Anyone worked with SameSite attribute?

I have a requirement to set this attribute to strict.

I see it can have 3 values - none, strict, lax.

Thing is it varies based on the user-agent used, and I am not able to understand how to account for that!

I used this irule on the VS and saw from curl and chrome dev tools that the value for the website is set to none, but the requirement we have is to make it strict..!

https://github.com/f5devcentral/irules-toolbox/blob/master/security/http/cookies/samesite-attributes.tcl

Any thoughts?

Posted by u/thenetworkking in r/f5networks on Sep 01 2021 (2 points)
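An added example, not from the post or the linked iRule, that models the decision a SameSite-aware browser makes so that the three values can be compared on the same request; the site names and helper names are hypothetical, and the Chrome notes in the comments follow the draft-ietf-httpbis-rfc6265bis rules (registrable-domain site computation and Chrome's temporary "Lax+POST" allowance are not modelled).

```python
from dataclasses import dataclass
from typing import Optional

# Methods the Lax rule treats as "safe" for top-level cross-site navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Pull name/value plus the Secure and SameSite attributes out of a
    Set-Cookie header value (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize() or None
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: Cookie, lax_by_default: bool = True) -> str:
    """Resolve the mode the browser actually enforces for this cookie.

    Chrome 80+ treats a missing SameSite as Lax (lax_by_default) and accepts
    SameSite=None only when the cookie is also Secure; otherwise the cookie is
    rejected outright. Older user agents apply no restriction at all, which
    is why the observed behaviour differs between clients.
    """
    if cookie.samesite == "None":
        return "None" if cookie.secure else "Rejected"
    if cookie.samesite in ("Strict", "Lax"):
        return cookie.samesite
    return "Lax" if lax_by_default else "Unrestricted"


def is_sent(cookie: Cookie, request_site: str, cookie_site: str,
            top_level_navigation: bool, method: str,
            lax_by_default: bool = True) -> bool:
    """Decide whether the browser attaches the cookie to a request.

    request_site is the site of the page initiating the request and
    cookie_site the site that set the cookie; both are assumed to be already
    reduced to their registrable domain (hypothetical values in the tests).
    """
    mode = effective_samesite(cookie, lax_by_default)
    if mode == "Rejected":
        return False          # never stored, so never sent
    if request_site == cookie_site:
        return True           # same-site requests are unaffected by SameSite
    if mode == "Strict":
        return False
    if mode == "Lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True               # "None" or an unrestricted legacy cookie
```

Feed the function the Set-Cookie value seen in dev tools or curl to confirm that a header meant to be Strict really resolves to Strict, and to see which cross-site requests a Lax or None cookie would still ride along on.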
Are Secure, HttpOnly, SameSite HTTP Cookies the best way to protect tokens sent to the client?

Are there any other ways to guard tokens in the client?

Posted by u/MRK-01 in r/webdev on Feb 19 2021 (11 points)
X-XSRF-TOKEN not being sent automatically by Axios

I read in Laravel's Sanctum docs that I should call the /sanctum/csrf-cookie/ once and use the response token for subsequent calls to the API. It's written that Axios sends this token automatically, but I guess that's only if you're within the same domain. I am now sending requests from `localhost:3000` to localhost:8080, which might be the reason Axios does not send it automatically in the header.

On my React page, I call the /sanctum/csrf-cookie/ with the following code:

useEffect(() => {
    axios.get('http://localhost:8080/sanctum/csrf-cookie').then((response) =>
        console.log(JSON.stringify(response))
    );
}, []);

and I do see the XSRF-TOKEN cookie generated:

Set-Cookie: XSRF-TOKEN=long-value-here=; expires=Wed, 08-Sep-2021 15:14:28 GMT; Max-Age=7200; path=/; domain=localhost; samesite=lax

But then when I send subsequent POST requests to my API, for example on http://localhost:8080/api/register, I do not see this token in the request headers.

I only see Cookie: laravel_session= but not Cookie: XSRF-TOKEN=

How can I then save the token on the first call and send it on subsequent requests?

Posted by u/Stackerito in r/reactjs on Sep 08 2021 (5 points)
Weekly Discussion for Nightly builds for 2021-06-19 - 2021-06-25

Please use this thread to discuss the latest nightly builds.

If you aren't already using Firefox Nightly, you should join us on the wild side. We get the newest features first, and developers generally listen when we give feedback (since they are generally still working on the features, instead of hearing about it months later once it hits stable).

Download Firefox Nightly!

Don't reuse your old profile folder - Firefox Nightly uses different profiles than stable or beta by default, so you can run Nightly and other versions concurrently. You can use Firefox Sync to keep your settings in sync across release channels.

Things to try out in Nightly

Please do not edit about:config unless you are willing to deal with bugs. Please do not post about issues to Mozilla Support; If you have issues, report them to Bugzilla instead.

Proton

Firefox is releasing a new UI update called Proton, following the last visual update in 2017 (Photon).

If you want to file bugs related to Proton, please see the documentation. You can report bugs without an account.

Fission

You can try out Fission!

  1. Set fission.autostart to true
  2. Restart Firefox
  3. You will see new processes listed as webIsolated= in the Remote Processes section in about:support

Report bugs in Fission to the Fission meta-bug.

Software WebRender

You can try out the software fallback for WebRender for devices that will not get accelerated WebRender support. This will replace the existing Basic renderer in future versions of Firefox, as WebRender continues to be rolled out to more of the Firefox population.

  1. Set gfx.webrender.all to true
  2. Set gfx.webrender.software to true
  3. Restart Firefox

Developers are looking for issues with stability, painting glitches or errors, and noticeable performance issues with page interaction and scrolling. If you are experiencing performance issues, please include a Firefox profile in your report.

Report bugs in soft

... keep reading on reddit

Posted by u/AutoModerator in r/firefox on Jun 19 2021 (12 points)
Django + Chrome - constant notifications about SameSite settings and cookies

My django project (in development, currently) constantly generates these 'hidden' (but unfoldable) errors in Chrome, sometimes in the thousands per page-reload, due to loading youtube videos in iFrames:

"Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute"

I've found all sorts of confusing, conflicting information online about how to handle this. Some people say to use these settings in settings.py:

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'

However, doing so just flat-out doesn't work for me, including leading to multiple other concerns:

  1. the 'secure' settings only work in production, because django in dev uses http, and both secure settings above require https
  2. my project uses Django 2.2 (not by choice, this is a work gig) and if you try to set the samesite settings above to None, Django throws a ValueError and the project crashes on load.
  3. I've seen multiple posts saying the above settings, if used in production, are simply not secure and should be avoided.

All of which leaves me a bit bewildered. Chrome had recent-ish changes that result in this error occurring specifically with Django. I'm using Django 2.2 by requirement of this gig. But even if I used a newer version and could set the above samesite settings to 'None', would that be a good idea? It's also not clear to me if this issue is purely a development thing, or would also be happening in production.

Do I just live with the errors in dev and not worry about it? Is there some other approach to removing them? What exactly will happen in production if all these errors occur in dev?

Any clarification and help with further steps would be much appreciated.

Posted by u/mholloway808 in r/django on Sep 07 2021 (5 points)
No audio playback on Google meet using my earphone on firefox, works on chrome

My earphone gets detected fine in chrome, but in firefox on google meet, under Mic it shows the correct earphone name but under Speaker it shows "System Default" and no sound comes to the earphone. Works fine on youtube while listening to music. Can anyone help? OS: windows 10 Screenshot

About support logs below:

... keep reading on reddit

Posted by u/rogue_of_the_year in r/firefox on Aug 25 2021 (2 points)
CSRF, CORS, and HTTP Security headers Demystified blog.vnaik.com/posts/web-…
Posted by u/anyfactor in r/programming on Apr 30 2021 (105 points)
Cookie Security SameSite question & deployment advice.

I was doing a project where I deployed my frontend on netlify and backend on heroku. Since I'm on the free plan for heroku I couldn't get the same url address as my frontend and thus I was violating the same origin policy.

This meant that my cookies weren't being set until I used the sameSite=none option. I was wondering if what I was doing was safe. For reference, I have the following cookieOptions. I am passing in the JWT token within the cookie! If someone managed to get it they'd essentially be able to log in as the user:

const cookieOptions = {
  expires: new Date(Date.now() + process.env.JWT_COOKIE_EXPIRES_IN * 24 * 60 * 60 * 1000),
  httpOnly: true,
  secure: req.secure || req.headers["x-forwarded-proto"] === "https", // only when we use https
  sameSite: "none", // not a good idea, best to do everything on heroku!
};

I also wanted some advice as to the best deployment option to choose. Right now I'm using netlify and heroku. Not only is the above cors/cookie problem technically an issue but heroku doesn't give the server IP address so for mongodb we have to whitelist access to the server for everyone. I'm also situated in SEA whereas heroku is only in EU and U.S regions.

Do you think it would be better to use something like digital ocean + dokku for deployment vs heroku only vs heroku + netlify, cost considerations included. Given that I'm fairly new to all this, I was wondering what extra things I'd need to do regarding OS maintenance if I choose to use DO (Digital Ocean) and dokku/anything else that would otherwise be covered with heroku.

I'd really appreciate any help :) Constantly second guessing my decision/fairly insecure about this whole thing esp since I want to release this website to the public.

Thanks for reading.

Posted by u/Jordanoer in r/node on Apr 21 2021 (8 points)
Django rest framework, Axios post request: Forbidden (CSRF cookie not set.)

I'm studying/writing session authentication with Django rest framework and VueJs/Quasar.

I have a problem with posting a login request to the Django api. I have a valid CSRF token that I'm attaching in a header, but I'm still getting this server error: "Forbidden (CSRF cookie not set)". I went through lots of materials but nothing would help me; it also seems this is a common problem for cases like mine when working cross-domain.

Definitely need help, wasted already more than a day on this issue itself - Thanks!

Client code:

  1. Axios

const axiosInstance = axios.create({
  baseURL: 'http://127.0.0.1:8000/api/',
  timeout: 5000,
  headers: {
      'Content-Type': 'application/json',
      // 'Accept': 'application/json'
  }
});
axiosInstance.defaults.withCredentials = true;
axiosInstance.defaults.xsrfCookieName = 'csrftoken'
axiosInstance.defaults.xsrfHeaderName = 'X-CSRFToken'
  2. Axios post request to Django login

    axiosInstance.post(
        "login/",
        { username: getters.getUsername, password: getters.getPassword },
        {
          headers: {
            'X-CSRFToken':  dispatch("getCSRF"),
            'Content-Type': 'application/json',
            'X-Requested-With': 'XMLHttpRequest'
          }
        }
      )
      .catch(error => {
        let log = `ERROR: [ login(), "Wrong username or password" ] LOGGED: [ ${error} ]`;
        console.log(log);
        commit("setErrorState", log);
      });

Server code:

  3. Django login view

import json

from django.contrib.auth import authenticate, login
from django.http import JsonResponse
from django.views.decorators.http import require_POST


@require_POST
def login_view(request):
    print(request.headers)
    data = json.loads(request.body)
    username = data.get('username')
    password = data.get('password')

    if username is None or password is None:
        return JsonResponse({'detail': 'Please provide username and password.'}, status=400)

    user = authenticate(username=username, password=password)

    if user is None:
        return JsonResponse({'detail': 'Invalid credentials.'}, status=400)

    login(request, user)
    return JsonResponse({'detail': 'Successfully logged in.'})
  4. Django settings file:

from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent
SECRET_KEY = ')[email protected]$iw&l0&t3$f0(t#_bibuos$c9h1&78#)dgqwa6'

DEBUG = True

ALLOWED_HOSTS = []

... keep reading on reddit

Posted by u/bytefan in r/django on May 22 2021 (3 points)
NVX REST API

I am having trouble understanding the documentation on the rest api for NVX

I have an open ticket with crestron but have not received a response in multiple days, despite many sessions of being on hold and passed around to engineers who are not specialized in this

I am experienced with HTML, javascript, css, etc

I was not experienced with node js but am starting to be..

https://sdkcon78221.crestron.com/sdk/DM_NVX_REST_API/Content/Topics/Authentication.htm

listed in this it says

  • Authentication is only required if you are using a library to access the web service. If the component is built into the Crestron Web UI framework, authentication is handled automatically via HTTPONLY cookies described below.

I don't understand what the 'automatic' authentication is, it seems like a nice option since I have tried using their 'sample' javascript and it has not worked for me, though I might be doing it wrong...

I have run into samesite issues when attempting to save cookies returned by the server after successfully authenticating with fetch() and xmlhttprequest written in <script> sections of my html page, hosted on a simple node js server on localhost

Then I thought maybe I am supposed to be doing this part in a node js server.

I set the code into my node server and it seems to have worked, once I added the rejectUnauthorized: false, but I don't see any json being returned.

Postman is the only place I've been able to get proper json returned after authenticating with POST on /userlogin and then following with a GET on /Device/DeviceInfo/

When I try in my browser I get a 200 response after authentication, but then following with a get of deviceinfo it does a 301 redirect back to userlogin.

When checking cookies I see that the cookies refuse to be saved because the server response header did not have samesite, so it defaulted to lax. From what I understand I cannot edit the server's settings.

I haven't tried websocket, as I'm not experienced with it, but I figured given my background in web development using my own web servers, this could be easy, but without controlling the server myself I'm unsure how to do this.

My only idea is perhaps I'm supposed to use node js as an intermediary server to deal with authentication cookie storage and set up functions to pass get/post actions from the html UI, but the difficulty is that I need to do this for hund

... keep reading on reddit

Posted by u/schiz0yd in r/crestron on Jun 11 2021 (5 points)
Having problems logging into & using Disney+ on my Roku, Surface tablet & smartphone.

I keep getting messages with "error code 83" on devices that I am not logged into & "error code 90" on devices that are already logged in. I'm thinking it might be a problem with my router/IP address as I have tried restarting some of my devices & that didn't fix it. Could the problem be on my end, or are others having this problem? The app does work on mobile.

Posted by u/Route66Fan in r/DisneyPlus on Dec 26 2020 (7 points)
Azure Web App and cookies

Hi,

I don't get cookies working together with Azure Web Apps. If I'm running my app locally everything is working well. But if I'm deploying my app in Azure, I don't get my cookie set.

This is what I'm trying to do, and what is working locally:

User navigates to https://myazurewebapp.com/?name=username

from flask import Flask, make_response, redirect, request

app = Flask(__name__)
app.secret_key = "xXWhq.t5SSYjG6LR3fbQ_PWGsFurdawRgSh+"

@app.route("/", methods=["GET", "POST"])
def home():
    currentuser = request.args.get('name')
    resp = make_response(redirect("/"))
    resp.set_cookie('Name', currentuser, samesite='None', secure=True)
    # ......more code........

What some how works is if I'm accessing https://myazurewebapp.com/setcookies?name=username

@app.route('/setcookie')
def setcookie():
    currentuser = request.args.get('name')
    print(f"setcookie: {currentuser}")
    # resp = make_response(f"cookie has been set")
    resp = make_response(redirect("/"))
    resp.set_cookie('Name', currentuser, samesite='None', secure=True)
    print(request.cookies.get('Name'))
    return resp

This is setting the cookie for a sec, but the cookie disappears as soon as the site does the redirect. But if I'm visiting https://myazurewebapp.com/?name=username afterwards, the cookie appears again.

Don't know what I'm doing wrong.

Appreciate any help!

Posted by u/alex543212345678 in r/flask on Jun 30 2021 (3 points)
How to set samesite=none when using a reverse proxy in HTTP or equivalent

I am trying to set up an application in an iframe but can't get cookies through. How can I use samesite=none in HTTP or equivalent? The app is offline, doesn't have internet access, so I don't worry about security.

Posted by u/erik_b1242 in r/nginx on Jun 19 2021 (2 points)
Android 12- Features That You Need To Know

Android 12 is here! Google releases a major software update each year to its android mobile operating system. In 2020, it released Android 11. In 2021, it announced Android 12, which is now available in the form of a developer preview. With this initial build, users can now install the OS on compatible devices. Google is improving and presenting a host of features in its most recent iteration of Android. Changes to media handling and notification support, improvements to privacy and haptic feedback and more polished notification UI all make the cut. Let's see the major confirmed features of Android 12.

Features of Android 12-

1. Easy Wi-fi Sharing-

In Android 11, if you want to share your current Wi-Fi connection with anybody, you can create a QR code easily. But in Android 12, you can avoid barcode scanning and just click the "Nearby" button you can see below the QR code. This will use Android's Nearby Share feature to transmit the Wi-Fi credentials to whomever you like. While scanning the QR code is quite simple, this new feature allows you to share the connection data with multiple individuals without handing your phone around for everyone to scan. That is certainly more helpful!

2. More Screenshot Markup Options-

With a Pixel device, if you capture a screenshot, you can markup that shot with paintbrush-like tools. With Android 12, you can add text, Emoji and stickers to your screenshots using the same tool. This is not a big change but, it may prevent users from needing a third-party app to do the same thing.

3. Improved Cookie Management-

Android 12 is adding support for SameSite cookie behaviors to WebView. The SameSite feature enables developers to announce in the case a cookie must be restricted to a specific site. This inclusion must enhance the cookie management of Android 12 across various applications and OS. The top Android browsers already support this feature.

4. AVIF Image Support-

Android 12 launches AVIF image support. It is an image format that promises improved image quality over JPEG without penalty for larger file sizes. The format uses open-source video codec AV1, that was first introduced to Android 10.

5. Compatible Media Transcoding-

Though HEVC is growing in popularity, the video compression standard is not supported by all apps. Now, Google is ready to introduce a transcoding layer to Android 12 that will let unsupported apps take advantage of video compression. Video capture apps that don't sup

... keep reading on reddit

Posted by u/SolaceInfotech in r/androiddev on Mar 01 2021 (41 points)
For what reasons is 'withCredentials: true' not working for storing cookies in the browser?

For some reason the http cookies sent from my server aren't stored, but I can see the Set-Cookie in the response header.

I tried changing the cookies to:

response.cookie('myCookie', myCookie, {
    httpOnly: true, // I tried with false
    maxAge: COOKIE_EXPIRATION,
    secure: false, // I tried with true
    sameSite: "none", // I tried the default (the value must be a string, not a bare identifier)
  });

Also I change my chrome://flags/ :

  • SameSite by default cookies: Disabled
  • Cookies without SameSite must be secure: Disabled

At the end I solved my problem creating a proxy: https://angular.io/guide/build#proxying-to-a-backend-server

But still, why was it not possible to store the http cookies sent by my server? Is that related to the browser and not the Frontend/Backend?

Posted by u/NeoCiber in r/angular on Apr 29 2021 (2 points)
Can't delete __cfduid with greasemonkey

I run document.cookie="__cfduid=;Domain=.domain.com"; in greasemonkey but the cookie remains (unchanged).

Note: the only difference is value, path, httpOnly, isSecure and sameSite

Posted by u/userDG999 in r/firefox on Apr 14 2021 (2 points)
Software Security Fundamentals

Plan for security from the start.

Keep it simple to keep the attack surface minimum.

Model possible threats.

Ask what can go wrong.

Any user input is an attack vector.

Never trust any input, always validate, always sanitize

Libraries and network calls are attack vectors.

Use well-known tried and tested libraries only,

and keep them updated

use HTTPS, don't allow HTTP access to secure pages

Enforce strong passwords,

never keep plain-text passwords,

do not encrypt passwords,

hash them with a salt

Write exploit code to test your patches

Don't try to roll your own security solutions, it's a community effort

Log suspicious activity,

like failed login attempts,

invalid input,

statistically rare or unexpected events

Avoid security through obscurity

Do not hide secrets in code,

make sure they wonโ€™t end up in public repos

Be aware of buffer overflow attacks

Consider all cases, allow, disallow, exception

No system is 100% secure, security is an example of "unknown unknowns"

authentication

Use 2-factor auth

Add exponential delay to repeated login attempts

Lock account after repeated failed login attempts

authorization

Use authorization levels.

Least privilege, never grant more access than required.

Separation of privileges, so your system is not all or nothing

Use allow-lists, not block-lists

SQL

Parametrize SQL queries to prevent SQL injection

Cookies

They are mainly used for managing sessions, tracking, and personalization

Prepend with __Host- to restrict cookie on a specific domain (no subdomains)

Prepend cookies with __Secure- to prevent them from being overwritten.

The __Host- prefix is stricter than __Secure-

Expires
set an expiration

Secure header make cookies HTTPS

HTTPOnly header to prevent JavaScript access

SameSite to prevent sending the cookie via cross-origin requests

// HttpOnly is ignored when a cookie is written from document.cookie; it only takes effect in a Set-Cookie response header
document.cookie = "__Host-username=Jane; Secure; HttpOnly; Path=/; SameSite=Strict";

Cross-site request forgery CSRF

CSRF is forgery of a valid request.

It is possible to forge a fake request if

  1. the only mechanism to track user session is a cookie,
  2. all request parameters predictable

To prevent it, we need at least one unpredictable parameter, a CSRF token.

This token is a large random value, unique per user & per user session.

Make sure your forms have CSRF tokens.

CSRF tokens should not be sent within cookies.

Use SameSite header to

... keep reading on reddit

Posted by u/weownnothing in r/learnprogramming on Feb 19 2021 (54 points)
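Two of the points in the notes above, written out as an added example (not the poster's code): a Set-Cookie builder that enforces the __Host-/__Secure- prefix rules a browser applies before accepting such a cookie, and a per-session CSRF synchronizer token that is issued server-side and checked with a constant-time compare. Function and class names are hypothetical.

```python
import hmac
import secrets
from typing import Dict, Optional


def prefix_violation(name: str, secure: bool, path: str,
                     domain: Optional[str]) -> Optional[str]:
    """Return why a prefixed cookie name would be rejected by the browser,
    or None if the attributes satisfy the prefix's rules.

    __Secure- requires the Secure attribute; __Host- additionally requires
    Path=/ and no Domain attribute, which pins the cookie to exactly the
    host that set it (no subdomains)."""
    if name.startswith("__Host-"):
        if not secure:
            return "__Host- cookies must be Secure"
        if path != "/":
            return "__Host- cookies must have Path=/"
        if domain is not None:
            return "__Host- cookies must not set Domain"
    elif name.startswith("__Secure-"):
        if not secure:
            return "__Secure- cookies must be Secure"
    return None


def build_set_cookie(name: str, value: str, *, secure: bool = True,
                     http_only: bool = True, path: str = "/",
                     domain: Optional[str] = None, same_site: str = "Strict",
                     max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value, refusing combinations a browser
    would silently drop instead of emitting them."""
    problem = prefix_violation(name, secure, path, domain)
    if problem:
        raise ValueError(problem)
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    parts = [f"{name}={value}", f"Path={path}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


class CsrfTokens:
    """Synchronizer-token store: one random token per session, held
    server-side and embedded in forms (never delivered as a cookie)."""

    def __init__(self) -> None:
        self._by_session: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        """Constant-time comparison so a timing side channel cannot leak
        the expected token byte by byte."""
        expected = self._by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)
```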
Is this a CORS issue? JS beginner here.

I'm trying to connect with the Unsplash API, using a fetch request, and storing results in a variable. Weird thing, I could see the photos array pull up in my console, however it stopped working randomly and whenever I console log now, I get this issue: "Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute"

I tried to combine the apiUrl with the proxyUrl = ('https://cors.anywhere-herokuapp.com/'), but I'm still getting the issue.

Posted in r/learnprogramming on Jun 08 2021 (2 points)
Cross site cookies, need help

Hi guys, I'm trying to resolve an issue with cookies and sessions for about 2 weeks. I'm pretty desperate tbh. I've developed an app in react and node js. I've published my front end to netlify and back end to Heroku. And all of a sudden cookies and sessions stopped working.

I create a session with its own cookie but it is not received in front end. No warnings nothing.

Cors origin is set to my front end url and credentials are set to true.

In my Axios call I set withCredentials to true. I'm calling to https://myapp2.heroku.com

In express-session I have sameSite none and secure true. I've tried to specify domain also to https://myapp.netlify.app but that didn't help.

When I'm looking at logs on Heroku the session isn't persisting and no cookies are coming from the front end after another http request.

On local host everything works perfect. Could that be by different domains?

Posted by u/aethernal3 in r/webdev on Jan 28 2021 (2 points)
Acronis Cyber Platform: Recent updates (Dec'2020)

Hello r/Acronis, below are the most recent updates concerning Acronis Cyber Platform.

This is a new type of content here, so please share your feedback if you'd like to see such updates in the future.

New Releases

  1. Acronis Cyber Cloud 20.12 includes Active Protection support for Linux environments, viewing and management of quotas for multiple devices in Cyber Protection console, proper handling of SameSite cookie attribute and other improvements. Learn more
  2. Acronis Cyber Infrastructure 4.0 Update 1 includes support of quota multiplier, improvement of backup gateway logging to track TLS connection properties, support of network QoS policies for virtual machines, and other improvements and fixes. Learn more
  3. ConnectWise Control 1.1 release introduced improved support for Acronis Cyber Protect Cloud, integrated link to drive trials via ConnectWise marketplace, new permissions management, agent deployment improvements based on partners' feedback. Please watch a demo video on YouTube or see the release notes.
  4. Acronis plugin for WHM and cPanel 1.6.1 includes stability improvements for metadata collection during backup. Learn more

Strategic Initiatives

  1. As a part of Cloud Distributor marketplaces initiative, we are happy to announce that Acronis Cyber Cloud is now integrated with PAX8 and ALSO cloud marketplaces, which allows to automate onboarding and billing of Acronis partners through PAX8 and ALSO.
  2. One of the goals of Acronis Cyber Infrastructure and Data Center operability initiative is streamlining Acronis Cyber DC deployment. On 22nd December 2020 we announced the availability of a new cloud data center in Eschen, Liechtenstein. Learn more (German).

Partner Updates

  1. GoDaddy's brand Velia went live with Acronis Cyber Protect Cloud on 15th December 2020. Acronis offering is now available on Velia server marketplace.
  2. Jan-Jaap Jager delivered Acronis Cy
... keep reading on reddit

Posted by u/bagaudin in r/acronis on Jan 13 2021 (5 points)
Any ideas why browser is not accepting cookie from a docker container but does when running locally?

I have a node.js app (graphql and passport) using express-session and redis.

When I run the app locally the browser takes the cookie fine, and sends it back to the server on subsequent requests, therefore being "logged in".

But when I run the same app as a dockerized version and click "log in" I can see the "Set-Cookie" in the response header (in chrome)

but it doesn't log me in, and when I go to see application -> storage -> cookies there is no cookie stored, despite Set-Cookie being sent from the server....

I tried reading through "express-session" docs, and their "specs" page:

https://www.npmjs.com/package/express-session https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7

and I suspect that it's something to do with a cookie security, httpOnly, or sameSite settings but after reading through their instructions it seems like the default settings should work, so I'm not sure what the problem could be.

// const redisClient = redis.createClient({ host: "127.0.0.1", port: 6379 }); // localhost auth DOES work
const redisClient = redis.createClient({ host: "redis", port: 6379 }); // docker

app.use(
  session({
    name: "omgqid",
    store: new RedisStore({
      client: redisClient,
      disableTouch: true,
    }),
    // cookie: {
    //   maxAge: 1000 * 60 * 60 * 24 * 365 * 10, // 10 years
    //   httpOnly: true,
    //   sameSite: "lax", // csrf
    //   secure: process.env.NODE_ENV === "production", // cookie only works in https
    // },
    genid: (req) => {
      //console.log("genid req: ", req.headers);
      return uuidv4();
    },
    secret: SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
  })
);

Been playing around with it but can't get it to work. Any suggestions?

Posted by u/fastpenguin91 in r/node on Nov 27 2020 (21 points)
JWT - How do we trigger "/token" route to get a refresh token?

I am following this tutorial:

https://github.com/hnasr/javascript_playground/blob/master/jwt-course/jwt-final/jwtAuth.mjs

A lot of tutorials implement the "/token" route to generate a new refresh token. How do we trigger "/token" so that we can get a new refresh token? For example, once my access token expires, how do I call "/token" to get a refresh token?

The "/token" route generally looks like this:

app.post("/token", async (req, res) => {

    const token = req.body.refreshToken;
    const user = await validateToken(token, JWT_REFRESH_SECRET)
    
    if (user === null) {
        res.sendStatus(403);
        return;
    }
    //now that we know the refresh token is valid 
    //lets take an extra hit the database 
    const result = await pool.query("select * from jwt_auth where token = $1", [token])
    if (result.rowCount == 0)
        res.sendStatus(403);
    else
    {
      //sign my jwt 
      const payLoad = {"name": user.name,
      "role": user.role }
      //sign a brand new accesstoken and update the cookie
     const token = jwt.sign(payLoad, JWT_SECRET , { algorithm: 'HS256', expiresIn: '30s'})
     //maybe check if it succeeds..                          
     res.setHeader("set-cookie", [`JWT_TOKEN=${token}; httponly; samesite=lax`])  
     res.send({
         "message": "Refreshed successfully in successfully"
     })
    }
})

If it helps, here's the login route:

app.post("/login", async (req, res) => {
    try { 
    const sql = "select * from jwt_auth where username = $1"
    const result = await pool.query(sql,[req.body.user]);
    
    
    //fail
    if (result.rowCount === 0)
        res.send({"error": "Incorrect username or password"})
    else {
        //compare salted password
        const saltedPassword = result.rows[0].password  ;
        
        const successResult = await bcrypt.compare(req.body.password, saltedPassword)
     
        //logged in successfully generate session
        if (successResult === true) 
        {
            //sign my jwt 
            const payLoad = {"name": result.rows[0].username,
             "role": result.rows[0].role }
            const token = jwt.sign(payLoad, JWT_SECRET ,
... keep reading on reddit ➡

👍︎ 26
📰︎ r/node
💬︎
👤︎ u/badboyzpwns
📅︎ Dec 11 2020
🚨︎ report
Download GoogleDrive video shared with my account

Hi guys maybe this is a noob question but I haven't been able to find the answer. When I try to download a video that was shared with my account I get the "Unable to extract OpenGraph title" error, but I suspect that it's because youtube-dl doesn't have authorisation to view the video in the first place. Is there a way to input my credentials so the video can be accessed? I installed youtube-dl with pip in windows and just checked for updates.

Console output.

C:\Users\Administrator>youtube-dl --verbose https://drive.google.com/file/d/1MLjJ4HLyGBnY2QO1efOwlv8-7doETe2b
[debug] System config: []
[debug] User config: []
[debug] Custom config: []
[debug] Command-line args: ['--verbose', 'https://drive.google.com/file/d/1MLjJ4HLyGBnY2QO1efOwlv8-7doETe2b']
[debug] Encodings: locale cp1252, fs utf-8, out utf-8, pref cp1252
[debug] youtube-dl version 2020.11.19
[debug] Python version 3.8.3 (CPython) - Windows-10-10.0.17763-SP0
[debug] exe versions: none
[debug] Proxy map: {}
[GoogleDrive] 1MLjJ4HLyGBnY2QO1efOwlv8-7doETe2b: Downloading webpage
ERROR: Unable to extract OpenGraph title; please report this issue on https://yt-dl.org/bug . Make sure you are using the latest version; see  https://yt-dl.org/update  on how to update. Be sure to call youtube-dl with the --verbose flag and include its complete output.
Traceback (most recent call last):
  File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\site-packages\youtube_dl\YoutubeDL.py", line 797, in extract_info
    ie_result = ie.extract(url)
  File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\site-packages\youtube_dl\extractor\common.py", line 532, in extract
    ie_result = self._real_extract(url)
  File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\site-packages\youtube_dl\extractor\googledrive.py", line 179, in _real_extract
    default=None) or self._og_search_title(webpage)
  File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\site-packages\youtube_dl\extractor\common.py", line 1122, in _og_search_title
    return self._og_search_property('title', html, **kargs)
  File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\site-packages\youtube_dl\extractor\common.py", line 1110, in _og_search_property
    escaped = self._search_regex(og_regexes, html, name, flags=re.DOTALL, **kargs)
  File "c:\users\administrator\appdata\local\progr
... keep reading on reddit ➡

👍︎ 6
📰︎ r/youtubedl
💬︎
👤︎ u/M-y-P
📅︎ Nov 19 2020
🚨︎ report
Load Balancer Sticky Sessions "SameSite" attribute

I am getting warnings from my browser about the load balancer sticky session cookies:

> Cookie “HCLBSTICKY” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Is there a plan to set the SameSite cookie (or have an option to), or to make it secure?

👍︎ 2
📰︎ r/hetzner
💬︎
👤︎ u/lindymad
📅︎ Mar 08 2021
🚨︎ report
Can’t seem to get session cookies working

I’m trying to build a website alongside an API, the site is hosted on Vercel and the API is hosted on Heroku. SSL should be configured properly for everything, as it all passes through cloudflare. The website utilizes Discord’s OAuth2 for user authentication (tl;dr user authorizes on discord, I get a code, I POST request to discord for token)

Relevant libraries being used: Axios, Express

Problem: At first connection, my website client sends a GET request to the api for a session ID. The API generates a session and sends it to the site via cookies: res.writeHead(200, { "Set-Cookie": `hikariSid=${sessionData[0]}; Expires=${expiration}; HttpOnly;` });

The cookie appears to be saved correctly as when my client makes a post request to my api with the code for discord, I am able to read the session ID in the request under req.cookies.hikariSid

However, when my client tries to make a second request, this time a GET, the session ID cookie is no longer sent and the server only sees undefined when trying req.cookies.hikariSid.

I’ve tried changing the HttpOnly; Secure; SameSite flags on the cookie, I’ve tried changing CORS Policies, I’ve tried setting a domain on the cookie, I’ve set up Axios to use withCredentials: true, but nothing seems to fix the issue. It’s as if the browser simply deletes the cookie after it uses it once. And expiration is set to be an hour after the session is initiated (I’ve checked this through Postman)

The website is hikari.pundora.org and the API is api.pundora.org so I’m tempted to assume there might be some cross origin issues involved but I’m not getting any CORS errors in any console.

The endpoint for grabbing a session ID is GET https://api.pundora.org/api/auth/session

Any help with a nudge in the right direction or some code would be greatly appreciated! Hopefully I’ve explained everything clearly~

Update: variable clarification - sessionData[0] is a string, and expiration is a Date object with Date.now() + 3600000

👍︎ 2
📰︎ r/webdev
💬︎
👤︎ u/Pundoraa
📅︎ Jan 22 2021
🚨︎ report
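Both posts above (the HCLBSTICKY warning and the hikari.pundora.org / api.pundora.org session cookie) come down to three checks a practitioner runs before blaming the browser: what the Set-Cookie header actually says, whether the two hosts are same-site at all, and whether the API answers credentialed cross-origin requests correctly. The block below is an added example, not code from either post. Its public-suffix set is a tiny stand-in for the real public suffix list and the sample headers in the tests are constructed from the posts.

```javascript
// Added example (not code from either post): a lint for Set-Cookie values that reports
// what current browsers will do with them, a same-site check for two origins, and the CORS
// headers a credentialed cross-origin request needs. PUBLIC_SUFFIXES is an assumed subset.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "io", "co.uk", "github.io"]);

// Parse one Set-Cookie value into name, value and a lower-cased attribute map
function parseSetCookie(header) {
  const [pair, ...rest] = String(header).split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;                     // no name=value: browsers drop the header
  const attrs = new Map();
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i < 0 ? true : a.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs };
}

// crossSite: the cookie has to ride on cross-site fetch/XHR; https: the response is over TLS
function lintSetCookie(header, { crossSite = false, https = true } = {}) {
  const c = parseSetCookie(header);
  if (!c) return ["malformed: no name=value pair, the browser ignores this header"];
  const issues = [];
  const raw = c.attrs.get("samesite");
  const sameSite = typeof raw === "string" ? raw.toLowerCase() : "";
  const secure = c.attrs.has("secure");
  if (raw !== undefined && !["strict", "lax", "none"].includes(sameSite)) {
    issues.push(`SameSite=${raw} is not a valid value (Strict, Lax or None)`);
  }
  if (sameSite === "none" && !secure) issues.push("SameSite=None without Secure: rejected by current browsers");
  if (secure && !https) issues.push("Secure set on a response over plain http: the browser drops the cookie");
  if (crossSite && sameSite !== "none") {
    issues.push(sameSite
      ? `SameSite=${raw}: not sent on cross-site fetch/XHR`
      : "no SameSite attribute: Chrome defaults it to Lax, so cross-site fetch/XHR will not carry it");
  }
  if (!secure) issues.push("no Secure: the cookie is also sent over plain http");
  if (!c.attrs.has("httponly")) issues.push("no HttpOnly: readable from script");
  return issues;
}

// eTLD+1 from the assumed suffix set (use the real public suffix list in production)
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) return labels.slice(i).join(".");
  }
  return labels.join(".");
}

// Same-site = same scheme and same registrable domain; subdomains and ports do not matter.
// Cross-origin is a separate question: a different host or port still needs CORS.
function isSameSite(originA, originB) {
  const a = new URL(originA), b = new URL(originB);
  return a.protocol === b.protocol && registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Credentialed CORS: echo the one allowed origin (never "*") and vary the cache on it
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;   // answer without CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

Run against the posts' own cases: the HCLBSTICKY cookie with SameSite=None and no Secure is exactly the combination the lint flags as rejected. hikari.pundora.org and api.pundora.org share the registrable domain pundora.org, so they are same-site and SameSite restrictions do not apply to that cookie; they are still cross-origin, so the API needs the credentialed CORS headers and the client needs withCredentials for the cookie to be sent and stored.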
Chrome - Cookie Legacy SameSite Policies - Group Policy?

Chrome has had some updates and we need to use the following as one of our applications now doesn't work properly due to the change

https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies

I can't find a setting similar to this in our Chrome GPO, do we need to update the ADM files or does the setting have to be rolled out another way?

Also the main users are actually on Android Chrome which obviously won't hit a GPO, so can the setting be configured via MDM too?

👍︎ 5
📰︎ r/sysadmin
💬︎
👤︎ u/k6kaysix
📅︎ Nov 23 2020
🚨︎ report
Spring '20 Release Notes - Abridged Edition

The Salesforce Discord Collective Presents:
THE SPRING 20 RELEASE NOTES - ABRIDGED
Bug Fixes & Various Impro.... wait this isn't the app changelog.


CRITICAL STUFF

GENERAL STUFF

  • In-App Guidance can now be [set by profile](h
... keep reading on reddit ➡

👍︎ 174
📰︎ r/salesforce
💬︎
👤︎ u/Windyo
📅︎ Jan 02 2020
🚨︎ report
SameSite cookie from flask not being added since we have an old version of Flask

I have a flask app running on my server, we're using uwsgi.

Flask version: 0.11.1

Problem: Cookies returned from our flask app do not contain SameSite=None; , I tried editing our flask config file by adding these:

SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SAMESITE='None'

but that didn't work since our version of flask does not support SameSite.

In our nginx config:

server {
    ...
    uwsgi_pass <local_ip>;
    include uwsgi_params;
    proxy_cookie_path / "/; SameSite=None; Secure";
}

proxy_cookie_path didn't work since we are using uwsgi_pass instead of nginx proxy_pass

Finally, the cookie in the response is handled by flask sessions, so I am not setting the value manually. Thus we weren't able to use response.set_cookie()

I dug into the code of flask and have reached the dump_cookie() function where the Set-Cookie header is being added, but wasn't able to come up with a fix.

Is there a way to edit the uwsgi cookie from the nginx config? Or to edit the cookie of Flask's session?

👍︎ 3
📰︎ r/flask
💬︎
👤︎ u/riadrifai22
📅︎ Aug 26 2020
🚨︎ report
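When the framework cannot emit the attribute itself, as with the Flask 0.11 session cookie in the post above, the Set-Cookie header has to be rewritten after the fact, either at the proxy or in a response hook (Flask's after_request can edit response.headers even on old versions). What that rewrite must get right is the same in any language: touch only the session cookie, replace rather than duplicate an existing SameSite or Secure, never add Secure to a cookie served over plain http, and be idempotent so stacked proxies do not break it. The block below is an added example in Node, not the post's code or Flask's; "session" is assumed to be the unchanged Flask default cookie name and the header samples are constructed.

```javascript
// Added example, not the post's code: the rewrite a proxy or response hook applies to
// Set-Cookie headers from an app that cannot emit SameSite itself. The cookie name is
// Flask's default "session" (assumption: SESSION_COOKIE_NAME left unchanged).
const SESSION_COOKIE = "session";

// Add "SameSite=None; Secure" to the named cookies, replacing any existing SameSite/Secure,
// and leave every other cookie and attribute untouched. Idempotent.
function addCrossSiteAttrs(setCookie, { names = [SESSION_COOKIE], https = true } = {}) {
  const parts = String(setCookie).split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return setCookie;
  const name = parts[0].split("=")[0].trim();
  if (!names.includes(name)) return setCookie;          // not ours: pass through unchanged
  // SameSite=None is only honoured together with Secure, and a Secure cookie set over
  // plain http is dropped by the browser, so the rewrite is skipped off TLS
  if (!https) return setCookie;
  const kept = parts.filter((p) => !/^samesite(\s*=|$)/i.test(p) && !/^secure$/i.test(p));
  return [...kept, "SameSite=None", "Secure"].join("; ");
}

// Node hands repeated Set-Cookie headers over as an array; accept either form
function rewriteSetCookies(headers, opts) {
  const list = Array.isArray(headers) ? headers : [headers];
  return list.map((h) => addCrossSiteAttrs(h, opts));
}
```

One caveat that matters once the cookie carries SameSite=None: Safari on iOS 12 and macOS 10.14 treats SameSite=None as Strict, so deployments that still serve those clients usually gate this rewrite on the User-Agent and leave the attribute off for them.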
MAJOR Windows 7, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2 updates for 1/14/20 (Windows 7 End of Life)

Via the Microsoft Support website (8.1/2012 R2, 7/2008 R2):

For Windows 8.1 and Windows Server 2012 R2:

  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Addresses an issue in which netdom.exe fails to correctly identify trust relationships when an unconstrained delegation is explicitly enabled by adding bitmask 0x800 to the trust object. The bitmask setting is required because of security changes to the default behavior of unconstrained delegations in Windows updates released on or after July 8, 2019. For more information, see KB4490425 and the article, 6.1.6.7.9 trustAttributes.
  • Addresses an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.
  • Security updates to the Microsoft Scripting Engine, Windows Input and Composition, Windows Media, Windows Storage and Filesystems, and Windows Server.

For Windows 7 and Windows Server 2008 R2:

  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Security updates to the Microsoft Scripting Engine, Windows Input and Composition, Windows Storage and Filesystems, and Windows Server.

>Starting on January 15, 2020, a full-screen notification will appear that describes the risk of continuing to use Windows 7 Service Pack 1 after it reaches end of support on January 14, 2020. The notification will remain on the screen until you interact with it. This notification will only appear on the following editions of Windows 7 Service Pack 1:

>* Starter.

>Note The notification will not appear on domain-joined machines or machines in kiosk mode.


**As of this update, Windows 7 support has ended, bringing with it a conclusion

... keep reading on reddit ➡

👍︎ 62
📰︎ r/windows
💬︎
👤︎ u/wickedplayer494
📅︎ Jan 14 2020
🚨︎ report
November 2019 .NET/ASP.NET Documentation Update

TLDR; This is a status update on the .NET documentation. If you want me to do more of those (once a month), please let me know in the comments!

Comment: If you have suggestions, please let me know in the comments. Any product feedback will be forwarded to the proper product team.

Hi everyone!

So .NET Core 3.1 has finally been released in the last few days, so expect lots of things related to this.

This update covers everything that happened since November 1st through December 4th. Although not everything has yet been updated for 3.1, expect a lot more coming next month!

If you still don't know me, my name is Maxime Rouiller and I'm a Cloud Advocate with Microsoft. For this month, I'm covering three major products:

You'll find a nice legend below that explains and highlights articles that I think deserve special attention.

Legend

  • 📢: Major/Main article that everyone will want to read
  • 💥: Important/Must read.
  • ✨: Brand new page

Note: It's not because a page doesn't have an icon that it isn't important. Everything here is either brand new or significantly modified.

Themes this month

  • .NET
    • System.Text.Json documentation
    • C# 8.0 Updates
    • C# 8.0 Spec updates
    • New C# landing page
    • New API docs
    • SameSiteMode updates
  • ASP.NET
    • React to identified problems with the 3.0 release
    • Article updates for 3.0
    • SameSiteMode updates

.NET

JSON

API docs

We've added documentation for 444 APIs.

SameSiteMode updates:

.NET Core

Compatibility

  • โœจ [Breaking
... keep reading on reddit ➡

👍︎ 100
📰︎ r/csharp
💬︎
👤︎ u/MaximRouiller
📅︎ Dec 06 2019
🚨︎ report
Chrome Login Fix / Cant log in

When logging in with Google Chrome (I use google account login) many have had issues. For me the issues were due to a new thing that chrome enforces with cross site settings.

A quick temporary fix (Note that this will disable a security feature and do at own risk etc). go to chrome://flags/#same-site-by-default-cookies and disable it then restart chrome. This fixed the issue for me. I based this off of this post https://stackoverflow.com/a/60592944 as the error I got was a SameSite warning. A solution for the Devs is something like "response.setHeader("Set-Cookie", "name=value; HttpOnly; Secure; SameSite=Strict");" depending on the language and webserver. read more here: https://web.dev/samesite-cookies-explained/

Hopefully this helps someone.

👍︎ 8
📰︎ r/thingiverse
💬︎
👤︎ u/Epsilum-Design
📅︎ Aug 17 2020
🚨︎ report
Firefox refuses to load this one particular site

I'm using Firefox on my mac but I've tested it on my Windows computer and the behavior is the same. It will not load https://paulswoodwork.net. That's a site I'm working on for a friend. MS Edge will load it, Safari will load it, but FF will not. FF will load any other site with no problem.

What I've tried so far:

  1. Uninstalled/reinstalled FF
  2. Cleared ALL cache/cookies/history/etc with the "everything" setting
  3. Cleared my local cache on my machine (again, it doesn't work on the Windows machine either)
  4. Signed out of my FF browser and then back in
  5. Disabled all addons (I only had two anyway)

I'm at my wit's end!!!!! lol... Please send help :) Version 86.0 64 bit on mac

**UPDATE** As I tabbed back, it FINALLY loaded. That took the time it took me to post this message, about 2-3 minutes to load.

Application Basics
------------------

Name: Firefox
Version: 86.0
Build ID: 20210222142601
Distribution ID:
Update Channel: release
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:86.0) Gecko/20100101 Firefox/86.0
OS: Darwin 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64
Rosetta Translated: false
Multiprocess Windows: 1/1
Fission Windows: 0/1 Disabled by default
Remote Processes: 4
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false

Crash Reports for the Last 3 Days
---------------------------------

Firefox Features
----------------

Name: DoH Roll-Out
Version: 2.0.0
ID: [email protected]

Name: Firefox Screenshots
Version: 39.0.0
ID: [email protected]

Name: Form Autofill
Version: 1.0
ID: [email protected]

Name: Web Compatibility Interventions
Version: 19.0.0
ID: [email protected]

Name: WebCompat Reporter
Version: 1.4.0
ID: [email protected]

Remote Processes
----------------

Type: Web Content
Count: 1 / 8

Type: Extension
Count: 1

Type: Privileged About
Count: 1

Type: Preallocated
Count: 1

Add-ons
-------

Name: Amazon.com
Type: extension
Version: 1.3
Enabled: true
ID: [email protected]

Name: Bing
Type: e
... keep reading on reddit ➡

👍︎ 6
📰︎ r/firefox
💬︎
👤︎ u/Pleaseclap4
📅︎ Mar 05 2021
🚨︎ report
