Okay so this is my current situation.
I am trying to send an ajax request to api.mysite.com from main.mysite.com. Everything is working fine but cookies are not being sent.
Based on couple hours of research, it seems like I need to change the domain of cookie.
In my case, cookie domain is main.mysite.com, and cookie domain should be .mysite.com if I want to include cookie in ajax requests.
So my question is...how do I change the cookie domain? Or are there any other ways to do it?
My current stack is
nginx for reverse proxy |
node.js(express.js) for front end server |
python(flask) and mysql for api server |
redis for session saving
They are all running in a same box.
It depends on how you are setting cookies. One way to this is While setting a cookie, use domain attribute to set a cookie wrt .mysite.com.
Attributes of HTTP cookie
Related
I am using HAProxy(open to alternatives) as a Rotating proxy server for my python crawler. I want a persistence session in HAProxy.
But not able to do so, because HAProxy cant change the headers of an HTTPS request.
Am using this
backend bk_web
balance round-robin
cookie SERVERID insert indirect nocache
my HAProxy server is not adding this cookie to the HTTPS request.
Thanks
Session persistence is usually when you want to persist your client to a specific backend server. However, you seem to indicate that you want to use it as a rotating proxy server, so I'm not quite sure you really want session persistence.
Are you terminating HTTPS in HAProxy? You need to terminate HTTPS in HAProxy (or any proxy for that matter) in order to modify headers within an HTTPS session. Alternatively, you can use HAProxy's stick-tables for persisting TCP connections where header modification is not possible or balance source
According to the Flask Documentation, I should be able to set a cookie with a domain path for domains besides my own like this:
resp = make_request(render_template(index.html))
resp.set_cookie('cookiekey', 'cookievalue', domain='notmydomain.example.com')
I was able to set cookies for my domain with just
resp.set_cookie('cookiekey', 'cookievalue')
and they were accepted by the browser (Chrome). However, when I try to set the domain, they don't appear in the browser. Further, testing with postman reveals that the Set-Cookie headers are sent, and are correct.
Does this mean the browser is simply ignoring my request, and if so how can I get it to accept my Set-Cookie headers?
TL;DR: you can't set cookies for domains completely separate from your current domain.
Setting cookies for domains outside of your control would pose an immense security risk. The domain attribute only allows you to set cookies for either the whole domain or a subdomain. This is how, for example, a system can log you in via a subdomain such as "auth.example.org" then redirect you to "example.org".
In practice, "unified" sign-in systems are complicated: challenges are used and data might be exchanged through a backend, not relying on the browser to properly allow other subdomains to access the original cookie.
How authentication works in tornado with set_secure_cookie method?
where are these cookies get stored for multiple users ?
how can we authenticate each API calls inside the framework ?
Cookies are just HTTP headers. Nothing special. Cookies work like this:
Browser sends a request to server. This can by any request, like a regular page request, or a login form submission. For this example, let's just talk about a login request.
Server will look at the submitted username and password and make sure they are correct. Then server will set a cookie on this browser so that it can later identify the user. To set a cookie, the server will send a header called Set-Cookie along with the response. It will look like this - Set-Cookie: sessionId=username.
When the browser will get the response, it will also notice that there's a SET-COOKIE header on the response. Now the browser will save this value somewhere on your computer, it doesn't matter. What matters is after this, whenever the browser will send the request to your server, it will also send this cookie in the request headers like this - Cookie: sessionId=username.
Next time, server will also notice the Cookie header in the request. And so, it will get the username of the logged in user from there.
And that is how cookies work.
Now to answer your questions:
How authentication works in tornado with set_secure_cookie method?
You might have noticed a big security flaw in the above example. To identify the user we have set the sessionId value in plain text. Anyone can easily send a different username in the cookie and our server will treat them as that user. For example if Alice wants to hack Bob's account, all she has to do is send the session cookie like this - Cookie: sessionId=bob. And our server will treat Alice as Bob.
This is where the set_secure_cookie method comes in. It will set a signed token, instead of a plain username. Tornado will set signed cookies based on your cookie_secret setting value. This is secure because cookies are signed based on the cookie_secret which nobody knows accept you. The cookie will look like this - sessionId=slsafj7987LJflsfslfljk68686sfj. Now, Alice can't impersonate as Bob.
where are these cookies get stored for multiple users ?
Nowhere. Since the cookies are signed, Tornado will decode the value from the signed cookies as the request comes in. For example if a cookie header looks like this - Cookie: sessionId=alksjfl98798yfaslkdjf. Tornado will decode this - alksjfl98798yfaslkdjf value to extract the encoded username. It happens on-the-fly.
how can we authenticate each API calls inside the framework ?
Do the API calls require session, like user authentication so that users can see and edit their account etc? Then all you need is set_secure_cookie method.
If the API calls are independent of each other, then you should let your users use your APIs with an "access key". You will need to store these access keys in a database. Your users will send this access key with every request, in the form of an HTTP header or just a request query parameter:
# as a header
API-Access-Key: <long-random-key>
# OR as a query string
http://yourserver.com?key=<long-random-key>
So I'm currently learning the python requests module but I'm a bit confused and was wondering if someone could steer me in the right direction. I've seen some people post headers when they want to log into the website, but where do they get these headers from and when do you need them? I've also seen some people say you need an authentication token, but I've seen some other solutions not even use headers or an authentication token at all. This is supposedly the authentication token but I'm not sure where to go from here after I post my username and password.
<input type="hidden" name="lt" value="LT-970332-9KawhPFuLomjRV3UQOBWs7NMUQAQX7" />
Although your question is a bit vague, I'll try to help you.
Authentication
A web browser (client) can authenticate on the target server by providing data, usually the pair login/password, which is usually encoded for security reasons.
This data can be passed from client to server using the following parts of HTTP request:
URL parameters (http://httpbin.org/get?foo=bar)
headers
body (this is where POST parameters from HTML forms usually go)
Tokens
After successful authentication server generates a unique token and sends it to client. If server wants client to store token as a cookie, it includes Set-Cookie header in its response.
A token usually represents a unique identifier of a user session. In most cases token has an expiration date for security reasons.
Web browsers usually store token as a cookie in internal cookie storage and use them in all subsequent requests to corresponding website. A single website can use multiple tokens and other cookies for a single user.
Research
Every web site has its own authentication format, rules and restrictions, so first thing you need to do is a little research on target website. You need to get information about the client sends auth information to server, what server replies and where session data is being stored (usually you can find it in client request headers).
In order to do that, you may use a proxy (Burp for example) to intercept browser traffic. It can help you to get the data passed from client to server and back.
Try to authenticate and then browse some pages on target site using your web browser with a proxy. After that, using your proxy, examine what parts of HTTP request/response do client and browser use to store information about sessions and authentication.
After that you can finally use python and requests to do what you want.
I have a series of different domain names that I would like to all point (via URL forwarding from my domain host) to a google app engine application that reads what the forwarding URL is. So if the domain typed in was original XYZ.com, then when I am forwarded to my application, I can return what that original domain name was. I'm using the python variant. How best can I do this without coding for each and every variant?
Generally, the target of a 301/302 redirect can't determine what URL issued the redirect. If the user is redirected by client-side code, the referring page should be present in the "Referer" request header. For server-side redirects, I don't believe it's standard for user agents to populate (or override) the Referer header.
If you want to point multiple domains to your App Engine app, try configuring them as custom domains rather than forwards. With this route, the custom domain would stay in the user's address bar, and you can simply check the host header to see which custom domain the visitor is using.
If by forwarding you mean HTTP redirection, you can check the Referer header.
If you mean DNS resolving (e.g. distinguishing between your application being invoked via your own domain and .appspot.com one), there is SERVER_NAME environment variable (os.environ["SERVER_NAME"]) that stores the domain (e.g. www.example.com) used to issue the request.
If you are using a javascript redirect, that you can just check the referrer:
http://en.wikipedia.org/wiki/HTTP_referrer
but this is not a 100% solution.
If you have multiple domains parked on one appengine instance and you just want to know which one the user is viewing, you can check the host name in the request object.