I tried to make request using fetch API, but when I do console.log(response.headers.get("Set-Cookie")) I got undefined.
Is there any way to do requests with cookie persisting across requests?
Set-Cookie can't be read programmatically. Check this out => github/fetch#receiving-cookies
Like with XMLHttpRequest, the Set-Cookie response header returned from the server is a forbidden header name and therefore can't be programatically read with response.headers.get(). Instead, it's the browser's responsibility to handle new cookies being set (if applicable to the current URL). Unless they are HTTP-only, new cookies will be available through document.cookie.
Related
Can't get past Django Rest Framework Token Authorization because I can't set withCredentials=true using OkHttp RequestBuilder. (I'm referring to this https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials)
In javascript using axios.post this works fine. I'm having trouble converting this post request to android using OkHttp request builder.
Request builder only seems to give setter methods for Header and Body of post Request?
Tried reading through OkHttp documentation and I've also tried to send withCredentials=True as a header
Django Rest Framework backend not recognizing the token and not resolving the bearer token to a user.
If no class authenticates, request.user will be set to an instance > of django.contrib.auth.models.AnonymousUser, and request.auth > will be set to None.
I'm going to assume here that withCredentials is a query parameter.
Appending ?withCredentials=true. to the end of the URL will probably get things going for you.
An example in full might look like https://www.example.com?withCredentials=true.
With multiple parameters, it may look like https://www.example.com?withCredentials=true&otherParam=Stuff.
I have an android app that connects to a server. The app appends a cookie to each request. However, I need to suppress this cookie for a request to a specific URI.
Some more details:
Can't add an empty cookie for this URI - even if only the empty one is sent, the request must be without a cookie.
Use okHTTP3 for this request. It's ugly but it'll work.
Looked at HttpUrlConnection, CookieStore and CookieManager - could not find any API to disable sending of cookie for a connection
I prefer not to disable cookies in general but just suppress this one
I have next problem:
I auth via oauth and webview, after that i store cookies in sharedPreferences and setting it in ClientHttpRequestInterceptor.
Via logs new cookies are setting for new requests, but on server i get old cookies until i fully restart application.
Here is my JsonSpiceService:
http://pastebin.com/Wiaf6NkJ
Here is my activity where i set cookies:
http://pastebin.com/f5F0JCnd
Thank for your help.
After trying to fix this, i noticed that RoboSpice and Spring ignore setting of cookies after receiving set-cookie header. So, i send request that receives correct set-cookie header and fixed this issue.
I'm building an native Android app with Worklight 6.0.0.1 and having trouble connecting to our production Worklight Server.
The server is fronted by a DataPower appliance that handles authentication and requires us to send a particular cookie on any call to the Worklight Server.
We tried using addGlobalHeader("Cookie", "cookie-name=cookievalue") to set this cookie, but found that using this API does not play nicely with the cookies that Worklight itself uses to manage it's session.
The cookie header is properly set for the initial request to Worklight, and Worklight responds with a challenge and sets JSESSIONID and WL_PERSISTENT_COOKIE.
Then, when the Android API answers this challenge we see 2 cookie headers being sent in the follow-up request which violates norms for http headers.
Cookie: JSESSIONID=<...>;WL_PERSISTENT_COOKIE=<...>
Cookie:
Oddly, if I go through a TCPMon proxy to inspect the traffic, I can connect successfully, but if I go directly against the DataPower address, it doesn't see the header and fails to reach Worklight.
What is the correct way to inject a cookie so my cookie goes into a single cookie header along with all of the other cookies that Worklight wants?
Add global header will add headers, it was not designed for cookies. If you need to set cookies I'd suggest trying Android's CookieStore. Create you cookie with all the relevant params (value/url/expiry etc) and add it to CookieStore
http://developer.android.com/reference/org/apache/http/client/CookieStore.html
I am writing an Android app which submits a username and password to a Java Servlet hosted on Google App Engine. I am writing both the Android app. and Servlet.
The username and password are packaged into a POST request on the device and the servlet doPost() method checks the values. If the username and password are correct I request a session...creating it if it doesn't exist:
HttpSession session = request.getSession(true);
In this session I store a name value pair "logged" and "true".
Back on the android device a cookie is returned along with an HTTP status of 200 OK. This all seems fine, since the session on the server is implemented using cookies (transparent to me since I'm just using the session API).
All subsequent HTTP POSTs made by the android device package up the cookie into the HTTP POST so that it can request .jsp pages or use other servlets which inspect the session for the "logged and "true" value (i.e. protected pages).
The problem: A cookie is returned even if the following code is NOT run:
HttpSession session = request.getSession(true);
i.e. the username and password were false. This isn't such a security issue since the "logged" and "true" name value pair is never set so the application cannot use the .jsp or other servlets. However, I was using the fact that a cookie had been returned from the POST request to the device as a sign that authentication was successful.
Why am I getting a cookie even though I don't use or request the use of a session?
My current solution is to create an additional cookie in the servlet and check for this cookie on the device. HOWEVER, this cookie is not the one packaged into subsequent POSTS from the device since it is not the cookie associated with the session containing the "logged" "true" value. This seems hacky. Clearly I ave misunderstood something.
Most (or perhaps all) servlet containers will always assign a user a session cookie if they do not already have one, whether the webapp being served explicitly requests a session or not. Google App Engine is no different in this regard. You shouldn't assume anything based upon the mere existence or non-existence of a cookie other than that the device has made a request to the server and received some response back.
If you want to verify that the login was successful on the device, why not just send back a response to the login request that it can easily parse. For instance, a simple JSON-snippet like {"status": "success"} would do, or even just the literal text string "success".
Your second cookie approach definitely sounds a bit hacky. Presumably your authentication request is already sending some response back to the device (it has to be, if cookies are being sent). What do you feel that you gain from using a cookie that you don't get by just sending some status message back as part of the response?