My application has a PHP server and a client (a JS single-page app). They are separate projects and deployed in different domains. The client consumes a RESTful API exposed by the server.
This application is to be integrated with a third party which handles authentication, so users cannot login directly. Our server just receives an SSO token (which comes appropriately signed so that we verify its integrity).
We also enforce security at the transport layer for all requests.
What I'd like to do is, once the SSO token is verified, start a session of my own and then redirect the user to the client. I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls, but it doesn't seem to be the case.
Is this deliberately disabled due to security reasons?
You must set withCredentials to true for cross-origin XHR requests to include cookies.
The CORS response must also say Access-Control-Allow-Credentials: true (which is why withCredentials defaults to false).
I thought that once the session was created the browser would automatically send the right Cookie header in the asynchronous API calls
Not for cross-domain requests for CORS-enabled resources (which seems to be the case here, if I understand your described setup correctly).
To make that happen, you need to set the withCredentials flag.
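Added example (not part of either answer above, and not the asker's code): both halves of a credentialed cross-origin call. The server side decides the CORS headers for a request, refusing unknown origins instead of reflecting them and never combining a wildcard origin with credentials; the client side shows the fetch and XMLHttpRequest opt-in that makes the browser attach the session cookie. The SPA origin and API base URL are assumptions for the illustration.

```javascript
// Added example, not from the original answers: both halves of a credentialed
// cross-origin call. The SPA origin and API base URL are assumptions.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed SPA origin
const API_BASE = 'https://api.example.com';                  // assumed API origin

// Server side: decide the CORS response for a request. The browser only
// attaches cookies to a cross-origin call if the response carries
// Access-Control-Allow-Credentials: true AND an exact Allow-Origin; "*" is
// rejected by the browser when credentials are involved, so the Origin is
// checked against an allowlist and echoed back, never wildcarded.
function handleCors(method, origin) {
  if (origin === undefined) {
    // No Origin header: same-origin or non-browser client, nothing to add.
    return { status: 200, headers: {} };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: refuse rather than reflecting it back.
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response depends on Origin, so caches must key on it
  };
  if (method === 'OPTIONS') {
    // Preflight for non-simple requests (JSON bodies, custom headers).
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Client side (runs in the SPA): opt in to sending the session cookie.
// Without credentials: 'include' the browser omits Cookie on cross-origin fetch.
function apiRequestOptions(method = 'GET', body = undefined) {
  const opts = { method, credentials: 'include', headers: {} };
  if (body !== undefined) {
    opts.headers['Content-Type'] = 'application/json';
    opts.body = JSON.stringify(body);
  }
  return opts;
}

// The same opt-in with XMLHttpRequest: the flag the answers above refer to.
function openCredentialedXhr(xhr, method, path) {
  xhr.open(method, API_BASE + path);
  xhr.withCredentials = true;
  return xhr;
}
```

In the SPA, `fetch(API_BASE + '/me', apiRequestOptions())` then carries the cookie set during the SSO redirect; `handleCors` is what the PHP side has to reproduce in its response headers, including the 403 for origins it does not know.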
So I am trying to implement Google Login in my application. On the client side I have an Android app and a web app which interact with the RESTful API server in PHP (Cartalyst Sentinel 2.0 for authentication).
I am facing multiple issues.
REDIRECT URI
//setting up google api client
require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader for google/apiclient
$client = new Google_Client();
$client->setClientId($CLIENT_ID_WEB);
$client->setClientSecret($CLIENT_SECRET_WEB);
$client->setRedirectUri($redirectUri);
// scopes requested from Google
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/plus.me'));
To instantiate the client I need to provide a redirect URI. In the case of the client being the web app there seems to be no issue, as I am providing the same redirect URI at the client and server end. But when it comes to Android there is no redirect URI. I read somewhere that 'postmessage' as the redirect URI works, but it didn't for me. Without the redirect URI the client throws an "invalid json token" error.
Any help on this ?
cartalyst_sentinel cookie is null in the requests from the web client.
There seems to be no issue in the case of a normal login (api.domain.xyz/login) through credentials. But when at the server end I log the client in from a different route (api.domain.xyz/blabla/google/login), the value of the cartalyst_sentinel cookie goes null even though the Set-Cookie headers were sent as response headers.
Set-Cookie headers being sent (there are two, which worries me, but it works this way as well in the case of native login)
The cookie becomes null in the requests which follow after login.
I have read a lot by now about these issues and have tried any number of methods, but none seem to be working.
There were only two things that seemed a bit valid.
The case of the redirect URI can be sorted out by instantiating the Google API client with a config file (google json or developer key maybe).
The case of the missing cookie is due to cross-domain cookies, or maybe due to the login being done through a nested route (sounds silly, I know, but I found it somewhere on Google).
Any help appreciated.
I have an Angular app making $http requests to a PHP server. Once a valid login request has been submitted to the server, PHP creates a JWT and sets the token cookie using PHP's setcookie() function with the httponly flag set to true. This flag allows only the server to read the cookie. On each subsequent Angular $http request, the cookie is validated by PHP using $_COOKIE.
My question is would setting the cookie in PHP for only the server to read be safe enough from CSRF or would I need to have Angular create an additional XSRF token to be sent on each request to be evaluated as well?
I read the following Stormpath article but got a little lost on why he was setting an xsrfToken in the JWT payload. My guess was to have Angular create an XSRF token to match against.
Thanks for any advice/input.
CSRF attacks work by exploiting the fact that your authentication cookie is sent by the browser to the server automatically with each request. Normally, a JWT isn't passed to the server using a cookie, it's instead passed in the authentication header of your http request (it may be stored in a cookie on the client side but the cookie isn't used to pass the JWT to the server). Since you need to set the authentication header for each request, a CSRF attack cannot authenticate its malicious request since the browser isn't automatically sending an authentication cookie with each request. This is why JWTs help prevent CSRF attacks.
That said, if you store your JWT in a cookie and transfer the cookie back and forth, extracting the token to check authorization policies, then you are just as susceptible to CSRF attacks as standard cookie authentication. In this case you can add anti-forgery tokens to your requests to ensure that any HTTP requests that your server receives have come directly from your website.
I am currently learning about OAuth2, and I am slightly confused about one part of it. Does the OAuth2 server compare the domain in the JWT with the domain in the request header?
What prevents someone from ripping a bearer token out of a JS app and then using it to make fraudulent API requests? Even if HTTPS is used, the token sent back from OAuth2 still has to be stored before it can be used in subsequent requests, thus making it vulnerable. What am I missing?
Edit: what if I create an oauth2 token from a non-browser client and there is no domain name to match against?
Nothing prevents it from being used. That's why you store it safely or you don't store it at all.
I have a web server written in PHP, and there are some PHP script files for database access. I'm writing a Qt app to send GET/POST requests to the remote PHP scripts. However, it's not convenient to verify user identity for each request. So I want to use session control on the web server, but I don't know how to do that in a Qt application.
As Orangepill and PLB said, the solution is passing cookies with the request URL; you may refer to QNetworkAccessManager::setCookieJar.
Steps
Instantiate the QNetworkAccessManager object and call setCookieJar on it.
Send a POST request to the authentication page which activates a session. The cookies returned by that page will then be in the cookie jar.
Send requests to the pages under the domain; the session will stay alive.
Is PHP able to maintain a session with devices that aren't using a browser to communicate with the server? I know that any application is capable of adhering to the HTTP protocol, but for languages like ActionScript 3 and Java that have HTTP request classes in their frameworks, do they send the necessary parameters for PHP to hold a session like it does with a browser?
Any HTTP client library can support cookies (which is how PHP maintains session token state across requests by default). Some will handle cookies automatically, some will require it to be turned on in a preference, some will just provide an API to access the headers (which include the cookies).
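Added example (not from either answer; not the Qt code or a PHP library): what the cookie jar in the Qt answer above and the "some will require it to be turned on" remark here actually do. It is a minimal jar for a non-browser HTTP client that records Set-Cookie headers from a login response and replays the matching Cookie header on later requests to the same host, which is all PHP needs to keep its session (PHPSESSID by default). Host names, cookie values and the fetch wrapper are constructed for the illustration.

```javascript
// Added example (not from the answers above): a minimal cookie jar that gives a
// non-browser HTTP client the behaviour a browser has, namely keeping the session
// cookie PHP sets and replaying it on later requests. Host names and cookie
// values used with it are constructed for the example.

class CookieJar {
  constructor() {
    this.cookies = new Map(); // key "host|name" -> { value, path, expires, secure }
  }

  // Record every Set-Cookie header from a response received from `host`.
  storeFromResponse(host, setCookieHeaders) {
    for (const line of setCookieHeaders) {
      const [pair, ...attrs] = line.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      if (eq <= 0) continue; // malformed, ignore
      const name = pair.slice(0, eq);
      const cookie = { value: pair.slice(eq + 1), path: '/', expires: null, secure: false };
      for (const attr of attrs) {
        const [k, v = ''] = attr.split('=');
        switch (k.toLowerCase()) {
          case 'path': cookie.path = v || '/'; break;
          case 'secure': cookie.secure = true; break;
          case 'max-age': cookie.expires = Date.now() + Number(v) * 1000; break;
          case 'expires': if (cookie.expires === null) cookie.expires = Date.parse(v); break;
          // HttpOnly only restricts script access inside a browser; a client
          // library still has to store and send the cookie, so it is ignored here.
        }
      }
      const key = `${host}|${name}`;
      // Max-Age=0 or a past Expires is how a server deletes a cookie (e.g. logout).
      if (cookie.expires !== null && cookie.expires <= Date.now()) this.cookies.delete(key);
      else this.cookies.set(key, cookie);
    }
  }

  // Build the Cookie request header for a request to host/path over http(s).
  cookieHeaderFor(host, path, https) {
    const now = Date.now();
    const parts = [];
    for (const [key, c] of this.cookies) {
      const [h, name] = key.split('|');
      if (h !== host) continue;
      if (c.expires !== null && c.expires <= now) { this.cookies.delete(key); continue; }
      if (c.secure && !https) continue;
      const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
      if (!(path === c.path || path.startsWith(prefix))) continue;
      parts.push(`${name}=${c.value}`);
    }
    return parts.join('; ');
  }
}

// Wrap fetch so every call through `jar` replays and records cookies. Node's
// built-in fetch does not keep cookies between calls, so without a jar the
// second request to PHP arrives without PHPSESSID and starts a new session.
async function sessionFetch(jar, url, options = {}) {
  const u = new URL(url);
  const headers = { ...(options.headers || {}) };
  const cookie = jar.cookieHeaderFor(u.hostname, u.pathname, u.protocol === 'https:');
  if (cookie) headers.Cookie = cookie;
  const res = await fetch(url, { ...options, headers, redirect: 'manual' });
  const setCookies = typeof res.headers.getSetCookie === 'function'
    ? res.headers.getSetCookie()
    : [res.headers.get('set-cookie')].filter(Boolean);
  jar.storeFromResponse(u.hostname, setCookies);
  return res;
}
```

Usage is the three steps of the Qt answer: create a jar, POST the credentials through `sessionFetch` so the Set-Cookie from the login page is stored, then make the later calls through the same jar. Whatever the client language, if the library does not do this for you, it is the Set-Cookie parsing and the Cookie header above that you have to supply.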