I am trying to login and retrieve status information from a HTTPS URL via Java programming. I login through /login.cgi, providing the username and password with a POST request to that script.
The script then verifies the credentials and creates a specific cookie (with session information, user name, etc.) and then immediately calls a Location response header to /home.cgi. Which, I'm guessing, the /home.cgi script verifies the cookie information before continuing to load. Otherwise, it just reverts back to the /login.cgi page.
All of this works fine within a browser because of the way browser's handle cookies/sessions correctly. However, within Java, this is very tricky because I can not get the appropriate cookie to send as a request to subsequent pages. I can not get the correct cookie because I am unable to get the HTTP response back (which holds the correct "Set-cookie" value) in between /login.cgi creating the specific cookie and it calling Location /home.cgi.
Is there something I'm missing or is there a better way that Java can handle cookies similar to a browser? (is there a cookie store, etc?)
Thanks for the help,
Steve
Cookie management is by default not enabled in the java.net HTTP API. If you don't need any specific handling or cross-application cookie persistence (the cookies will be deleted when your application terminates), you can simple enable it with
CookieHandler.setDefault(new CookieManager());
How are you making the HTTP connections and managing cookies?
I would recommend just using commons-httpclient rather than managing this yourself. It will automatically manage cookies for you.
Related
Currently, we are using a legacy application where the Java HttpServletRequest.GetSession() function to get the session from the Client browser where the session is set from the Browser's parent tab.
Now we need to access the same session information [example, we have Token in the session]
using our new application with decoupled Microservice architecture [ UI-React JS].
Whether we can able to access the session from Front End?
Appreciate your suggestion on this.
Thank you !
The HTTP Session is a temporary store in the backend, where you store something based on previous requests. As soon as you store something there, the backend will return a Set-Cookie header to the browser with a JSESSIONID that the browser stores for the user. For the next calls, the browser will send the same JSESSIONID cookie, and the backend will use it as a key to retrieve the previously saved data for that user's browser.
If you're migrating to a React JS application, I think there's no need to store tokens in the backend, and use cookies with only JSESSIONID in. Instead, the frontend can store all the necessary data client-side.
I think there's multiple options:
Keep it in React state (in the browser's memory)
Keep it in a Cookie that you manage via the frontend
Keep it in the browser's localStorage (less secure, I think)
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
I am planning to do automated testing of post requests with various parameters on a link. The problem that I face is the link has a sso authentication. When I do a normal post in vbscript or java it directs me to the sso page.
Any idea how it can be done?
since you are working with http-post, I assume that SSO is performed by using Cookies.
In that case, everything you have to do is add those Cookies to your request.
This is done by adding a Header with name 'Cookie' to your request.
This headers value may be of the format 'CookieName=CookieValue'.
In case you have multiple Cookies, you can either add multiple Cookie Headers, or separate them by using a ';'.
In case you fetch those Cookies with a previous request, you can get a hold of the Cookies by evaluating the 'Set-Cookie' Header.
Additional Informations about basic Cookie Handling may be found here
In case you use Apaches HTTP-Components, you can also use its integrated Cookie Store to automatically add Cookies to new Requests.
A good example as how to basically use Apaches HTTP-Client can be found here
The part of how to use Cookies can be found in section 3
I'm developing an environment with 2 webapps deployed in Tomcat 7. One authenticate users using form, openid, remember me cookie or x509 cert. This one works as expected and use the Remember me cookie to authenticate properly when generated.
The problem resides in the second one (the client):
When the login request comes back to the client from the first one, I don't see any cookie. I'm pretty sure they are in the same domain (localhost) and the cookie path is "/" but the browser (firefox) is not sending the cookie to the client.
If I want to use the generated remember me cookie to authenticate in the client, do I need to include all remember me cookie stuff from Spring's security?
Is the remember me cookie a good approach? Do I need something like siteminder or other better approaches?
Thanks in advance. Answers will be voted
Check the cookie information when it is sent back from the server (use Firebug to monitor the network traffic if you're using Firefox).
Check the domain and path, and also whether the cookie is flagged as secure. If the remember-me cookie is issued over a secure connection it will be marked as secure and the browser won't send it over HTTP.
If this is the case, you have to explicitly override it (though you're better to use HTTPS throughout). There's a use-secure-cookie attribute in the remember-me namespace element which you can set.
i want to login into an web-application and want to perform some search operation after login. I am using httpclient for this and i am able to login and fetching the data of that page but i didn't get anyway to perform post operation say searching of any user account after login. As it is asking for login again. Please provide any way or idea to do this?
When you login into a site the server usually sends you back a cookie containing your session id, or the jsessionid header. Try sending this jsessionid and its value back to the server in the post-login operation.
This may not work, because the server can force you to use cookies. This is just an idea of the scenario often found around there.
Its not httpclient, but there is a browser automatization framework called selenium.
look here for an explanation how to use cookies in java, using the java.net APIs http://www.hccp.org/java-net-cookie-how-to.html
I have had a scoping issue with a session cookie not being visible in the past. You "may" have the same issue.If you know the session cookie is being created after you have logged in successfully, try adding a call to setDomainMatchingStrict(false)
import com.meterware.httpunit.cookies.CookieProperties;
WebConversation wc = new WebConversation();
CookieProperties.setDomainMatchingStrict(false); // <- the important bit