How to get jsessionid shown in browser console in worklight. I have tried document.cookie, but it was invain. I am able to get only WL_PERSISTENT_COOKIE value here.
var sessionId = document.cookie;
Edit:
Pls see http://i.stack.imgur.com/VMm5p.png
On giving document.cookie, I am getting the value of WL_PERSISTENT_COOKIE. But I need the value of JSESSIONID.
JSESSIONID in Worklight is flagged as HttpOnly.
This is a security feature that prevents JavaScript access of a cookie, therefore reducing risks of XSS attacks.
They may be workarounds I don't know about.
Read more: https://www.owasp.org/index.php/HttpOnly
Related
I want to automate requests on a website and when doing so, I need a session cookie in order to identify myself.
When checking the network tab, I can clearly see the session cookie, but when checking the Application tab, this cookie is not shown. After accessing this website with selenium and calling driver.get_cookies() with Python, I only get the cookies shown in the Application tab.
I need to do this with selenium because this way it's possible to login. Only using requests will not work.
I do not have many clues on how to get that cookie and have almost 0 experience in this field, hence my question.
I would like to use a SameSite=Strict cookie to mitigate CSRF for GET-requests.
The cookie consists of a randomly generated string, and is set the following way:
"Set-Cookie: CSRF_TOKEN=random_string; Path=/; SameSite=Strict; Secure"
I'd expect the cookie not to be sent back to the server, if
I click a link embedded in a site on a different domain
I click a link somewhere else (e.g. in an email) which causes a new browser-tab to open
I paste the url to my site into the address bar of a new tab (see comments)
But all of the tests above failed, i.e. the cookie always got sent to the server.
Is this expected behavior?
NOTES:
My page is accessed through its IPv4-address, no domain name is associated to it.
I am using http basic authentication.
I tested this in Google Chrome 96, Microsoft Edge 96 and Firefox 94.
Regarding point 2, actually cookies are sent when SameSite is Strict and following a link in an Email, so long as the Email client is a standalone application and not browser-based. If it is browser-based, it is a cross-domain link and blocked for that reason. But following a link in an Email does count as a first-party request, ditto following a link in another application like Word. I made a short YouTube video demonstrating it as it does seem to cause confusion.
Regarding 1, that definitely should not result in the cookie being sent. To confirm SameSite really is set to Strict on your cookie, open the browser's developer tools and look at your cookie and check the attribute is set as you expected.
I'm trying to call my /auth/user endpoint to get the current user that's logged into my website. But because of the new Chrome update I need to somehow set 'sameSite' and 'secure'. Anyone know of how I can get around this? Am I doing something wrong with cookie-session?
The cookie gets sent by express just fine, but it doesn't come with sameSite and secure settings that I specify in the cookie-session settings (see image). I tried with express-session as well, but for some reason the sameSite and secure settings never propogate to cookie used for oauth.
Btw, the authentication works on localhost addresses, but when I deploy from frontend and backend with heroku, I encounter the issue where I need to set sameSite. Would setting up a proxy or something get around the sameSite issue?
I am working on the same issue. SameSite=None needs the cookie to be secure
https://www.chromestatus.com/feature/5633521622188032
Eventhough I have set "secure: true" I am still seeing the cookie not being created on Chrome, but I do see it on Edge
After 3 days trying to figure It out. I finally found a way around this issue, It's not a fix, I'm quite sure PassportJS will come with a solution for that eventually, but for now It allowed me to get the user from the authentication.
Since we are not being able to get the user from the cookie, but the information is in the server session, the way to get this information is to add to the 'server.js' a route to get the user directly from the server session:
app.get('/api/getUser', (req, res) => {
res.json(req.session.user);
});
For some reason, I suppose the lack of cookie somehow, using the req.session inside of a router is returning undefined, but If used inside 'server.js' (or your server index file) It gets the session.
If you need the req.user._id or some other sensitive information for other requests, I would recommend returning a jwtToken with this information to the frontend (in res.json), then save the token directly in localStorage and pass the token in the body of your requests, is not the ideal, but It's the safer way I could think to keep the ids safe.
I hope It can help you!
My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.
I've recently upgrated to 0.1.1 from 0.13, and after a few hiccups it seems to be working. I can login to my app using most browsers (IE9-11, FF, Chrome) when running in development on my local machine.
When I deploy to a staging environment on heroku I'm seeing some strange behaviour on IE (9-11). Basically it looks like the bearer token is never being set. After looking through the code for ember-simple-auth I can see that it uses the ajax prefilter function to add the bearer token prior to a call back to the server. When I look in the Network tools on IE the token isn't there, so I always receive a 401 and am transitioned back to the index page.
I can see the login call to retrieve the token working, it just is never added to any subsequent calls.
I've looked for bugs with jQuery, IE and prefilter but haven't turned anything up. The code on staging is minified and concatenated, which makes debugging somewhat problematic.
Any suggestions on what to try next much appreciated.
I've tracked this down to an issue with HTTPS and ports in ember-simple-auth. Details can be found in this issue.