I'm using Windows Vista x64 with SP1, and developing an ASP.NET app with IIS7 as the web server. I've got a problem where my cookies aren't "sticking" to the session, so I had a google and found that there was a known issue with duplicate response headers overwriting instead of being added to the session. This problem was, however, suppo...

I have a PHP script that runs as a CGI program and the HTTP Authenticate header gets eaten and spit out. So I would like to implement some kind of FORM based authentication. As an added constraint, there is no database so no session data can be stored.
I am very open to having a master username and password. I just need to protect the a...

As a part of the signup process for my online application, I'm thinking of tracking the source and/or search keywords used to get to my site. This would allow me to see what advertising is working and from where with a somewhat finer grain than Google Analytics would.
I assume I could set some kind of cookie with this information when p...

Specifically this is regarding when using a client session cookie to identify a session on the server.
Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be able to sniff an existing client session cookie?
And perhaps second best to use some sor...

JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site?
Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. Firefox later adopted this. So my question is: If you are using AJ...

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.
How do you tell Tomcat to use http only cookies for sessions?
...

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"
How do you set this property? Somewhere in the web config?
...

How can I set the cookies in my PHP apps as HttpOnly cookies?
...

I am working on a small intranet site for a small company, where users should be able to post. I have imagined a very simple authentication mechanism where people just enter their email address, and get sent a unique login url, that sets a cookie that will always identify them for future requests.
In my template setup, I have base.html,...

I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? ...

The job at hand:
I want to make sure that my website's users view a page before they start a download. If they have not looked at the page but try to hotlink to the files directly they should go to the webpage before the download is allowed.
Any suggestions that are better than my idea to send out a cookie and - before the download sta...

Okay, here is the 411 - I have the following event handler in my Global.asax.cs file:
private void Global_PostRequestHandlerExecute(object sender, EventArgs e)
{
   if (/* logic that determines that this is an ajax call */)
   {
      // we want to set a cookie
      Response.Cookies.Add(new HttpCookie("MyCookie", "true"));
   }
}
Tha...

By default Tomcat will create a session cookie for the current domain.
If you are on www.example.com, your cookie will be created for www.example.com (will only work on www.example.com). Whereas for example.com it will be created for .example.com (desired behaviour, will work on any subdomain of example.com as well as example.com itself...

Hi, I am trying to find a way to read the cookie that I generated in a .NET web application on the PHP page, because I want the users to log in once but they should be able to view .NET and PHP pages. Until the cookie expires, the user should not need to log in again, but both .NET and PHP web applications are on different servers ...

I'm making a small web application in Seaside. I have a login component, and after the user logs in I want to send along a cookie when the next component renders itself. Is there a way to get at the object handling the response so I can add something to the headers it will output?
I'm trying to avoid using WASession>>redirectWithCookies...

I have done a bit of testing on this myself (during the server side processing of a DWR Framework Ajax request handler to be exact) and it seems you CAN successfully manipulate cookies, but this goes against much that I have read on Ajax best practices and how browsers interpret the response from an XmlHttpRequest. Note I have tested on...

Simple example: I want to have some items on a page (like divs or table rows) and I want to let the user click on them to select them. That seems easy enough in jQuery. To save which items a user clicks on with no server-side post backs, I was thinking a cookie would be a simple way to get this done.
Is this assumption that a cookie is...

You're building a web application. You need to store the state for a shopping cart like object during a user's session.
Some notes:
This is not exactly a shopping cart, but more like an itinerary that the user is building... but we'll use the word cart for now b/c ppl relate to it.
You do not care about "abandoned" carts
Once a cart i...

My domain (let's call it www.foo.com) creates a cookie.
On another site (let's say, www.myspace.com), my domain is loaded within an iFrame.
On every browser (Firefox, Opera, Camino, Safari, etc...) except for Internet Explorer, I can access my own cookie. In IE, it doesn't give me access to the cookie from within the iFrame.
Is there a...

Can a cookie be shared between two sites on the same top level domain? Say www.example.com and secure.example.com?
We are looking into implementing a cache for non-secure content, and need to segregate secure content to another domain.
What parameters does the cookie need? I'm using ASP.NET.
...