weblogic jsessionid cookie-secure - weblogic

I want to set session cookie to "secure", but I want to be able to access the app with http on some test boxes and https in upper environments.
I am setting JSESSIONID to cookie-secure=true this way:
weblogic.xml:
    <session-descriptor>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
    </session-descriptor>
HTTPS requests work fine, but every request on non-ssl protocol yields a new JSESSIONID. Is there some other setting I can use to conditionally set cookie-secure?

It's not necessary to make the JSESSIONID cookie secure if the Auth Cookie Enabled flag is checked, which is the default in the WebLogic console.
Setting AuthCookieEnabled to true, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
Thus, WebLogic Server uses two cookies: the JSESSIONID cookie and the _WL_AUTHCOOKIE_JSESSIONID cookie. By default, the JSESSIONID cookie is never secure, but the _WL_AUTHCOOKIE_JSESSIONID cookie is always secure. A secure cookie is only sent when an encrypted communication channel is in use. Assuming a standard HTTPS login (HTTPS is an encrypted HTTP connection), your browser gets both cookies.
For more info, please see
http://docs.oracle.com/cd/E23943_01/web.1111/e13711/thin_client.htm#autoId4
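The symptom in the question and the two-cookie behaviour in the answer both follow from how a browser treats the Secure attribute. The model below is an added example, not WebLogic code or part of the original posts; the Set-Cookie values are constructed samples and the function names are hypothetical.

```python
# Constructed Set-Cookie values (not captured from a real server).
DEFAULT_LOGIN = [  # two-cookie behaviour described in the answer
    "JSESSIONID=s1; path=/; HttpOnly",
    "_WL_AUTHCOOKIE_JSESSIONID=a1; path=/; secure; HttpOnly",
]
COOKIE_SECURE_TRUE = [  # the question's weblogic.xml setting
    "JSESSIONID=s1; path=/; secure; HttpOnly",
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, arg = part.partition("=")
            attrs[key.strip().lower()] = arg.strip()
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}

def cookies_sent(set_cookie_values, scheme):
    """Names a browser would attach to the next request over `scheme`.
    Cookies carrying Secure are withheld from plain-http requests."""
    jar = [parse_set_cookie(v) for v in set_cookie_values]
    return sorted(c["name"] for c in jar
                  if scheme == "https" or "secure" not in c["attrs"])

def missing_flags(set_cookie_values, wanted=("secure", "httponly")):
    """Map cookie name -> flags from `wanted` that the server did not set."""
    report = {}
    for c in map(parse_set_cookie, set_cookie_values):
        absent = [f for f in wanted if f not in c["attrs"]]
        if absent:
            report[c["name"]] = absent
    return report

if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_LOGIN),
                           ("cookie-secure=true", COOKIE_SECURE_TRUE)):
        for scheme in ("http", "https"):
            print(label, scheme, cookies_sent(headers, scheme))
    print(missing_flags(DEFAULT_LOGIN))
```

With cookie-secure=true the browser returns no session cookie over plain http, so the server sees every such request as session-less and issues a fresh JSESSIONID.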

Related

Need to Receive HTTP Request Sent to HTTPS:// URL in VB.Net Desktop App

My VB.Net Windows form desktop application needs to complete an OAuth2 authorization to access online data from Intuit (QuickBooks Online). I am able to successfully (1) obtain the URL of the authorization web page, (2) redirect the user to that page, (3) receive the authorization code in the HTTP request from the URL redirect using HTTPListener when the URL is "localhost" and finally (4) retrieve the access token.
However, to use this app in production, the redirect URL cannot be "localhost" and must be https, not http. When I set the HTTPListener to monitor an https URL (e.g. https://www.stinsonsolutions.com, my web site), it does not receive any HTTP request like it does when set to monitor "localhost".
I saw one post suggesting opening a certain port in my firewall, but since this app will be deployed to other users, that solution would not work. Is it not possible to listen to an https URL outside my app with HTTPListener, or am I missing a step? If it is not possible with HTTPListener, what can I use in my desktop application to receive the HTTP request sent to a https redirect URL?
Thanks.

401 unauth response in Kerberos

Just noticed that with Kerberos authentication, the client browser always gets a 401 response first (with WWW-Authenticate: Negotiate header) and in the next request the actual Kerberos token is sent for authentication (handled internally by the browser).
For the first time it's fine, but for every subsequent request why is this process repeated? Once the client knows that the server supports Kerberos, why doesn't the client store a cookie to indicate that every time I need to send the auth token?
I understand that the NTLM protocol is designed like this, but want to understand why?

HTTP is stateless. Unless the server tells the client it should persist a state (via server cookie), the client should never assume anything about the server's intent.
More to the point it's wrong to assume that either party can always do Kerberos. The server originally said it wanted to Negotiate, and Negotiate contains a set of available protocols in preferred order (Kerberos, NTLM, etc.). A client can do Kerberos when it has line of sight to a KDC, but it can do NTLM in any/most circumstances, and it prefers Kerberos.
Additionally, once the client is authenticated the server may respond with a session cookie. The browser doesn't understand the contents, so it has no idea what happened. The server must then always indicate to the browser that it needs to auth up again (via 401 + WWW-Auth).

How can I authenticate a websocket connection where client and server reside on separate domains?

I'm currently playing around with SignalR and websockets. From my research, it seems, as websockets do not support custom headers, there's basically only two ways to authenticate a websocket connection during token based authentication.
1) Passing the token in the query string
2) Storing the token in a cookie which then gets passed to the server when WithCredentials is set to true
The first method isn't great practice - even though websocket communication is encrypted, query strings may be logged by servers etc.
The second method I have got working on my local machine but it doesn't work once deployed because my client and server reside on different domains. So basically, I have an Angular site that has one domain (eg. client.com) and a WebAPI site that allows CORS with a completely different domain (eg. server.com). On my browser, if I'm on client.com, I cannot set a cookie that gets sent to server.com on a request.
What is a good way to authenticate websockets when client and server sit on different domains?

The WebSocket Protocol specification doesn't specify any particular way for authentication. You need to perform the authentication during the handshake phase and for that you can use any HTTP authentication mechanism like Basic, Digest, etc.
Further you could look into JWT token based authentication. Angular app can store the token in local storage and send it as a Transport header during the handshake request to the server. If the token is invalid, server can terminate the WebSocket connection upgrade request and the Angular app can re-direct the user to login page.
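A server-side sketch of the handshake check the answer describes, as an added example that is not from the original posts or from SignalR. It assumes the client can present the token as an `Authorization: Bearer` header on the upgrade request and that tokens are HS256 JWTs signed with a shared key; the key, `sign_token`, `verify_token` and `handle_upgrade` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 key shared with the token issuer

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, key=KEY):
    """Build an HS256 JWT; used here only to construct sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_token(token, key=KEY, now=None):
    """Return the claims if alg, signature and exp all check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return None  # pin the algorithm; do not let the token choose it
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    return claims if isinstance(exp, (int, float)) and exp > now else None

def handle_upgrade(raw_request, now=None):
    """Status line for a WebSocket handshake given as raw request text.
    A real 101 reply also needs Sec-WebSocket-Accept; omitted here."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return "HTTP/1.1 400 Bad Request"
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or verify_token(token.strip(), now=now) is None:
        return "HTTP/1.1 401 Unauthorized"
    return "HTTP/1.1 101 Switching Protocols"
```

Rejecting with 401 before the upgrade means no WebSocket frames are ever exchanged with an unauthenticated peer.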

Java webapp - client certificate authentication URL

The SecureRequestCustomizer allows us to get the certificate(s) in the HTTP request. This setting is active for the whole jetty server (all URLs). So as soon as one requests any page from the server, the browser will ask what certificate to use.
Is it possible to have only a specific URL request the client certificate?
I would like to have a dedicated /webapp/login-cert URL that would trigger the browser popup to pick a certificate.

How does the communication with an HTTPS Web Proxy Work?

I wish to setup an HTTPS proxy and have HTTP clients send requests securely to the proxy. For example, a browser can initiate a HTTP GET request which should be an encrypted request to the proxy and the proxy then removes the encryption and then passes the request to the end-site. Squid proxy can be set up to work like this (info here).
I have set up such a HTTPS enabled proxy. But I am unable to write my own HTTP clients to work with it. The same link above mentions that chrome is the only browser that supports such a proxy. I tested Chrome and it was able to work with such an HTTPS proxy.
I wish to gain an understanding of how such a proxy works so that I can write my own HTTP clients.

As I understand it, it's a connection to regular HTTP proxy BUT this connection is made over TLS. The client indeed needs to support this scheme explicitly and existing clients as-is can't be tuned up (without extra coding).
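A minimal client for the scheme described in the answer, as an added example that is not from the original posts: open a TCP connection to the proxy, wrap it in TLS, then speak ordinary proxy-form HTTP inside it. It covers only the question's case of a plain http:// target; the function names and the proxy host, port and CA file are hypothetical parameters.

```python
import socket
import ssl
from urllib.parse import urlsplit

def build_request(target_url):
    """Proxy-form request: the request line carries the absolute URI,
    exactly as it would for a regular (cleartext) HTTP proxy."""
    parts = urlsplit(target_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("this sketch only forwards plain http:// targets")
    return (f"GET {target_url} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_status(response):
    """HTTP status code from the response bytes relayed by the proxy."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    return int(status_line.split(" ", 2)[1])

def fetch_via_https_proxy(target_url, proxy_host, proxy_port, cafile=None):
    """Send target_url through a TLS-wrapped proxy and return the raw response.
    The default context verifies the proxy's certificate and hostname, so the
    client-to-proxy hop is both encrypted and authenticated."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(build_request(target_url))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```

Only the hop to the proxy is protected here; the proxy forwards the request to the end site in cleartext, as the question describes.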