I am using React JS for the front end and Spring Boot for the backend. Now, I have a situation where I need to get some kind of browser signature or browser-specific information to store on the server so that on every new request, I can verify whether the user is hitting the URL from the same browser or from some other browser.
I have tried several ways to get browser-specific information at the backend but have not succeeded. Please guide me on which browser-specific information I can send/get in my Spring Boot URL and then store for the further verification process.
Thanks in advance!
I would try to set cookies on the client browser and track the cookie/session value on the server side.
For example you can set the cookie-
// create a cookie (assumes javax.servlet.http.Cookie and the HttpServletResponse
// of the current request are in scope; the value is a freshly generated UUID)
String uuid = UUID.randomUUID().toString();
Cookie cookie = new Cookie("someUniqueValueLike", uuid);
cookie.setHttpOnly(true); // not readable from page JavaScript
cookie.setSecure(true);   // only sent over HTTPS
cookie.setPath("/");
// add cookie to response
response.addCookie(cookie);
Read cookie
public String readCookie(@CookieValue(value = "someUniqueValueLike") String uuidString) {
    // verify the cookie value here, e.g. look uuidString up in the server-side store
    // and reject the request if it is unknown or expired
}
Can you, using fetch or by some other means, send a request with an HttpOnly cookie to the server in React?
I know HttpOnly means you can't access it with JS.
I'm thinking maybe you can't read it, but you can send it back? I don't know.
I want this:
A request to the server is made from the client (ReactJS SPA).
The server responds and sets an HttpOnly cookie.
The client gets the response; the cookie is automatically set by the browser.
With a new request to that same server, I want to send back that cookie. Is this possible using ReactJS?
Or maybe there are some ways to bypass that, like maybe opening a new window with simple HTML, not ReactDOM?
Thanks for your help.
Ok, I checked it out.
A cookie with HttpOnly set to true will still be sent using ReactJS, fetch, or any other request made with JS. You just can't read it using JS, but when using HttpPost, HttpGet, or others, the browser still attaches it to the request, even if it's HttpOnly.
I guess the lesson here is that the browser handles attaching cookies to requests, and it doesn't care if the request is made by HTML or JavaScript.
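The answer above is right that HttpOnly never stops a cookie being sent; what does decide it is the fetch credentials mode and the cookie's SameSite and Secure attributes, plus, for a cross-origin API, the CORS headers the server returns. The following is an added example, not code from the original thread: a small model of those rules, the fetch options a SPA needs, and the server-side CORS headers for a credentialed request. The origins and paths are placeholders.

```javascript
// Added example (not from the original thread). Models when a browser attaches
// a cookie to fetch(), and shows both halves of a credentialed cross-origin call.

// cookie:  { httpOnly, secure, sameSite: 'Strict' | 'Lax' | 'None' }
// request: { credentials: 'omit' | 'same-origin' | 'include', crossOrigin, crossSite, https }
// crossSite implies crossOrigin: app.example.com -> api.example.com is cross-origin
// but same-site; app.example.com -> api.other.com is cross-site.
function browserAttachesCookie(cookie, request) {
  // HttpOnly only hides the cookie from document.cookie; it never stops sending,
  // so cookie.httpOnly is deliberately not consulted here.
  if (request.credentials === 'omit') return false;
  if (request.credentials === 'same-origin' && request.crossOrigin) return false;
  if (cookie.secure && !request.https) return false;
  if (request.crossSite) {
    // Strict is never sent cross-site. Lax is sent cross-site only on top-level
    // navigations, which a fetch() call is not. None is sent, but browsers only
    // accept a SameSite=None cookie that is also Secure.
    if (cookie.sameSite === 'Strict' || cookie.sameSite === 'Lax') return false;
    if (cookie.sameSite === 'None' && !cookie.secure) return false;
  }
  return true;
}

// SPA side: the default credentials mode ('same-origin') drops cookies on
// cross-origin calls, so the request must opt in with 'include'.
function credentialedFetchOptions(method = 'GET', body) {
  const init = { method, credentials: 'include', headers: {} };
  if (body !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}
// e.g. fetch('https://api.example.com/profile', credentialedFetchOptions()) (not run here)

// API side: CORS headers for a credentialed request. Browsers reject
// Access-Control-Allow-Origin: * together with credentials, so the caller's
// origin is echoed back, and only when it is on the allow-list (placeholder).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

function corsHeadersForCredentialedRequest(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null; // no CORS headers: browser withholds the response
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // shared caches must not serve one origin's answer to another
  };
}
```

For the original question (SPA and API on the same origin) the default credentials mode already sends the cookie; the model shows that it is the cross-site case, not HttpOnly, where cookies silently go missing.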
I have a web application in a production environment. When the user logs out from the website and hits the back button, it should not take them back to the site. Once the user logs out, all the cache should be erased. I browsed through some sites, but I didn't get a proper solution. I am not getting how to implement the technique. Any help/advice is greatly appreciated.
Currently what I have done in my backend:
app.use(function(req, res, next){
res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
res.setHeader("Pragma", "no-cache");
res.setHeader("Expires", "-1");
next(); // hand off to the next handler; without this every request hangs
});
On the browser side
Local Storage to Manage Session
//To clear everything Or get your item and set it to null
localStorage.clear();
Session Storage to Manage Session
//To clear everything Or get your item and set it to null
sessionStorage.clear();
Cookies to Manage Session
$cookies.remove("userInfo");
NOTE: I would recommend that you use cookies with a random CSRF token to protect your clients from CSRF, by storing a randomly generated session key in SessionStorage.
As you currently do not have a session maintained in the back end, I would like you to read this thread:
How to end a session in ExpressJS.
And this https://expressjs.com/en/advanced/best-practice-security.html
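Clearing storage in the browser only deals with what the page itself can reach; an HttpOnly session cookie cannot be removed by localStorage.clear() or $cookies.remove, and a cached page is shown by the back button regardless. The following is an added example, not code from the question or the answer: the server side of a logout for Node.js, written in the (req, res, next) shape Express uses so the functions can be mounted with app.use and app.post. The `sessions` Map stands in for a real session store and the cookie name 'sid' is an assumed value; the clearing Set-Cookie must carry the same Path (and Domain, if any) as the cookie the login handler set.

```javascript
// Added example (not from the original thread): logout that the back button
// cannot undo. No Express dependency; handlers follow Express's signature.
const sessions = new Map(); // sid -> { userId }; stands in for a session store

// Mount on every authenticated route, not just /logout: it is the cached
// copies of pages viewed *before* logout that the back button would show.
function noStore(req, res, next) {
  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private');
  res.setHeader('Pragma', 'no-cache'); // for HTTP/1.0 caches
  res.setHeader('Expires', '0');
  next(); // hand the request to the next handler
}

// Pull the assumed 'sid' cookie out of the Cookie header, if present.
function sidFrom(req) {
  const m = /(?:^|;\s*)sid=([^;]*)/.exec((req.headers && req.headers.cookie) || '');
  return m ? m[1] : null;
}

// Guard for protected routes: once the session is gone, a cached or replayed
// request gets 401 instead of the page.
function requireSession(req, res, next) {
  const sid = sidFrom(req);
  const session = sid && sessions.get(sid);
  if (!session) {
    res.statusCode = 401;
    res.end();
    return;
  }
  req.session = session;
  next();
}

// POST /logout. Invalidate on the server first: that is what makes an old
// cookie worthless even if the browser, or an attacker, replays it.
function logoutHandler(req, res) {
  const sid = sidFrom(req);
  if (sid) sessions.delete(sid);
  // An HttpOnly cookie can only be expired by the server. Path (and Domain)
  // must match the original Set-Cookie or the browser keeps the old cookie.
  res.setHeader('Set-Cookie', 'sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax');
  res.statusCode = 204;
  res.end();
}
// With Express (not run here): app.use(noStore); app.post('/logout', logoutHandler);
// app.get('/account', requireSession, ...);
```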
I have two web apps, one for the web UI in AngularJS and one for the REST web services in Java. Both are deployed on separate domains.
The application uses a cookie for authentication. Whenever the user enters a valid username and password, the server returns an HTTP-only cookie containing the token, and that cookie is passed across all requests. I have enabled CORS on both apps; that's why the session cookie is working properly.
Now, I am trying to add CSRF protection for this. I was trying to use the CSRF cookie approach, where the server sends the CSRF cookie (not HttpOnly) as part of the REST response and the UI reads the value from the cookie and passes it in a CSRF token header for the other REST calls.
The problem I am facing with this approach is that since the server is in a different domain, I cannot read the cookie using $cookies in AngularJS. Is there a way to read the value of that cookie?
If not, can I implement CSRF protection in some other way?
I also tried to implement the creation of the CSRF cookie on the web UI itself in the browser, but the browser does not send the cookie to the web service as it's in a different domain.
So, my question is: how do I implement CSRF protection for this kind of situation?
You were on the right track with this:
I also tried to implement the creation of the CSRF cookie on the web UI itself in the browser, but the browser does not send the cookie to the web service as it's in a different domain.
The CSRF cookie isn't meant to be "sent" to the server, it is meant to be read by the client and then supplied in a custom HTTP request header. Forged GET requests (triggered by HTML tags such as <img src="">) from other domains cannot set custom headers, so this is how you assert that the request is coming from a javascript client on your domain.
Here is how you can implement the idea you were working on, imagine you have api.domain.com and ui.domain.com:
1) User loads the Angular client from ui.domain.com
2) User posts authentication information from the Angular client to api.domain.com
3) Server replies with an HttpOnly authentication cookie, called authCookie, and a custom header, e.g. X-Auth-Cookie, where the value of this header is a unique value that is linked to the session that is identified by the authCookie
4) The Angular client reads the X-Auth-Cookie header value and stores that value in a XSRF-TOKEN cookie on its domain, ui.domain.com
So now you have:
XSRF-TOKEN cookie on ui.domain.com
authCookie cookie on api.domain.com
5) User makes a request of a protected resource on api.domain.com. The browser will automatically supply the authCookie value, and Angular will automatically send the X-XSRF-TOKEN header, and will send the value that it reads from the XSRF-TOKEN cookie
6) Your server asserts that the value of X-XSRF-TOKEN is linked to the same session that is identified by the value of the authCookie
I hope this helps! I've also written about token authentication for Angular: Token Based Authentication for Single Page Apps (SPAs) (Disclaimer: I work at Stormpath).
AngularJS has built-in support for CSRF, but unfortunately it doesn't work cross-domain, so you have to build your own.
I managed to get it working by first returning a random token in the headers and cookies on the first request. In order to read the header you need to add it to Access-Control-Expose-Headers. This is then added to all POSTs:
$http.get('url').
then(function(response) {
// the server must list XSRF-TOKEN in Access-Control-Expose-Headers, otherwise
// response.headers('XSRF-TOKEN') is null for a cross-domain response
$http.defaults.headers.post['X-XSRF-TOKEN'] = response.headers('XSRF-TOKEN');
});
Then on the server you can compare the cookie value with the value in the header to ensure they are the same.
From the $http docs: Angular provides a mechanism to counter XSRF when performing XHR requests, but the header will not be set for cross-domain requests.
This is a small lib put together might help you https://github.com/pasupulaphani/angular-csrf-cross-domain
Trying to get all cookies on the current page using Chrome driver with Java.
Please help me retrieve all cookies on the page, so that after closing the browser I can open a new browser with the old cookies.
Using the WebDriver API available at:
http://selenium.googlecode.com/svn/trunk/docs/api/java/org/openqa/selenium/WebDriver.Options.html
Get all cookies for current page and parse to Collection of cookie Objects:
driver.manage().getCookies();
//TODO Parse results to Cookie Objects and Do what you want
Getting cookies from all domains
In automated tests there might be instances where we have to validate cookies of a website.
Webdriver has simple and powerful API to retrieve cookies of current page domain. Here is the sample code to read cookies:
public Dictionary<string, string> GetAllPageCookies()
{
return _driver.Manage().Cookies.AllCookies.ToDictionary(cookie => cookie.Name, cookie => cookie.Value);
}
I have an AngularJS app which you start like this:
> http://localhost:8000/app/index.html#/test/864/38383838383
The last number is a token which authenticates the user. It works fine. If I start my app with a valid token, I get a cookie/JSESSIONID from the server which I can use for my other HTTP requests. If the user starts the app again with the same token, you get an error because the token is invalid. Also OK. My question now is ... if I start the app with a valid token and I get a JSESSIONID ... and if I start the app again with the same token in a second browser tab/window ... is it possible to check/get the JSESSIONID from the other tab/window without going through the authentication process again?
Best regards
I think you should remove the JSESSIONID from the URI and store it in a cookie. The browser will send all the cookies set for a domain with each request, so your server code will know that it is the same session.
You do not have to do anything AngularJS-specific for this to work. Just configure session tracking mode to COOKIE in your server-side code.