#StackBounty: #authentication #cookies #single-sign-on Is it possible to use cookie-based single sign-on authentication scheme if sites…

Bounty: 300

According to Wikipedia, A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain. This means that if the user has authenticated on login.foo.org, then the web-server on login.foo.org issues an authentication cookie for foo.org domain and the user is able to authenticate on sites like billing.foo.org or wiki.foo.org using that cookie. However, could the login.foo.org make a request to login.bar.org after a successful authentication and thus the user would get two authentication cookies: first-party cookie for foo.org domain and third-party cookie for bar.org domain?


Get this bounty!!!

#StackBounty: #session #cookies #user-tracking No Cookie / No IP Tracking a Visitor

Bounty: 100

Problem Statement: Track an anonymous user to persist state (or lock out of a feature after a timer) on a device that has visited a website. This would need to work with cookies disabled, across browsers, including visits in incognito mode and not prevent two different devices sharing an IP from locking each other out.

I have seen this applied in a few scenarios with the most recent being the NBC Olympics with the stream timer. This has so many uses for "free no sign-up trials" while not giving away everything or limiting features in "try before you buy". Any ideas would be appreciated!


Get this bounty!!!

#StackBounty: #google-chrome #cookies #tortoise-svn Problems with cookies and TortoiseSVN?

Bounty: 50

I use Google Chrome and I’m constantly logged off from my Google Account but also from other websites.

The other problem is that also my TortoiseSVN lose their user/password setting.

I already check each Google Chrome setting related to Cookies deletion.
Nothing helps me.

All these problems started about a month ago when I updated Windows 10.

How I can stop this confusing situation when daily I must setup all my access login/password.

Any help would be appreciated.

Regards
Michal


Get this bounty!!!

#StackBounty: #php #session #cookies #iframe #session-cookies iFrame – Hide url and session is not working

Bounty: 50

I have two domains in different servers. One page from the first server is having an iframe to point to the url in the other server. I can’t manage to work with seesions.

iFrame page code(main.php):

<!DOCTYPE html>
<html>
<head>
    <base target="_parent">
</head>
<body>
    <iframe src="http://192.168.1.10/index.php"</iframe>
</body>
</html>

My iFrame page index.php has a simple log in system that start session. So, there is a button which load the following code(process.php):

<?php
session_start();
$_SESSION['valid'] = true;
$_SESSION['timeout'] = time();
header('location:catalogue.php');
?>

On my catalogue.php and on each page, i have the following session code(check.php):

<?php
session_start();
if (isset($_SERVER['HTTP_REFERER'])) {
    if ($_SERVER['HTTP_REFERER'] == "") {
        unset($_SESSION['valid']);
        unset($_SESSION['timeout']);
        header('location:index.php');
    }
} else {
    unset($_SESSION['valid']);
    unset($_SESSION['timeout']);
    header('location:index.php');
}
if (isset($_SESSION['valid'])) {
    $timeout = $_SESSION['timeout'];
    $time    = time();
    $t       = $time - $timeout;
    if ($t > 9000) { //15*60 = 900 Second, timeout to logout
        unset($_SESSION['valid']);
        unset($_SESSION['timeout']);
        header('location:index.php');
    } else {
        $_SESSION['timeout'] = time();
    }
} else {
    header('location:index.php');
}
?>

So i have the following:

           Button press                                On load it check session                 
             to log in                                 using check.php
index.php ==============> process.php ===============> catalogue.php

I am using iframe in order to hide the real url of my web app and more user friendly domain name.

My problems:

  • is that every time i press the button in index.php to log in it redirect me to index.php and not to catalogue.php.
  • can i hide/mask url in iframe from bots/spiders.
  • any suggestion/idea for better setup is welcome.

** Update **
After some tests, i think the session is not starting(check.php). It is going to else at the bottom. I have public server and local server.

The main.php doesn’t have any session code.
Only the pages in the iframe have.
The index.php doesn’t have. If user press to log in to load the process.php(which start session) and redirect to catalogue.php.
Catalogue.php and all pages of my app, have a code(check.php) for checking session.


Get this bounty!!!

#StackBounty: #javascript #angular #session #cookies ngx-cookie gets deleted when link is opened in new tab in Angular Application

Bounty: 50

I have used a PC to serve the website via LAN connection and use the IPv4 address instead of localhost for hosting the website on LAN.

I’m using the npm package http-server for serving the dist compiled angular application.

I’m using ngx-cookie-service for manipulating cookies in the angular application.
However, the cookies get deleted when I open a page via router.navigate(). Also, the cookies don’t always get deleted as well.

So I’m kinda confused as to what is happening with the cookies.
What can be the reason?

P.S. I have not implemented session in the backend though.

Angular version : 10+
ngx-cookie-service: 11.0.2
browser: chrome 86


Get this bounty!!!

#StackBounty: #symfony #cookies Symfony 5 and cookie

Bounty: 50

i’m looking for the way to handle cookies in Symfony 5 … and there is nothing really usefull online.

To set a news cookie, i do :

use SymfonyComponentHttpFoundationCookie;
//.....
$cookie = new Cookie('email', $data['email'] ,time() + (365 * 24 * 60 * 60));
$response->headers->setCookie($cookie);
$response->sendHeaders();

And it works (don’t hesitate to tell me if i’m not using the right way).

My problem appears when i want to get that cookie.

Actually, i do :

$cookie = $request->cookie->get('code_postal');

But i got the following error : "Notice: Undefined property: SymfonyComponentHttpFoundationRequest::$cookie"

Can you help me on that ?

Thank you.


Get this bounty!!!

#StackBounty: #cookies #csrf #spring-framework Why does Spring Security unset and set the same Cookie in one Request?

Bounty: 100

In the CSRF implementation of Spring Security (https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L57) they first "delete" the XSRF-TOKEN-Cookie (Line 58) and directly after that they set a new one (Line 60).

This leads to two Set-Cookie Header on the same requests:

Set-Cookie: XSRF-TOKEN=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/abc
Set-Cookie: XSRF-TOKEN=35ed383f-4ea1-4e00-8e5d-9bc9a3740498; Path=/abc
  • Can someone explain why this is done in this way?
  • Is this a common pattern?
  • Are there any problems with browsers as they got two Headers for the same Cookie?


Get this bounty!!!

#StackBounty: #php #cookies PHP – How to set a Priority value of Cookie to High, Low or Medium?

Bounty: 50

Google Chrome - Cookie Priority

As I have more than 20 cookies on my site I want to define priority to high for cookies set by my script so that other low and medium priority cookies set by analytics and ads will be deleted automatically when count reaches more than 20. 
More than 99% of my users use google chrome so i don’t care about other browsers.
So, Is there a way to set cookie priority in php ?

Please help me out, Thanks in advance.


Get this bounty!!!

#StackBounty: #node.js #cookies #axios Perserver cookies between request AXIOS (Node.js)

Bounty: 50

$ node -v v10.15.0
"axios": "^0.19.2",

I am trying to keep cookies from response header field ‘set-cookie’ – just like browsers do.
I used to use this module (https://www.npmjs.com/package/request ) and there was an option request.defaults({jar: true}) which worked well.

For axios I reqd that {withCredentials: true} would do the job – but it DOESN’T.

Here is an example code:

axios({ url: 'https://google.com/', method: 'get', withCredentials: true })
  .then((res) => {
    console.log('res.headers = ', res.headers);
  })
  .catch((err) => {
    console.log('ERROR >>>> ', err);
  });

axios({ url: 'https://google.com/', method: 'get', withCredentials: true })
  .then((res) => {
    // console.log("res.headers = ", res.headers);
    console.log('REQUEST HEADERS: ', res.request._header);
  })
  .catch((err) => {
    console.log('ERROR >>>> ', err);
  });

The console result is the following:

res.headers = {
  date: 'Tue, 08 Sep 2020 09:42:24 GMT',
  expires: '-1',
  'cache-control': 'private, max-age=0',
  'content-type': 'text/html; charset=ISO-8859-1',
  p3p: 'CP="This is not a P3P policy! See g.co/p3phelp for more info."',
  server: 'gws',
  'x-xss-protection': '0',
  'x-frame-options': 'SAMEORIGIN',
  'set-cookie': [
    '1P_JAR=2020-09-08-09; expires=Thu, 08-Oct-2020 09:42:24 GMT; path=/; domain=.google.com; Secure',
    'NID=204=hqIOtyoskrispJi7WvceHmix8PF_tVmV6FArMX_LwcvaFRNYzTj85TZp-MXsmOXL0STJBUX0LjsUXpuPF__yx7urLiXyxFKiFsi8RpPheqyrP4XNTwrHXqXPQVqxY0KEpO_XS9ITMVrMGJ5GBSfQB4Ii63o6x4icknqZ-1k4FA8; expires=Wed, 10-Mar-2021 09:42:24 GMT; path=/; domain=.google.com; HttpOnly',
  ],
  'alt-svc':
    'h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"',
  'accept-ranges': 'none',
  vary: 'Accept-Encoding',
  connection: 'close',
  'transfer-encoding': 'chunked',
};

REQUEST HEADERS: GET / HTTP/1.1 Accept: application/json, text/plain, */* User-Agent: axios/0.19.2 Host: www.google.com Connection: close

As you can see the first response provides many cookies to be set, but the consecutive request doesn’t send them.

How to make the axios keep the cookies between requests?


Get this bounty!!!

#StackBounty: #node.js #cookies #https setting up https cookie in nodejs

Bounty: 200

I am trying too setup a login system on my website.

Heard that nodejs cookies are a good way to do that.

Here:
https://stackoverflow.com/a/21809393/322537 I have found an example of how https servers are created.
It is my understanding that the createServer function should run every time a client makes a request.

So I have the following in my code:

var server_https=modules.https.createServer({
    key: this.ssl_key,
    cert:this.ssl_cert
    },this.respond_to_client).listen(this.port);


mconnection.prototype.respond_to_client=function(request,response){
    console.log('responded to client');
    }

The server appear to run fine as the website is up and running.
But the respond_to_client function appears to never run as nodejs’s log file never indicates the ‘responded to client’ string.

How could that be?
Could it have something to do with that I’m upgrading the https server to a websocket shortly later in the code?

update:
here is the server file:
https://openage.org/s.js
here is the connection module:
https://openage.org/c.js

and here is the chat program the are serving
https://openage.org/chat/14/?page=index

The plan is to then make cookies to identify clients and then to setup a login system. But I’m stuck at this. /:


Get this bounty!!!