Django not storing session cookie in Internet Explorer - python

To give some more context:
We have an fb app which gets served under:
domain.com/fb/
and we have the normal site which gets served under
domain.com
Our fb app serves domain.com/fb/ in an iframe and is accessible via:
apps.facebook.com/ourappname/
I'm currently having an issue with IE only, which causes request.user to be an anonymous user even when the user is logged in (only in IE); everything works fine in all other browsers. The reason for request.user being anonymous is that the session cookie is not being set. I verified this by inspecting the cookies in IE, and django-debug-toolbar showed me that as well.
So how can I fix this issue?
The P3P headers are set:
response['P3P'] = 'CP="IDC CURa ADMa OUR IND PHY ONL COM STA"'
return response
They are also added by Apache itself, so it's kind of double; I just wanted to make sure it worked.

It's a known security behavior of IE with iframe web sites. This could help:
Cookie blocked/not saved in IFRAME in Internet Explorer

Related

Python/Flask cookies not being deleted in Safari

I am having an issue where my users cannot log out in Safari, unless they close the tab entirely. Additionally, this DOES work in Safari if Private Mode is on. Safari also does not persist the session/cookie between tabs.
I am setting a cookie that holds some session data (user ID, name, etc) and have a log out button that calls the same Python backend that sets the initial cookie with that data.
Set:
resp = make_response(redirect('https://mydomain.c0m'))
resp.set_cookie('my-account', json.dumps(user_data), domain='.mydomain.c0m')
return resp
Remove:
resp = make_response(redirect('https://mydomain.c0m'))
resp.delete_cookie('my-account', domain='.mydomain.c0m')
return resp
This works perfectly in a Chromium or Firefox browser and if Safari is in private mode. My /login endpoint is called- the cookie is created. The /logout endpoint is called, the cookie is gone.
In Safari, I cannot even see the cookie in the local storage tab. Logging in works and returns the user_data as expected. Logging out does not work. It calls the Python backend, returns 200, but nothing has effectively changed until I kill the entire browser.
This is the cookie, as viewed through Edge (Chromium):
Safari:
Created, then deleted the cookie by calling the /login and /logout endpoint in Safari. In the same tab, the user session cookie keeps existing. I have access to the user profile and can use the data in the cookie to modify the profile. The "logout" button face also does not change (this changes depending on whether or not the cookie is present and has data)
The session does not appear to be shared between tabs. Logging into one open tab does not log in the other. An established session in one tab will not persist in a new tab.
Firefox:
Created, then deleted the cookie by calling the /login and /logout endpoint in Firefox. In the same tab, the session is properly started or ended. I no longer have access to the user profile and the "logout" button face changes to "login". The session state being established or ended is shared between tabs.
Chromium:
Created, then deleted the cookie by calling the /login and /logout endpoint in Edge. In the same tab, the session is properly started or ended. I no longer have access to the user profile and the "logout" button face changes to "login". The session state being established or ended is shared between tabs.

remember me option in GAE python

I am working on a project in which I am building a signup/login module. I have implemented sessions in webapp2 Python successfully. Now I want to implement the remember me feature on login. I am unable to find anything which can help me. I do know that I have to set the age of the session, but I do not know how. Here is my session code.
import webapp2
from webapp2_extras import sessions

# Class name assumed; the post shows only the two methods.
class BaseHandler(webapp2.RequestHandler):
    def dispatch(self):
        # Get a session store for this request.
        self.session_store = sessions.get_store(request=self.request)
        try:
            # Dispatch the request.
            webapp2.RequestHandler.dispatch(self)
        finally:
            # Save all sessions.
            self.session_store.save_sessions(self.response)

    @webapp2.cached_property
    def session(self):
        # Returns a session using the default cookie key.
        return self.session_store.get_session()
Config:
config = {}
config['webapp2_extras.sessions'] = {
    'secret_key': 'my-super-secret-key',
}
Kindly help me.
First in case you don't know the difference between sessions and cookies
What is a Cookie? A cookie is a small piece of text stored on a
user's computer by their browser. Common uses for cookies are
authentication, storing of site preferences, shopping cart items, and
server session identification.
Each time the users' web browser interacts with a web server it will
pass the cookie information to the web server. Only the cookies stored
by the browser that relate to the domain in the requested URL will be
sent to the server. This means that cookies that relate to
www.example.com will not be sent to www.exampledomain.com.
In essence, a cookie is a great way of linking one page to the next
for a user's interaction with a web site or web application.
What is a Session? A session can be defined as a server-side storage of
information that is desired to persist throughout the user's
interaction with the web site or web application.
Instead of storing large and constantly changing information via
cookies in the user's browser, only a unique identifier is stored on
the client side (called a "session id"). This session id is passed to
the web server every time the browser makes an HTTP request (ie a page
link or AJAX request). The web application pairs this session id with
its internal database and retrieves the stored variables for use by
the requested page.
If you want to implement something like "remember me" you should use cookies because data stored in session isn't persistent.
For setting and getting cookies in webapp2:
response.headers.add_header('Set-Cookie', 'remember_me=%s' % some_hash)
request.cookies.get('remember_me', '')
I strongly recommend you to read this article that has explained this stuff thoroughly.
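An added example, not part of the original answer: one way to produce the value the answer calls some_hash and the Set-Cookie header that carries it, using only the Python standard library. The 30-day lifetime, the in-memory TOKENS store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

REMEMBER_COOKIE = "remember_me"   # cookie name used in the answer above
MAX_AGE = 30 * 24 * 3600          # assumed lifetime: 30 days

# Stand-in for a datastore table: selector -> (sha256(validator), user_id).
TOKENS = {}

def issue_token(user_id):
    """Create a random token, store only its hash, return the cookie value."""
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    TOKENS[selector] = (hashlib.sha256(validator.encode()).hexdigest(), user_id)
    return "%s:%s" % (selector, validator)

def set_cookie_header(value):
    """Build the Set-Cookie header value with a lifetime and safe attributes."""
    cookie = SimpleCookie()
    cookie[REMEMBER_COOKIE] = value
    morsel = cookie[REMEMBER_COOKIE]
    morsel["max-age"] = MAX_AGE     # this is what makes the cookie outlive the session
    morsel["path"] = "/"
    morsel["secure"] = True         # HTTPS only
    morsel["httponly"] = True       # not readable from JavaScript
    morsel["samesite"] = "Lax"
    return morsel.OutputString()

def redeem_token(cookie_value):
    """Return (user_id, new_cookie_value) for a valid token, else (None, None)."""
    selector, sep, validator = (cookie_value or "").partition(":")
    # pop() makes every token single use; a wrong validator also burns the record.
    record = TOKENS.pop(selector, None) if sep else None
    if record is None:
        return None, None
    stored_hash, user_id = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented):
        return None, None
    return user_id, issue_token(user_id)   # rotate the token on every use
```

In a webapp2 handler the header would be sent with the add_header call shown in the answer, passing set_cookie_header(issue_token(user_id)) as the value.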

Client Cookies not Sent to Django

I am having a weird problem with Django. I set certain cookies on the client, but those cookies do not appear in the Django request.
The cookies properly appear in the client as follows:
"class_year_only=yes; email_status=yes; exit_status=yes; class_year_only_status=yes; nmstat=1448946715685; __utma=96992031.1943662208.1449612961.1449621554.1449704668.3; __utmz=96992031.1449612961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=Oe2A6Qn7pwUshDEFAhyNa4dtGRajVe4S"
However, the Django request only shows the following cookies:
"{'csrftoken': Oe2A6Qn7pwUshDEFAhyNa4dtGRajVe4S, '__utma':96992031.1943662208.1449612961.1449621554.1449704668.3, '__utmz':96992031.1449612961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none), 'nmstat':1448946715685}"
Why aren't the other cookies being sent?
I figured out the problem. I needed to set path to /. The path in the client side cookie, used a subdomain which was the cause of the problem. Not sure why, as the subdomain was correct.

Django - sessionid cookie - Is this a security failure?

In order to see this possible error you need to open two browsers and some plug-in to get/set cookies.
If you create a new project in django 1.7 and access the admin site (/admin), and login successfully in the first browser and get the sessionid and csrftoken cookies and set them into the second browser login page and set a random user and password, you obtain a CSRF error and if you go back in the browser you are logged in.
How can I avoid this?
I suppose, you can obtain same result just by copying sessionid cookie to another browser and navigating /admin. You don't need csrftoken to reproduce this issue. It's called sessionid stealing and all frameworks I know are vulnerable to this type of attack.
To avoid it, set SESSION_COOKIE_SECURE = True (default False) to protect your sessionid cookie from man-in-the-middle attacks. You will also need to install an SSL certificate on your production server. Then configure it to redirect all http:// requests to https://. S in https stands for secure, this means all traffic between client and server is encrypted, and no one between client and server (client's ISP, server's hosting provider, proxies, etc) can read any data that is sent, including the session cookie value.
And use SESSION_COOKIE_HTTPONLY = True (default) to protect session cookie from stealing via XSS. HTTPONLY means that this cookie will be sent with each http request, but won't be accessible from client's browser via javascript. So if some malware javascript managed to run in client browser, it will not have access to session cookie anyways.
Good tutorial on configuring secure django server can be found here: https://security.stackexchange.com/a/8970
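An added example, not part of the original answer: a small check that reads Set-Cookie header values and reports which of the flags discussed above are missing, together with the Django setting that adds each one. The sample headers are constructed and modelled on Django's defaults; CSRF_COOKIE_SECURE is the corresponding Django setting for the csrftoken cookie, and the function name is an assumption.

```python
from http.cookies import SimpleCookie

# Attribute each cookie must carry, and the Django setting that adds it.
CHECKS = {
    "sessionid": [("secure", "SESSION_COOKIE_SECURE = True"),
                  ("httponly", "SESSION_COOKIE_HTTPONLY = True")],
    "csrftoken": [("secure", "CSRF_COOKIE_SECURE = True")],
}

# Constructed sample: Set-Cookie values modelled on Django's default settings.
DEFAULT_RESPONSE = [
    "sessionid=constructed-session-value; HttpOnly; Max-Age=1209600; Path=/",
    "csrftoken=constructed-csrf-value; Max-Age=31449600; Path=/",
]
# Constructed sample: the same cookies once the settings above are applied.
HARDENED_RESPONSE = [
    "sessionid=constructed-session-value; HttpOnly; Max-Age=1209600; Path=/; Secure",
    "csrftoken=constructed-csrf-value; Max-Age=31449600; Path=/; Secure",
]

def audit_set_cookie(header_values):
    """Return (cookie, missing_attribute, fix) for every failed check."""
    findings = []
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)                      # parses one Set-Cookie value
        for name, morsel in jar.items():
            for attr, fix in CHECKS.get(name, []):
                if not morsel[attr]:       # flag attributes parse to True or ""
                    findings.append((name, attr, fix))
    return findings

if __name__ == "__main__":
    for name, attr, fix in audit_set_cookie(DEFAULT_RESPONSE):
        print("%s lacks %s -> set %s" % (name, attr, fix))
```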

delay in finding facebook cookie using JS + Python

Using a mix of GAE, Python and JS I have successfully made an application connecting to Facebook's API. Only one snag: In my app, the first thing I check is if a Facebook cookie exists:
cookie = facebook.get_user_from_cookie(self.request.cookies,
                                       FACEBOOK_APP_ID,
                                       FACEBOOK_APP_SECRET)
if cookie:
    pass  # render index.html
else:
    pass  # render login.html
In my login-handler I again check for a cookie (same code structure) to avoid having people who do have a cookie accessing this page. This works as designed.
Only problem is that when a cookie does exist, there seem to be some delay in detecting this. So, the log goes:
cookie not found in index-handler, redirecting to login-handler
login-handler draws login-html
cookie found in login-handler, redirecting to index-handler
index-handler draws index-html
This is clearly visible to end-user, the loginscreen draws and then, a second or so later, the correct indexscreen is drawn.
What can be the cause of this delay? I'm wondering if it's caused by the cookie being transferred to the server? If so, how to code around this?
Cookie fbsr_<application_id> will be set only after user is authenticated on Facebook, redirected back to your application and Javascript API method FB.init() is executed with cookie: true.
FB.init({
appId : '<application_id>',
status : true,
cookie : true,
//...
In other words, cookie is not set immediately after user is redirected back to your application.
