Firefox extension/addon does not store cookies

I'm working on a browser extension that authenticates with a remote server via XMLHttpRequests. In Firefox (59.0.2) I have the problem that the session cookie sent by the server is not stored in the browser. When looking at the network traffic I get a Set-Cookie response from the server for every request:
Set-Cookie JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0;Path=/
but it seems that the cookie is never accepted or stored in the extension.
When looking at Chrome (where the extension is working) my extension includes this cookie in the request:
Cookie: io=jCX1X9rlaOhCqE0nAAAB JSESSIONID=node01abks2u96hf84wt0i1uqwsb9879.node0
However, this is not the case in Firefox. Why is Firefox not including the cookie in the request? And why is it not storing the cookie?

Related

Coldfusion cookie issue

I'm having issues deleting client cookies with the cfcookie tag, I'm setting the value to "" AND changing the expiration date to now.
But I think it's resetting the cookie in the same page that it deletes it.
Is there an application (or addon for Chrome, Firefox) that can tell me where it's giving me cookies?
There's Fiddler, an application that logs all HTTP(S) traffic between your computer and the Internet.
1) Run Fiddler.
2) Open your site on the browser you use.
3) Look at the request and response headers on Fiddler. Any cookie set or delete will be there.
Other references:
Fiddler Can Make Debugging Easy. [September 12, 2006]
Fiddler Proxy and HTTP Debugging Tool [December 17, 2010]
As tiangoinu said, use Fiddler for Windows, or if you're on a Mac, check out Charles Proxy.
As to your specific question, verify that you're not doing a redirect after you delete the cookie. In order for the cookie to be deleted on the client, the necessary HTTP headers need to be passed to the browser, and sometimes a cflocation will prevent those headers from being sent.
Yes, look at HTTPLive Headers for FireFox. Or some other type of intercept proxy to put between the browser and the server. You can then see the HTTP headers and try to determine where the cookies are being set (or at least how often).

Safari and Firefox do not send the cookie when sending an HTTP request to a remote server with the same sub domain name, but Chrome does

I have two servers, a.example.com and b.example.com
The cookie with domain .example.com was set in a.example.com/admin
I visit the a.example.com/admin page, and in this page, an HTTP request was sent to b.example.com
I had a packet capture and just found that the cookie was not sent when I use the Safari and Firefox browsers, but in Chrome, the cookie was sent.
So I was wondering why this happens, and does there exist any method by which Safari and Firefox can send the cookie?
Check this link, it may help you figure this out: https://discourse.mozilla-community.org/t/webextension-xmlhttprequest-issues-no-cookies-or-referrer-solved/11224/15
It seems that either you need to enable 'third party cookies' or you need to wrap XMLHttpRequest. Also, make sure the website is listed in the permissions section of your manifest file: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/permissions

PHONEGAP/WP8: FileTransfer not sending session cookies

The server I'm using sends the session id with an http-only cookie.
To make this work on WP8, I already enabled cookies in the Internet Explorer settings of the device. This works well for all my AJAX requests.
But now I have to download a file from the server, therefore I'm using the file-transfer plugin, but I always get HTTP Status 401 - Http Request not attached to a session
Is there any way to fix this issue, so that the cookie header containing the JSESSIONID is sent with the download request?

Safari doesn't save cookies on custom https port

I have a web application that I'm looking to access by https on port 444.
In Safari, when accessing it, my initial request logs me in successfully (I can see the authentication success message in custom HTTP response headers).
But the site does not display successfully, because the request for the CSS file associated with the page fails with Access Denied.
Upon inspection of the headers, I can see that a session is assigned to the first request (for the page, with the Set-Cookie response header), and a new session has been assigned for the CSS request (also with the Set-Cookie response header). No cookies show up in the Web Inspector. My assumption is that the cookie from the first request is not being saved and so the server is assigning a new session.
When accessing the site on the standard https port (443), the behavior is as expected, as it is when accessing it on port 444 with Firefox. I'm on OSX Mountain Lion.
Any thoughts much appreciated!

Selenium IDE: How to detect secure cookies on page loaded with http://?

I am using Firefox 22 and Selenium IDE 2.2.0.
I have loaded a page in Firefox using the HTTP protocol (not HTTPS). I know for sure that the page has set a secure cookie (as a result of an embedded AJAX request). I can verify this using the browser internal url chrome://web-developer/content/generated/view-cookie-information.html - because among other cookies that page shows a cookie like this:
Name WC_AUTHENTICATION_5122759
Value 5122759%2cDKppXa7BAqnZ0ERDLb0Wee%2bXqUk%3d
Host .testserver.dk
Path /
Expires At end of session
Secure Yes
HttpOnly No
However, when I run assertCookie in the Selenium IDE I can only see the unsecure cookies. I.e. all cookies - except the one above - are detected by Selenium IDE:
Executing: |assertCookie | glob:WC_AUTHENTICATION_* | | yields this set of visible cookies:
[error] Actual value 'JSESSIONID=0000uCQdh2FZ0ZA8z-O5zcGoUtD:-1;
WC_PERSISTENT=lT8Z5tbkQrvLhNm%2bGyCj%2bh4yPAU%3d%0d%0a%3b2013%2d07%2d05+13%3a18%3a18%2e807%5f1373023098807%2d3048%5f10201%5f5122827%2c%2d100%2cDKK%5f10201;
WC_SESSION_ESTABLISHED=true;
WC_ACTIVEPOINTER=%2d100%2c10201; WC_USERACTIVITY_5122827=5122827%2c10201%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cy6bjcrZgvCVe5c52BBKvcItxyF5lLravpDq9rd9I0ZmRfRNxcC2oG13Eyug3kKgbtLOHVLxm9T76%0d%0a%2fGJFLp5bOrkPoNqmc38TIr%2fO7eU%2fbd7Mfny2kQg7v6xGweYoRkXYgAEz91rH0QavFhlOjpd12A%3d%3d;'
did not match 'glob:WC_AUTHENTICATION_*'
So does anyone know how can I use the Selenium IDE to verify the presence of secure cookies on a page loaded with http:// (not https://) ?
Sadly, what you are doing is breaking the specifications. A secure cookie is supposed to be only available if the connection is secure. Hence, if you are connecting with HTTP, you can't see it.
However, if this is just on your test machine (not your end user), you can modify the response from the server using Fiddler. With Fiddler, you can program something like, if you see this cookie, add another cookie, or strip the secure flag.
EDIT:
Some background information about Selenium and cookies:
Selenium works through the browser with JavaScript as part of the page. Because it is essentially a part of the page, it has to follow all the same rules as the page. This means that it still has to abide by the security rules on cookies. A secure only cookie can only be read on a secure connection, thus Selenium cannot read a secure cookie if it's not on a secure connection.
The place where HTTP request comes in is that cookies are a part of the HTTP header. Both the request (from the browser) and the response (from the server) have an HTTP header. Cookies are present in both.
You want to verify if the server has set the cookie, so you want to inspect the HTTP response from the server for the presence of the cookie. Because of security restrictions, however, you cannot from Selenium. These security restrictions are enforced by the browser. All reputable browsers enforce these policies, since without these policies, the end user's credentials will be easily compromised.
This is where Fiddler comes in. Fiddler inspects the HTTP data at a lower level, before the browser gets to it. Thus, you can use Fiddler to manipulate the data before it gets to the browser to give some kind of indication that the cookie was present.
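An added example (not part of the original answers): checking captured response headers for Set-Cookie lines and working out which cookies page script could read on a given page URL, which is the inspection the answer above describes doing at the HTTP level. The sample headers and cookie values are constructed; a cookie without a Domain attribute is assumed to come from the page's own host, and a missing Path is treated as "/".

```javascript
// Constructed response headers, using cookie names like those quoted in the question.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: JSESSIONID=0000example:-1; Path=/",
  "Set-Cookie: WC_AUTHENTICATION_1=constructed; Domain=.testserver.dk; Path=/; Secure",
  "Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/; HttpOnly",
  "Content-Type: text/html",
].join("\r\n");

// Parse every Set-Cookie header line into { name, value, attrs }.
function parseSetCookies(rawHeaders) {
  return rawHeaders.split(/\r?\n/)
    .filter((line) => /^set-cookie:/i.test(line))
    .map((line) => {
      const [pair, ...rest] = line.slice(line.indexOf(":") + 1).split(";");
      const eq = pair.indexOf("=");
      const attrs = {};
      for (const part of rest) {
        const [k, ...v] = part.trim().split("=");
        if (k) attrs[k.toLowerCase()] = v.length ? v.join("=") : true; // flag attributes become true
      }
      return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
    });
}

// Would page script (document.cookie) see this cookie on pageUrl? Returns the blocking reasons.
function visibleToScript(cookie, pageUrl) {
  const url = new URL(pageUrl);
  const reasons = [];
  if (cookie.attrs.secure && url.protocol !== "https:") reasons.push("Secure cookie on non-HTTPS page");
  if (cookie.attrs.httponly) reasons.push("HttpOnly");
  const domain = typeof cookie.attrs.domain === "string"
    ? cookie.attrs.domain.replace(/^\./, "").toLowerCase() : null; // null: assumed host-only, same host
  if (domain && url.hostname !== domain && !url.hostname.endsWith("." + domain))
    reasons.push("Domain mismatch");
  const path = typeof cookie.attrs.path === "string" ? cookie.attrs.path : "/"; // simplification
  const prefix = path.endsWith("/") ? path : path + "/";
  if (url.pathname !== path && !url.pathname.startsWith(prefix)) reasons.push("Path mismatch");
  return { name: cookie.name, visible: reasons.length === 0, reasons };
}

// Report every cookie the response sets, visible or not.
function audit(rawHeaders, pageUrl) {
  return parseSetCookies(rawHeaders).map((c) => visibleToScript(c, pageUrl));
}

console.log(audit(SAMPLE_RESPONSE, "http://www.testserver.dk/shop"));
```

Because the report is built from the response headers rather than from what the page can read, it lists the Secure cookie as set by the server even though it is not visible over http://.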
