I have two domains:
http://localhost:9000 / My AngularJS App created with Yeoman
http://localhost/ My PHP app created with CodeIgniter
My Angular app do $http.post to autenticate in the PHP app and save a session to indetify the user as logged, but, when i try recovery the user informations stored in the CI Session, just don't exists.
How i can allow the AngularJS app access the session and don't lose?
Assuming your PHP app is configured to support CORS, then Angular $httpProvider needs to be configured as follows...
$httpProvider.defaults.useXDomain = true;
And then to allow response cookies to be set, withCredentials must be true...
$http.post(url, {withCredentials: true, ...})
Lastly, you may have to tweak the cookie domain and path to be accessible across subdomains of your TLD. For example, if your CORS server resides at api.foo.com, then it will likely set cookies on api.foo.com by default, and your client app on awesome-app.foo.com will be denied access to these cookies. Of course for security reasons, you not want your client app to read the session cookies of the API.
Hope this helps. Good luck.
Related
I'm learning about Laravel passport package and creating a SPA using Vue.js to test it, I'm wondering about saving the Token in the client browser, If I saved it on local storage it would be accessible from Javascript and anyone run js on the browser would be able to read it !
My questions are; What is the solution for this situation ?
If I saved the token in the cookies It would be accessible too, and I read about httpOnly cookies, so How can I set the cookies to save the token from the response from the API if it's not accessible by Javascript ?
Is there a way to save the cookies from the API ?
I hope I can find answers for my Questions.
Well, there are a couple of things to understand here.
HTTP only cookie
First, HTTP cookies are set by the server using set-cookie header. In this case, you as a developer need not do anything. The browser will automatically set it for you and will send back to the server on each Ajax or non-ajax requests. It will send the cookie as long as it is not expired.
LocalStorage
When using LocalStorage for storing the token, any JavaScript code can read it (known as XSS attack if misused). But, the key thing to understand here is that other domain's JavaScript code cannot read the LocalStorage. The scope is restricted to your own site. Other website's JS cannot read it. So, if you are not using any external dependency or compromised CDN, you are safe.
Cross-site cookie
No. It is impossible to set a cross-domain cookie under any circumstances. Only other domain's server can set a cookie for itself (Unless you have some backend mechanism like Gmail + Youtube to share session). However, in case of a subdomain, the following things are allowed:
Parent domain can set a cookie for any child domain. That is example.com can set a cookie for *.example.com.
Child domain can set a cookie for the parent domain. That is xyz.example.com can set a cookie for example.com.
Of course, the rules are more complicated than that. This article should help you understand further.
I have my Ionic/angular 2 app that is running on localhost:8000 The app will run eventually on browser platform. The app is calling a RESTFull api hosted on my local machine on https://adawy/api, where adawy is my hostname and defined in both hosts file and in apache virtual hosts. The server side is Slim 3.
The API upon authentication is returning a JWT to be used with all requests.
My goal is to protect the token from cross site request forgery and cross site scripting. Saving the token in a javascript variable or in any form of local storage would make the JWT accessible from javascript.
I found that the best way is to return the JWT to as an HTTPOnly cookie. So it won't be accessible from javascript and would be sent only by the browser with any upcoming requests to adawy domain.
I had returned the token successfully as a cookie but the problem is that the cookie is not sent with any next XHR requests.
Also, I cannot see the cookie in the Cookies section in Devtools.
I know that angular can support in such matter by looking for XSRF-TOKEN cookie.
It is not working either, as you can see I set the name of the cookie to XSRF-TOKEN but yet, with any other request, this cookie is not sent.
I wonder how this would be secured as if angular has access to this cookie, so would any other script?
Here is the next request, with no cookie sent. Please ignore the header Authorization as my angular code is setting it directly.
In my angular app, I am setting the withCredentials: true option while making the last get request.
Update
I had used adawy.com and I still have the same issue.
The first response attempts to set the cookie explicitly on a top level domain Domain=.adawy; (see the Set-Cookie header) which is not allowed. Try setting it without the domain if you can and see if that works. Alternatively, try using a hostname that has a tld on it.
I'm in a situation where I need to auto-auth users between an ASP.NET website and WordPress. The idea is once you're logged into the ASP.NET website and if you browse the WP pages your logged in automagically and vice versa.
In ASP.NET I can auth users against WP database but that's all I can think of, so the question is.
-How to enable this by-directional authentication scheme?
-Zubair
I had a similar problem, where I had an ASP.net application (third party) and a PHP application (built in-house). I have modified the ASP.net application with just a few lines of code, so that it worked like this:
User logs to the ASP.net application
The ASP.net application sets a session cookie (this is automatic)
Modification: the ASP.net adds a row to the database with the session ID (which is in the cookie) and the username
The PHP application reads the ASP.net session cookie and gets the session ID
The PHP application searches the DB for the session ID and if it is found, it automatically associates the session with the username found
I also added an expiry time for the sessions, to minimize impersonation possibilies...
There are two different server side scripts and it is hard to create by-directional authentication. Since WP uses cookies, you might try to authenticate users against cookies. creating a mechanism that check if there is valid WP cookies in users machine and then read from cookies to authenticate users.
Send cookies from PHP by SetCookie() method, then read cookies from ASP.Net by reading cookies collection(since the name of the cookie changes). then Decode url.. (in ASP.Net you wil get encrypted url. special caharacters are replaced by(#-->%23 , #--->%40 etc..)
In PHP, you manage the Session on the server... accessing any of the session properties there on the server along side your web application.
How does this translate to an iPhone App? If I'm connection to web services (PHP, ColdFusion), where should I be managing sessions? Or does it work differently in this scenario?
Assuming your PHP code use cookies to track the active session (as opposed to, say, a session id request parameter), NSURLConnection handles cookies for you without any extra work, and it should work the same way it does inside a browser.
I am working on a project using zend framework, php, mysql on ubuntu.
I have created hostname test.dev on my local machine and using zend authentication. When an user is authenticated using zend authentication, I set session variable for logged in user id. I use this session variable(userid) on different pages to sure authentication.
Question:
Now I have to create a subdomain. I have created a new hostname mypage.test.dev on my local machine. Both hostnames are pointing to same directory, for example /var/www/test/public. But when I login on test.dev, I have to login again on subdomain mypage.test.dev. Even session variables of test.dev are not accessable on mypage.test.dev.
How can I login on all subdomains using one login?
Thanks.
Session variables are stored specific to each specific domain address. And so if a website is coded poorly and you login to http://mydomain.com and then later access the site as http://www.mydomain.com, you will encounter the same error.
One possible solution to this is to setup a webservice that allows you to access the other domain and retrieve any stored session variables as well as authenticate the user. So for example, if I login to test.dev and then later go to mypage.test.dev, a call will be issued to test.dev/auth-service/ by mypage.test.dev to authenticate the user and if it is successful, then return all stored session variables so that they can be stored by mypage.test.dev.
Perhaps a cleaner approach would be to always access session data only from one domain or the other and to always access it strictly through the web service so that the interface to session data remains consistent across both sites. This does present a possible performance though since it is obviously faster to simply access session directly rather than through a web service.
You are looking for this:
http://blog.pracucci.com/2008/09/24/zend-framework-and-session-cookies-across-subdomains/
After some time I have got my solution.
I added following line into config.ini
session.cookie_domain = .test.dev
then added the following line into Bootstrap.php
Zend_Session::setOptions( $this->getOption('session') );
and session variables are working for all subdomains of test.dev