Hey all I was trying to create a java program which will remain logged in on server whenever i browse on website no authentication will be required even if i run the program later on i.e. my program should store some cookie file on client side and also tell the browser that this session should lasts for quite a long time. And whenever i run the program this should send the cookie details, that this is recognized and the user is logged on, to the server.
So how this should be done using HTTP protocol.
Thanks. :)
The browser (client) stores a session cookie containing a key-value pair. The key is usually JSESSIONID, and the value is a unique identifier. It is received by the client as a response of his request to the server, which initiates the session.
Whenever a request is made to the server, the browser sends that key-value pair in a special http header ("Cookie"). The server then reads that header, obtains the identifier, and finds the corresponding session.
Why don't you guys use Google before asking?
See the following:
HttpURLConnection class
HTTP cookies description
How to use HTTP Cookies in Java
Related
Currently, we are using a legacy application where the Java HttpServletRequest.GetSession() function to get the session from the Client browser where the session is set from the Browser's parent tab.
Now we need to access the same session information [example, we have Token in the session]
using our new application with decoupled Microservice architecture [ UI-React JS].
Whether we can able to access the session from Front End?
Appreciate your suggestion on this.
Thank you !
The HTTP Session is a temporary store in the backend, where you store something based on previous requests. As soon as you store something there, the backend will return a Set-Cookie header to the browser with a JSESSIONID that the browser stores for the user. For the next calls, the browser will send the same JSESSIONID cookie, and the backend will use it as a key to retrieve the previously saved data for that user's browser.
If you're migrating to a React JS application, I think there's no need to store tokens in the backend, and use cookies with only JSESSIONID in. Instead, the frontend can store all the necessary data client-side.
I think there's multiple options:
Keep it in React state (in the browser's memory)
Keep it in a Cookie that you manage via the frontend
Keep it in the browser's localStorage (less secure, I think)
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
As I understand, in authorization code flow we need to get authorization code and use it to get token after. We can get this code only when user confirms specified access. After that browser redirects us to redirect_uri and response will contain authorization code as parameter. So, the question: is it possible to get this authorization code without browser or any self made UI? Can we get it in application after correct request to, for example https://mysite.tuz/authorize ?
As you are using authorization code flow, the client requires a user agent (i.e browser or mobile app) to get the authorization code from the authorization server.
The whole purpose of using authorization code is that it can be passed via the user's web browser (user agent) instead of passing the access tokens directly via the web browser (user agent) which is not desired. Using authorization code,the Client then can directly retrieve an Access Token from the authorization server.
So the user agent is required to get the authorization code and act as an intermediary between client and authorization server.
If you do not require a browser then authorization code flow may not the correct choice. OAuth 2.0 supports several different grants i.e ways of retrieving an Access Token. Deciding which one is suited for your case depends mostly on your Client's type.
This might help you in deciding which flow to use
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
You should use client credentials to obtain token without browser or any client. But if you need to use user credentials to get access token and id token of the user without browser or mobile app you need to implement you own client which will do the necessary logic for you and fetch the token for you. I already did it in java for the testing purpose. I don't know why you need to do it but you can implement your own client in almost any programming language . But in case you will decide to go this way you have to handle lot of things.
I expect your authorization server requires Proof-Key for Code
Exchange (PKCE) - so first of all before you start to communication
with server you have to create code verifier and code challenge
(google can help you with that :) in java it is quite simple)
Then you should start communication with server sending get request to url which ends with 'auth' you should send query params as: response_type (which is 'authorization_code' in your case), redirect_uri, client_id, code_verifier, code_challenge, scope, code_challenge_method (probably 'S256')
Then you receive I think two redirects from server so it is better to have some client in java which will automatically call those redirects. I used apache http client for my implementation. It has lot of features.
After successful redirect server will return login page to your client. It depends on authorization server but in this page you should put the data as username and password and submit the page. I have simply parsed the returned page and get the url for user authentication from it and simply make post request to that url with user credentials data sent in encoded form entity. In apache http client you will have all cookies from previous communication set (until you close the client) since apache http client automatically set all cookies returned in previous communication from server.
After make authentication request server will send you two redirects and you can store those redirects int http client context which you will provide for http client when you call authentication url.
In the last redirect there will be query parameter sent be server named "CODE" this is really important for you since you will use it to get token from the server
And finally you have to make one last post request to authorization server with url ended as token. So make a post request with GRANT_TYPE, REDIRECT_URI, CODE (you received in previous redirect), CLIENT_ID, CODE_VERIFIER (you have generated at the beginning);
Then authorization server will send you token and that's all
I have a Java server that consumes and produces JSON. In my Dart login form, I post to the server and the server will respond with a credential if I'm logged in (using UUID.randomUUID()).
Now every time I need to do something like update a user, I need to send along this credential. My concern is:
Since the Dart app is HTML and Javascript, will it be secure to save this in a Dart variable and then access it when I need to do some operation to the server? I understand that I should use HTTPS but I'm just wondering...
HTTPS secures just the transport between client and server. That doesn't help anything with the variable you save the value in.
If you control the server you could use a secure cookie that gets sent to the server automatically but isn't accessible from the client.
If not you won't have much alternatives.
I am trying to login and retrieve status information from a HTTPS URL via Java programming. I login through /login.cgi, providing the username and password with a POST request to that script.
The script then verifies the credentials and creates a specific cookie (with session information, user name, etc.) and then immediately calls a Location response header to /home.cgi. Which, I'm guessing, the /home.cgi script verifies the cookie information before continuing to load. Otherwise, it just reverts back to the /login.cgi page.
All of this works fine within a browser because of the way browser's handle cookies/sessions correctly. However, within Java, this is very tricky because I can not get the appropriate cookie to send as a request to subsequent pages. I can not get the correct cookie because I am unable to get the HTTP response back (which holds the correct "Set-cookie" value) in between /login.cgi creating the specific cookie and it calling Location /home.cgi.
Is there something I'm missing or is there a better way that Java can handle cookies similar to a browser? (is there a cookie store, etc?)
Thanks for the help,
Steve
Cookie management is by default not enabled in the java.net HTTP API. If you don't need any specific handling or cross-application cookie persistence (the cookies will be deleted when your application terminates), you can simple enable it with
CookieHandler.setDefault(new CookieManager());
How are you making the HTTP connections and managing cookies?
I would recommend just using commons-httpclient rather than managing this yourself. It will automatically manage cookies for you.