In my rails app, I am using a cookie called user_session user can access my rails app using https or http they can configure it.
Problem
user_session cookie is set to http only but I want to make it as secure too.
If user access my app using http then the cookie will be in http only if he is using https then it will be set as secure cookie. I don't want to use 2 different cookies.
Configuration:
SampleApp::Application.config.session_store :cookie_store, key: '_user_session'
If I force :secure => true then this cookie is not available for the users who are all accessing in http request.
If any other details required please comment it out.
Related
I've created an application in Laravel 9 with sanctum. I am testing it via Postman. Everything is working on development server (localhost). On Production server (online) it login successfully and returns sanctum token but when I try to access protected routs with the token it returns 401 Unauthenticated.
All the routs (login and protected) are in the api.php
for login I'm using Get request without any headers.
To access protected routs I use Post request and in Authorization I select Bearer Token and provide the token created and returned after login. As Header I provided Key: Accept and Value: application/json and also tried application/vnd.api+json as value in the same.
What I've tried on production server.
Adding below lines one by one to .env
SANCTUM_STATEFUL_DOMAINS=localhost
SANCTUM_STATEFUL_DOMAINS=localhost:4200
SANCTUM_STATEFUL_DOMAINS=*.mydomain.com:443
SESSION_DOMAIN=.mydomain.com
and also change APP_URL from localhost to mydomain
but nothing works.
any help will be appreciated.
I have an admin dashboard react app that's running on admin.localhost.com:3000. I have an api server that's running on www.localhost.com:1337, and we have one react app for all clients, but each client uses it on a subdomain, for example, abc.localhost.com:4200, bcd.localhost.com:4200.
So from my admin dashboard I'm trying to log into abc as a client. The api server, when requested, verifies the admin, sets the cookie in the response for abc.localhost.com:4200 and responds with link for the client https://abc.localhost.com/home. The browser code passes the link to window.open().
However, if I check the browser tab for https:abc.localhost.com:4200, I don't see the cookie, so obviously the authentication fails.
res.cookie('token', token, {
secure: true,
domain: `abc.localhost.com:4200`,
sameSite: 'Lax',
maxAge: moment()
.add(10, 'minutes')
.valueOf(),
})
withCredentials is enabled for the client side agent, and the api server is configured accordingly.
It can't be done, server running on www.localhost.com:1337 can't set cookies for abc.localhost.com:4200. Allowing that would be apocalyptic.
I need to use Apache HttpClient (4.x) to make 3 consecutive web calls and essentially log me into my app programmatically:
An HTTP GET to a login page (http://myapp01.example.com)
The server will respond to this GET with a response cookie "JSESSIONID"
An HTTP POST to the same page (using the same JSESSIONID as a request cookie)
The server now authenticates me and validates the JSESSIONID.
An HTTP GET to a different page under the same domain (http://myapp01.example.com/fizz), again using the same JSESSIONID as a request cookie
The first GET's response will contain a cookie named JSESSIONID. The POST will then log me in to the server (sending username and password data in the POST request body). This POST will also send (Set-Cookie) the JSESSIONID cookie received from the first GET. If my logins are successful, the JSESSIONID will now be authenticated, and I am logged in. I can then make the 2nd GET call (still using the same JSESSIONID) to /fizz which is ordinarily an authenticated URL.
Can this be done in HttpClient 4? I see there is a method HttpClient.getCookieStore(). but this seems to only store cookies per GET/POST/PUT/etc.
Any ideas as to how I can get this holding cookies across multiple requests, such that any cookies returned by the server are then added to subsequent requests?
Apache HttpClient takes care of that automatically (since version 2)
I am creating an application based on Rails and AngularJS. I would like to implement an authentication system by using gem Devise.
I am wondering how to do it. I read some articles about attribute :token_authenticatable : I will have to put my token at the end of all requests I will send.
I have also read this demo project https://github.com/sectore/CafeTownsend-Angular-Rails
They have implemented a SessionService which can create and delete server session. (I suppose, I can use Devise for this job). In rails controler, they get session[:user_id] to know if user is authenticated or not...
My question : Do I need a token system or a cookies system to authenticated my requests ?
Thanks
If your server will be on the same domain as your client, ie: will only be expecting request from your angular client, and the client is hosted on the same URL as the server, then you should use cookies over ssl (for simplicity), EG:
Your site:
www.myangularsite.com/somepage
Your Server
www.myangularsite.com/someserverfunction
They both have the same domain.
However, if you plan on having your server side on a different URL, maybe as an API, then go with tokens, EG:
Your site:
www.myangularsite.com/somepage
Your Server
api.myangularsite.com/someserverfunction
or
myrubyapi.com/someserverfunction
The URL domain is different.
normally browser stores and adds authentication header automaticly after successfull authentication.
I have a XMLHttpRequest and added the authentication header for basic auth. No problem at all.
Then I try to send a second request to the same url that is basic http protected without adding manually the http request header to this request. Poorly it seems that the browser is not storing the authentication provided in request 1. My goal is to add the authentication handler transparently to every request that follows the first one (like a native browser do).
Any idea? Thanks.
Browser only storing authetication requested from user. So, if you send 1st request w/o authentication fields, browser will prompt user for auth this time, remember credentials and use it for next requests transparently.