Cookie creation on redirection java spring boot - java

Starting with the description of what is happening.
Say I have an API www.domain.com/login, and once the user logs in it redirects to www.someOtherDomain.com, and while redirecting the response sent to someOtherDomain has a Set-Cookie header, having a cookie with a domain (.domain.com). This cookie is for persisting the login session of the user on a domain (www.domain.com). But the cookie is not being set and hence no login session is being created.
What I want to do:
I want to set the cookie on the same domain where the login page is hosted (here it would be www.domain.com) and then redirect to the someotherdomain.com.
Additional details:
I am using org.springframework.web.servlet.view.RedirectView for redirection, and for setting the cookie I am using HttpServletResponse response.
How can this be achieved in Java Spring Boot?
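
One way to do what the question asks, as an added example that is not part of the original post: set the cookie on the 302 response that www.domain.com itself sends, so the browser stores it for domain.com before following the redirect. The cookie name, the `SessionStore` interface and the upstream authentication step are assumptions, and the `jakarta.servlet` import assumes Spring Boot 3 (use `javax.servlet` on Boot 2).

```java
import java.security.Principal;
import java.security.SecureRandom;
import java.time.Duration;
import java.util.Base64;

import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.view.RedirectView;

@Controller
public class LoginRedirectController {

    /** Hypothetical store that maps the token to the user on the server side. */
    public interface SessionStore { void save(String token, String username); }

    private final SessionStore store;
    private final SecureRandom random = new SecureRandom();

    public LoginRedirectController(SessionStore store) { this.store = store; }

    @PostMapping("/login")
    public RedirectView login(Principal user, HttpServletResponse response) {
        // Assumption: an upstream filter has already authenticated this request.
        if (user == null) return new RedirectView("/login?error");
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.save(token, user.getName());

        // Sent by www.domain.com, so Domain=domain.com is within the sender's own scope.
        ResponseCookie cookie = ResponseCookie.from("LOGIN_SESSION", token)
                .domain("domain.com")
                .path("/")
                .httpOnly(true)   // not readable from page JavaScript
                .secure(true)     // only sent over HTTPS
                .sameSite("Lax")
                .maxAge(Duration.ofHours(8))
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
        return new RedirectView("https://www.someOtherDomain.com/");
    }
}
```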

Related

Skip redirecting to login page when authenticating via /oauth/authorize

I have a use case where the user should be authenticated via /oauth/authorize by entering his username and password into a custom login form which is posted directly without redirecting the user to a provider's login page. Authorization code flow seems fitting, but how can I alter the flow to skip the redirect to the login page? Which are the Spring OAuth2 extension points to customize?
You can have two requests instead of one. You do a POST to your login endpoint as an XMLHttpRequest and on success you direct the user to the /oauth/authorize endpoint.
If you own the client server you might also consider the Resource Owner Password Credentials flow.

How do you extract the JSESSIONID cookie from an XHR request in Dojo?

I use Dojo to make XHR requests to a Java Servlet and I can't figure out how to get the value of the JSESSIONID cookie returned to me in the response header.
I need the session ID so I can use it within another web application (Flex) whose requests should use the same HttpSession (within the servlet) as for the initial web page requests.
My servlet container is Tomcat7 and I already configured the config.xml of my webApp with the useHttpOnly="false" setting so that the cookie should be available. However I just can't figure out how to extract it, dojo/cookie only gives me the cookies for the current page, not the HTTP request I just made.
Thanks.
Why do you think you need to access the cookie yourself? The browser is responsible for handling cookies automatically. From the spec:
If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie response header, and sent in the Cookie header) as applicable.
Also, it is forbidden to attempt to retrieve the Set-Cookie header of an XHR request response.
In short: You can’t do what you are doing, and you shouldn’t have to. Flash uses the cookies from the browser when making requests, so long as it is properly configured. So, assuming the XHR sets the cookie first, Flash should also send it.

Tomcat recreate JSESSIONID cookie after client redirect

I am stuck with a jsession id problem. I am using Tomcat 7, Spring framework 3.1.1, security with Spring Security.
Our application has a login page with a URL like: defaultSubdomain.theSite.com/login.html. Some of our users have their own subdomains, so their login page URLs are: subdomainForUser.theSite.com/login.html.
The problem is, if one of them uses the default login URL:
he will be logged in, an HttpSession will be created on the server and a JSESSIONID cookie will be created on defaultSubdomain.theSite.com on the client, then
our server makes the browser redirect to the welcome page of the user's subdomain and makes the browser recreate the JSESSIONID cookie with JavaScript.
In a filter:
// if the client is on the wrong subdomain
// (response is the ServletResponse passed to doFilter)
((HttpServletResponse) response).sendRedirect(url);
return;
But after that, client still needs to log in again. Is there any way to achieve what I try to do (with a coding approach and not configuring tomcat)?
I did some research and we could use
<Context sessionCookieDomain=".theSite.com" sessionCookiePath="/">
but it implies having one configuration for dev, one for test and one for prod which is not acceptable.
Thanks!
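
Why the second login is needed, as an added example that is not part of the original post: a JSESSIONID cookie set without a Domain attribute is host-only, so the browser never sends it to the other subdomain. The class below is a simplified model of the RFC 6265 rules (it ignores IP-address hosts, public-suffix rejection, Path and Secure), using the host names from the posts on this page.

```java
import java.util.Locale;

public class CookieScopeDemo {

    /** RFC 6265 section 5.1.3 domain-match, for host names only. */
    static boolean domainMatches(String host, String cookieDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        return h.equals(d) || h.endsWith("." + d);
    }

    /**
     * Would a browser attach the cookie to a request for requestHost?
     * setByHost is the host whose response carried Set-Cookie;
     * domainAttr is the Domain attribute, or null when it was absent.
     */
    static boolean isSent(String setByHost, String domainAttr, String requestHost) {
        if (domainAttr == null || domainAttr.isEmpty()) {
            // Host-only cookie: returned only to the exact host that set it.
            return requestHost.equalsIgnoreCase(setByHost);
        }
        // A leading dot in the attribute is ignored.
        String d = domainAttr.startsWith(".") ? domainAttr.substring(1) : domainAttr;
        // The browser discards the cookie if the setting host is outside that domain.
        if (!domainMatches(setByHost, d)) {
            return false;
        }
        return domainMatches(requestHost, d);
    }

    public static void main(String[] args) {
        String login = "defaultSubdomain.theSite.com";
        String user = "subdomainForUser.theSite.com";

        // Default JSESSIONID (no Domain attribute): stays on the login host.
        System.out.println("host-only, other subdomain: " + isSent(login, null, user));
        // Domain=.theSite.com (what sessionCookieDomain produces): both subdomains.
        System.out.println("Domain=.theSite.com:        " + isSent(login, ".theSite.com", user));
        // A host cannot set a cookie for a domain it does not belong to.
        System.out.println("set by unrelated host:      "
                + isSent("www.someOtherDomain.com", ".domain.com", "www.domain.com"));
    }
}
```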

Apache Shiro session management on Spring

I am a newbie to both Spring and Shiro. I have some questions on Session Management.
I saw a question which gives quite a good introduction to Session Management.
But what I did not understand is, how does Shiro communicate with the client to pass the session information, and how will the client authenticate itself again over the subsequent requests. Does Shiro pass a session ID automatically, without me having to code for it?
Does the browser automatically store the session IDs and send them (maybe over HTTPS) with subsequent requests?
How is the session logout communicated to the client? And how does the client understand that it has to log in again?
Thanks!
The session ID is stored as a browser cookie.
The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.

Add the 'HttpOnly' attribute to all session cookies

I got the following error when my website was being audited. I have developed my website using JSP, servlets, Java classes.
Missing HttpOnly Attribute in Session Cookie
Security Risks:
It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes:
The web application sets session cookies without the HttpOnly attribute
Remediation Tasks:
Add the 'HttpOnly' attribute to all session cookies
I am passing a Java security token as a hidden parameter while clicking on the submit button. How can I add this HttpOnly attribute in that token?
The HttpOnly attribute is set on Cookies, and these are (usually) passed from the server to the client, not from the client to the server. HttpOnly is not an attribute you can set on a form or form parameter. Here the client is the browser and the server is the Java EE server running your Java application.
Cookies are usually created by a server, passed to the browser and then passed back. Now it is possible to create and manipulate Cookies using JavaScript which can be helpful but can also be a security hole. So an HttpOnly Cookie is only accessible by the server, or in other words it is not accessible from client side JavaScript which protects your site from some forms of XSS attacks. So the Browser will store and return an HttpOnly Cookie but it will not alter it or allow you to create it on the client; an HttpOnly Cookie must be created on the server.
If you're using JSP it's likely your server is automatically creating a Cookie to manage sessions for you; this is the cookie on which you need to set the HttpOnly attribute. The method to set HttpOnly on your SESSIONID Cookie will be container specific.
Were you able to set the "HttpOnly" attribute in session cookies?
I found this code to do this on https://www.owasp.org/index.php/HttpOnly
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
