csrf-token

Cookie set on root domain not available to subdomain - what am I doing wrong?

戏子无情 submitted on 2021-02-11 15:14:29
Question: A client hosted on subdomain.example.com makes an API call to example.com to fetch a cookie. The response has a Set-cookie header and I see the cookie being returned alright: However, I don't see the cookie saved in the browser (Chrome, Firefox, Edge) and, as a result, it is not sent as a header in subsequent API requests: The Set-cookie domain attribute is set to .example.com, but as I read on MDN I think the trailing dot gets ignored. The cookie in question, by the way, is the csrf token secret set

How can I get data from a response payload <script>

我只是一个虾纸丫 submitted on 2021-02-11 13:02:24
Question: Let's say I have a function that runs fetch() to send an asynchronous GET request that returns a response with the following payload: <script type="text/javascript"> var csrfToken = "ImJmMWIxZjI0ZGRmMTA1ZGVkYWQ5NThlNThlYjM3OTYzYmRhNmRiMDAiU" </script> How can I access the csrfToken variable in Vue? When I access the response body it converts the whole body into a giant string rather than running the JS and making the variable available for use. Source: https://stackoverflow.com/questions

CSRF token on a web page with multiple forms?

房东的猫 submitted on 2021-02-08 11:41:48
Question: When CSRF is enabled and a web page has multiple forms, will all the forms have the same csrf token or will each form have a unique csrf token? If this is framework dependent, then how does it work in the context of Spring Security? Answer 1: CSRF is not associated with a form or something, but with each request. Each individual request contains a new csrf token. Source: https://stackoverflow.com/questions/64422918/csrf-token-on-a-web-page-with-multiple-forms

Google oauth2 and SPA

寵の児 submitted on 2021-01-29 11:12:37
Question: I have an API and an Angular SPA that's completely separate from it, and they have different origins/hosts. I figured out the implementation to be like this: The user gets into the SPA, the SPA gets a CSRF token from the API (I'll have an endpoint that generates such tokens), the user clicks a 'sign in with Google' button that redirects him to Google's consent page (the CSRF token will be sent as a state field; the client id will also be sent), and after the user's agreement Google Auth redirects

Session cookie set `SameSite=None; Secure;` does not work

旧街凉风 submitted on 2021-01-27 07:20:46
Question: I added SameSite=None; Secure; to set-cookie, but the cookie was not set and I can't log in to my site. response.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname, 'csrf-token': csrfToken }); I reviewed the cookie in developer tools under Application>Storage>Cookies to see more details. It showed a warning message: this set-cookie was blocked because it was not


Ckfinder problem, how to disable token csrf in spring boot with OAuth2 (Jhipster)

99封情书 submitted on 2021-01-07 06:34:57
Question: I am developing a project with the Jhipster framework (Angular 10 + Spring Boot) and I need a file manager, so I chose Ckfinder. The server side in Java works well in a microservice (I first generated a Jhipster microservice and then adapted it with the Spring Boot app). The client side of Ckfinder is already inside the dependency. So when I test the microservice on the host "http://localhost:8090/" everything works. But I want to go through my gateway, so I test on "http://localhost:8080/service/media/