Say I wanted to set up a Input Request Header as I'm calling it, I want to set up a server that needs to be visited in order to set a UID, and Token, good for an time limit before redirecting to the website that won't be accessible unless you visit the Input Request Header Server and click the button that sends the request.
What I want the requests to look like is:
GET / HTTP 2.2
Host: IRH.domain.com
IRH-Token: (__input__)
IRH-UID: (__input__)
and have the website set to Status code 400 if request doesn't have an approved Token and UID matched in the IRH server
How would I go about setting my own headers, and how would I set up a page that handles them?
Related
My backend is in Django and Frontend is in React.
I have set up CROS header and added settings as follows.
Django settings
For sending request I am using fetch and i have set credentials: 'include'.
I am using the session based authentication, So when I signin session of a user starts. Then from the parent component (from useEffect) I send a request to backend to fetch Jobs. Things work fine in this case. Below is the header of this particular request. It has COOKIE
Request header 1
when I send request from child component of react, COOKIE is not present in the header. Below is the header of this particular request.
Request header 2
I am not able to get why this thing is happening, One more difference in both the request headers is the value of HTTP_SEC_FETCH_SITE in request header.
In first request value of HTTP_SEC_FETCH_SITE is same-site whereas in second request HTTP_SEC_FETCH_SITE is cross-site. Even though request is sent through http://localhost:3000 in both cases why value of HTTP_SEC_FETCH_SITE is different.
value of HTTP_SEC_FETCH_SITE was different for these two requests beccause baseurl for first request was set to http://localhost:8000/ where as for second request it was
http://127.0.0.1:8000/.
Event though both are local servers on same port, don't know why this thing happens.
I changed both baseurl to http://localhost:8000/ and things worked. Cookie was set in both the requests.
I'm currently developing an App using Microsoft LIVE 2.0 API
Currently, I’m using these URLs as my authentication endpoints:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
However, when I sent the request to the token endpoint with the redirect URL as
https://blabla.com/accept_token.php?api_ver=wave5&csrf=AY7F6O4hF0n8yW3i2O_y6N-ky7zzfULiYV_fttLK1S3JgaeQz2GTk9FOeIGBBH5CvkfkEYCyPOCQCujcrij4KDy2wAMZyXqx24jvwZRtzOv0s9ADGYl1iFtvYtkmgeFmZEY&appdata=%7B%22use_case%22%3A1%2C%22type%22%3A1%2C%22flow%22%3A2%2C%22domain_id%22%3A12%2C%22tracked_params%22%3A%22%5B%5D%22%7D
I got errors saying the reply address does not match the reply addresses configured for the application
For the application, I set the reply address to be https://blabla.com/accept_token.php.
Is it possible that I add some parameters to the url and still make it match?
I'm pretty sure the reply url you send must match exactly the reply url registered on the application, including any query strings.
If there is variable state informaiton you need passed throughout the authentication process, you should use the state variable.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code
state
A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on.
the service/backend is sending me set-cookies in a 302 redirect but i am not able to read the response header which has set-cookies. basically i want to redirect the user to login page and clear the session if Set-Cookie:redirectURL="" and it expires immediately. Not sure how to proceed.
I am afraid you can't intercept the 302 status code from JavaScript.
This is because the status 302 simple means request is not yet fulfilled and server is asking the user agent to initiate a new request for the Url specified in Location header of redirection response.
This entire redirection process is internal to the user agent and JavaScript code is notified only on completion of the request.
I've recently noticed that certain (all?) browsers do not send cookies with OPTIONS requests, but session (understandably) sends a cookie response with a new session ID in response to these. (OPTIONS requests are used to probe CORS access control headers prior to sending AJAX requests.)
My specific scenario is the following:
request https://my-domain.appspot.com
a. Receive cookie with new session ID
AJAX OPTIONS request to https://my-domain.appspot.com to probe for CORS headers (this is automatically generated by the browser)
a. Browser does not send cookie
b. Session responds with Set-Cookie header and NEW session ID
Subsequent requests to https://my-domain.appspot.com use different session ID
Because of session ID mismatch, CORS filter blocks the requests
What can I do to prevent new session ID getting created in step #2 ? Or how can I avoid my requests getting failed in the above scenario ?
You should make sure that your server treats OPTIONS requests separately and doesn't run them through the usual filters (assuming you're using a Java-based back-end). But make sure that the CORS filter adds all the Allow-* headers to their respective responses.
These requests should be treated as unauthenticated, meaning that they don't require credentials, aren't tied to a specific session and most importantly don't set any cookies that can affect your session.
Because of session ID mismatch, CORS filter blocks the requests.
This is a misconception. CORS is agnostic to any user session. It's your server authentication logic that's blocking the request due to the newly created session ID which is invalid.
I'm trying to make a POST request between two sites.
I've seen the need to change header of request on server side using the access-allow. My problem is that when I send request I can't see this modification in the response header.
If I go on directly on page the headers are change. If I sent request with GET, I can see too that the headers has been changed. Maybe there is server configuration of http which is forbidden across domain POST request?
I'm using a Ngnix server that serves Drupal sites.
As far as I know, the header you should change is the response header of the site that receive the request (or site 2). Thus, it allows the client (or site 1) to perform a CORS request, adding the header "Access-Control-Allow-Origin" and the domain of site 1 (or '*') into the response.