Can you, using fetch or by some other means, send a request with an HttpOnly cookie to the server in React?
I know HttpOnly means you can't access it with JS.
I'm thinking maybe you can't read it, but you can send it back? I don't know.
I want this:
Request to server is made from client (ReactJS SPA)
Server responds and sets HttpOnly Cookie.
Client gets response, cookie is automatically set by browser.
With a new request to that same server I want to send back that cookie. Is this possible using ReactJS?
Or maybe there are some ways to bypass that, like maybe opening a new window with simple HTML, not ReactDOM?
Thanks for your help.
OK, I checked it out.
A cookie with HttpOnly set to true will still be sent using ReactJS, fetch or any other request made with JS. You just can't read it using JS, but when using HTTP POST, HTTP GET or other methods, the browser still attaches it to the request, even if it's HttpOnly.
I guess the lesson here is that the browser handles adding cookies to requests, and it doesn't care if the request is made by HTML or JavaScript.
I am working on my first React application, which consumes a REST API. Certain information within the API isn't accessible unless authorized by logging in, and the API returns an HttpOnly cookie as a response upon a successful POST request to the login endpoint; I'm using axios to accomplish this. It's possible to view the cookie within the network tab of the browser, and it is also successfully logged to the console, but I'm unsure how I can actually store the information returned from the API within my React app. The cookie vanishes from the browser when I leave the page after logging in. Is there a way I can keep this cookie in the React app's memory/state so it can be sent and used on future requests in the application? I've scoured for a few days and seen various methods to access a returned JWT, but most of them involve using LocalStorage, which isn't secure, or are from deprecated tutorials from many years ago. After logging in, the JWT returned from the API will need to be sent back on future requests, which will also be made using axios.
All help is much appreciated.
You can configure the expiry of the HttpOnly cookie. It sounds like your server is currently storing the JWTs in HttpOnly session cookies. If you are using Chrome, you can confirm this by looking at the "Expires / Max-Age" column in the Application tab. If it is a session cookie, the field will be unspecified, and the cookie disappears once you end your browsing session. If you set the expiry of the HttpOnly cookie to, say, a year, then the cookie persists across browsing sessions.
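The behaviour found in the first poster's own answer (the browser attaches HttpOnly cookies to fetch/axios requests but hides them from script) and the session-versus-persistent distinction in the answer above are easy to see in a small model of the browser's cookie jar. This is an added example written for this page, not code from any of the posts; the names parseSetCookie, CookieJar and demo are my own, the Set-Cookie headers in demo() are constructed sample input, and the model assumes same-origin requests (a cross-origin fetch() additionally needs credentials: 'include' before the browser attaches cookies at all).

```javascript
'use strict';

// Added example, not from the original posts: a small model of the browser's
// cookie jar. Names (parseSetCookie, CookieJar, demo) are my own; the
// Set-Cookie headers in demo() are constructed sample input.

// Parse one Set-Cookie header value. expires === null marks a session cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false, expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age') cookie.expires = Date.now() + Number(val) * 1000;
    else if (key === 'expires') cookie.expires = Date.parse(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // A response arrives: the browser stores every cookie, HttpOnly or not.
  storeResponse(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.cookies.set(c.name, c);
    }
  }

  // Expired persistent cookies go away on their own.
  prune(now = Date.now()) {
    for (const [name, c] of this.cookies) {
      if (c.expires !== null && c.expires <= now) this.cookies.delete(name);
    }
  }

  // Browser closed: session cookies (no Expires/Max-Age) are discarded,
  // persistent ones survive.
  endSession() {
    for (const [name, c] of this.cookies) {
      if (c.expires === null) this.cookies.delete(name);
    }
  }

  // Cookie header the browser attaches to the next same-site request, whether
  // it came from a link, a form, fetch() or axios. HttpOnly plays no role here.
  // (A cross-origin fetch() additionally needs credentials: 'include'.)
  requestCookieHeader() {
    this.prune();
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // What document.cookie shows to page script: HttpOnly cookies are hidden.
  documentCookie() {
    this.prune();
    return [...this.cookies.values()].filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Walk through the login flow from the posts with constructed headers.
function demo() {
  const jar = new CookieJar();
  jar.storeResponse([
    'session=abc123; Path=/; HttpOnly; Secure', // JWT/session id: no expiry, so a session cookie
    'theme=dark; Path=/; Max-Age=31536000',      // persistent and script-readable
  ]);
  const before = { request: jar.requestCookieHeader(), script: jar.documentCookie() };
  jar.endSession(); // user closes the browser and comes back
  const after = { request: jar.requestCookieHeader(), script: jar.documentCookie() };
  return { before, after };
}

console.log(JSON.stringify(demo()));
```

Before the browser is closed, the request header carries both cookies while document.cookie shows only theme=dark; after endSession() the session cookie holding the JWT is gone from both, which is exactly the "cookie vanishes" symptom, and giving it a Max-Age (as the answer suggests) is what keeps it in the jar.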
I am using React for the front end and Spring Boot for the backend. Now I have a situation where I need to get some kind of browser signature or browser-specific information to store on the server, so that on every new request I can verify whether the user is hitting the URL from the same browser or from some other browser.
I have tried several ways to get browser-specific information at the backend without success. Please guide me on which browser-specific information I can send and read in my Spring Boot URL and then store for the further verification process.
Thanks in advance!
I would try to set cookies on the client browser and track the cookie/session value on the server side.
For example, you can set the cookie:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.CookieValue;

// create a cookie carrying a server-generated unique value (uuid)
Cookie cookie = new Cookie("someUniqueValueLike", uuid);
// add the cookie to the response so the browser stores it
response.addCookie(cookie);

Read the cookie back on later requests with @CookieValue:

public String readCookie(@CookieValue(value = "someUniqueValueLike") String uuidString) {
    // verify the cookie value here, e.g. look it up in what the server stored
    return "ok";
}
In one of my projects I am getting user identification data from a reverse proxy server (WebSEAL) in HttpOnly cookies, and I need to retrieve these cookies to retrieve data from the backend API. I know it's not possible to read an HttpOnly cookie with any script code.
Can it be done using server-side rendering with Express? The front-end code is written in ReactJS.
Thanks
Yes, you can read them in your backend, make the API requests from your server and then render the response based on that.
Echoing the cookie data inside a script tag would also be possible, but it would be a dirty hack, as it defeats the purpose of the HttpOnly flag.
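What the answer above describes, as an added example that is not the answer's own code: a server-side handler that reads the proxy-issued HttpOnly cookie from the incoming request, calls the backend API with it, and renders HTML that carries the resulting data but never the cookie value. It is a plain function rather than an Express route so it runs without Express; IDENTITY_COOKIE is a placeholder for the real cookie name, parseCookies, escapeHtml and renderUserPage are my own names, and the backend call is injected as a synchronous callBackend function (a real handler would await an HTTP client).

```javascript
'use strict';

// Added example, not the answer's code: read the HttpOnly cookie on the
// server, forward it to the backend, render the result without the cookie.
// IDENTITY_COOKIE is a placeholder name; callBackend is injected so the
// example runs offline.

const IDENTITY_COOKIE = 'identity'; // placeholder for the real proxy cookie name

// Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
const parseCookies = (h = '') => Object.fromEntries(
  h.split(';').map((p) => p.trim()).filter((p) => p.includes('='))
    .map((p) => [p.slice(0, p.indexOf('=')), p.slice(p.indexOf('=') + 1)]));

// Escape text for insertion into an HTML body.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (ch) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch]));

// req = { headers: { cookie } }; callBackend(path, headers) -> profile object.
function renderUserPage(req, callBackend) {
  const identity = parseCookies(req.headers.cookie)[IDENTITY_COOKIE];
  if (!identity) return { status: 401, body: '<p>Not signed in</p>' };

  // The cookie travels server-to-server; it is never written into the page.
  const profile = callBackend('/api/profile', { Cookie: `${IDENTITY_COOKIE}=${identity}` });

  // Only the data the React app needs is embedded. '<' is escaped inside the
  // JSON so a value containing "</script>" cannot break out of the tag.
  const state = JSON.stringify({ displayName: profile.displayName }).replace(/</g, '\\u003c');
  const html =
    `<!doctype html><div id="root">Hello, ${escapeHtml(profile.displayName)}</div>` +
    `<script>window.__INITIAL_STATE__ = ${state};</script>`;
  return { status: 200, body: html };
}

// Stand-alone run with a constructed backend and a constructed request.
const fakeBackend = (path, headers) =>
  ({ displayName: headers.Cookie === 'identity=s3cret' ? '<Ann>' : 'nobody' });
console.log(renderUserPage({ headers: { cookie: 'identity=s3cret; other=1' } }, fakeBackend));
```

The React bundle then hydrates from window.__INITIAL_STATE__ and makes its own same-origin API calls, on which the browser attaches the HttpOnly cookie automatically; the script-tag echo the answer warns against is exactly what the state object avoids by containing derived data only.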
I have spent several days trying to understand how a Chrome extension works when an HTTP request is made.
I am using the YARC (Yet Another REST Client) Chrome extension, but I guess it works the same for all of them, even Postman.
The first thing I see is that when I make the request, if I am using an HTTP traffic viewer like Fiddler, I can see the host is the same one I am making the request to (like www.google.com), whereas if I make an Ajax request or a PHP request the host is the one that has the script (like localhost).
The other thing is that I am making a POST request to a site to do a login that sets a cookie. If I make it with the Chrome extension, the cookie is set in my browser and then I can navigate normally on that page; the cookie is set and I am logged in. If I make this POST with Ajax or PHP it's impossible to set this cookie, because my host is on a different domain (localhost).
I can see I could do a form submit for this, but then I get redirected after the submit and it's impossible to avoid that. I would like to handle the response like the extension does, as if it were an Ajax call.
The main thing I see here is that the host is always on the same domain, and this could avoid all these problems. But HOW? Looking at the YARC code I can see they make this request as a regular AngularJS http call, which means Ajax, I am almost sure. Anyway, not even trying with AngularJS http can I get this to work.
What I actually need to know is how this Chrome extension can do this and how to set this cookie when I make this POST. I mean, the host sets the cookie on their own domain, because I can get the cookie but not set it, and I know it is impossible from a different domain.
Thanks in advance for all your help.
I have an AngularJS web application with Play Framework as the server side. I am using the Google+ sign-in button to authenticate users. I need to authenticate all my Ajax calls on the server side. After going through the documentation that's available on the net, I have a couple of options and questions on each.
Hook-up point: JavaScript Google sign-in, on successful sign-in, calls back a JavaScript method. The id_token that's returned along with the callback needs to be verified again on the server side, as recommended here. So the above-mentioned options can be added at this point in the server-side invocation.
Use an HttpOnly cookie and check it on each Ajax call. Can we be assured this will prevent CSRF attacks too?
Set an XSRF-TOKEN cookie; however, it should be set with HttpOnly = false. Only then will AngularJS be able to read it and set it as the X-XSRF-TOKEN header in all requests originating from it. Is it safe to expose a JavaScript-readable cookie and later rely on it being secure?