first JSON member could be something else such as "typ" (rather than "alg"); I wouldn't recommend assuming the order of JSON members (even if they are supposed to follow a prescribed order - i.e. allowing for the possibility of real-world anomalies/a small amount of flex).
Also, as much as it is probably unlikely - as far as what is been produced by a particular implementation, there could be a (/some) whitespace following the opening (JSON object) brace character (and maybe even before it!) - I'm not sure if the standard/RFCs forbid this, but even if it's only a temporal instance of a bug (within the JWT generation process) this could in-theory occur; so you're better in only checking for 'ey' - as a quick smoke-test, before then proceeding on to a fuller/complete validation of the JWT.
(F.Y.I. I believe it may have been Microsoft 'Identity Platform' whereby "typ" preceded "alg" - if memory serves me correctly (?), but I can't swear to it / as to where I've seen this being the case - at least at one point in time.)
I am attempting to preview a track via the 7digital api. I have utilised the reference app to test the endpoint here:-
http://7digital.github.io/oauth-reference-page/
I have specified what I consider to be the correct format query, as in:-
http://previews.7digital.com/clip/8514023?oauth_consumer_key=MY_KEY&country=gb&oauth_nonce=221946762&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1456932878&oauth_version=1.0&oauth_signature=c5GBrJvxPIf2Kci24pq1qD31U%2Bs%3D
and yet, regardless of what parameters I enter I always get an invalid signature as a response. I have also incorporated this into my javascript code using the same oauth signature library as the reference page and yet still get the same invalid signature returned.
Could someone please shed some light on what I may be doing incorrectly?
Thanks.
I was able to sign it using:
url = http://previews.7digital.com/clip/8514023
valid consumer key & consumer secret
field 'country' = 'GB'
Your query strings parameters look a bit out of order. For OAuth the base string, used to sign, is meant to be in alphabetical order, so country would be first in this case. Once generated it doesn't matter the order in the final request, but the above tool applies them back in the same order (so country is first).
Can you make sure there aren't any spaces around your key/secret? It doesn't appear to strip white space.
If you have more specific problems it may be best to get in touch with 7digital directly - https://groups.google.com/forum/#!forum/7digital-api
I am building a RESTful API for retrieving and storing comments in threads.
A comment thread is identified by an arbitrary URI -- usually this is the URL of the web page where the comment thread is related to. This design is very similar to what Disqus uses with their system.
This way, on every web page, querying the related comment thread doesn't require storing any additional data at the client -- all that is needed is the canonical URL to the page in question.
My current implementation attempts to make an URI work as a resource by encoding the URI as a string as follows:
/comments/https%3A%2F%2Fexample.org%2Ffoo%2F2345%3Ffoo%3Dbar%26baz%3Dxyz
However, before dispatching it to my application, the request URI always gets decoded by my server to
/comments/https://example.org/foo/2345?foo=bar&baz=xyz
This isn't working because the decoded resource name now has path delimiters and a query string in it causing routing in my API to get confused (my routing configuration assumes the request path contains /comments/ followed by a string).
I could double-encode them or using some other encoding scheme than URI encode, but then that would add complexity to the clients, which I'm trying to avoid.
I have two specific questions:
Is my URI design something I should continue working with or is there a better (best?) practice for doing what I'm trying to do?
I'm serving API requests with a Go process implemented using Martini 'microframework'. Is there something Go or Martini specific that I should do to make the URI-encoded resource names to stay encoded?
Perhaps a way to hint to the routing subsystem that the resource name is not just a string but a URL-encoded string?
I don't know about your url scheme for your application, but single % encoded values are valid in a url in place of the chars they represent, and should be decoded by the server, what you are seeing is what I would expect. If you need to pass url reserved characters as a value and not have them decoded as part of the url, you will need to double % encode them. It's a fairly common practice, the complexity added to the client & server will not be that much, and a short comment will do rightly.
In short, If you need to pass url chars, double % encode them, it's fine.
I am reading facebook api and ran into a little confusion, and hope that you might help. I am using the Javascript SDK specifically, and on getting the request.session back from the login callback, I wonder if the field 'sig' is the same as the 'auth_token'? I know the descriptions of both are different, but I wonder if they are the same in reality. If anyone knows, I will be much appreciated. Thanks in advance.
auth_token is a token that Facebook generates for desktop applications that you must send back to Facebook again immediately when logging in.
sig on the other hand is a md5 hash of all session data combined with your application's private key. You can reconstruct the sig from the session data and compare it with the sig passed in, and if it matches the response can be considered authentic.
Consider the following keys stored as a cookie:
a=1
b=2
sig=8a80b0b971da5be75e7197576331b24e
Assume the application's private key is "hello". We can try to reconstruct the sig as:
md5("a=1" + "b=1" + "hello"); // 8a80b0b971da5be75e7197576331b24e
which equals the value of sig in this case. We constructed this by concatenating all key=value pairs in alphabetical order by key ("a" comes before "b"), then concatenate the private key and finally get the md5 of the resulting string.
I wrote a blog post for verifying the cookie set by Facebook in Rails (PHP example is already given on Facebook's website).