How to validate if the cookie was created by the server?

Viewed 78 times

Summary: I have a web service with Quarkus (JAX-RS) and Vue.js; I validate Basic Authentication and then I create an encrypted httpOnly cookie...

When I receive a new request I cannot check whether this cookie is httpOnly, as what is returned is not a javax.ws.rs.core.NewCookie but a javax.ws.rs.core.Cookie

import javax.ws.rs.container.ContainerRequestContext
import javax.ws.rs.container.ContainerRequestFilter
import javax.ws.rs.container.ContainerResponseContext
import javax.ws.rs.container.ContainerResponseFilter
import javax.ws.rs.core.HttpHeaders
import javax.ws.rs.core.NewCookie
import javax.ws.rs.core.Response
import javax.ws.rs.ext.Provider

@Provider
open class RequestSecurity : ContainerRequestFilter {
    [...]
    // Parameter declared non-null: JAX-RS never passes a null context, and the
    // body below dereferences it without a safe call.
    override fun filter(requestContext: ContainerRequestContext) {
        [...]
        if (requestContext.uriInfo.path != "/login") {
            // my problem is here: requestContext.cookies yields javax.ws.rs.core.Cookie,
            // which carries only name/value/path/domain, not the HttpOnly flag
            val cookie = requestContext.cookies[cookieSuffix]
            if (!cookie.isHttpOnly) {
                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build())
                return
            }
        } else {
            // Login: build the cookie the response filter will emit as Set-Cookie
            val cookie = NewCookie(
                    cookieSuffix,
                    encrypt(),
                    "/",      // path
                    null,     // domain
                    null,     // comment
                    3600,     // maxAge in seconds
                    false,    // secure
                    true      // httpOnly
            )

            requestContext.setProperty("cookieCriptografado", cookie)
        }
    }
}

@Provider
class ResponseSecurity : ContainerResponseFilter {
    override fun filter(requestContext: ContainerRequestContext?, responseContext: ContainerResponseContext?) {
        // Pick up the NewCookie stored by the request filter and add it to the response
        val cookieProperty = requestContext?.getProperty("cookieCriptografado")
        if (cookieProperty != null && cookieProperty is NewCookie) {
            responseContext?.headers?.add(HttpHeaders.SET_COOKIE, cookieProperty)
        }
    }
}

Requests on the Vue.js side

    doLogin({ commit }, loginData) {
      commit('cleanError');
      commit('loginStart');
      axios({
        url: urlLogin,
        method: 'POST',
        withCredentials: true,
        auth: loginData
      })
        .then(response => {
          const user = response.data;
          commit('loginStop');
          commit('updateUser', user);
          localStorage.setItem('user', JSON.stringify(user));
          router.push('/');
        })
        .catch(error => {
          let message;
          if (error.message.includes('401')) {
            message = 'Erro na busca dos dados.';
          }
          commit('loginStop', message);
        });
    },

    doVerifyUser({ commit }, next) {
      commit('verifyUserStart');
      axios({
        url: urlCheck,
        method: 'GET',
        withCredentials: true
      })
        .then(_ => {
          let user = JSON.parse(localStorage.getItem('user'));
          if (user) {
            commit('verifyUserStop');
            commit('updateUser', user);
            next();
          } else {
            next('/login');
          }
        })
        .catch(_ => {
          commit('verifyUserStop');
          next('/login');
        });
    }

Header of the Response

[Content-Type=application/json,Set-Cookie=QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==";Version=1;Path=/;Max-Age=3600;HttpOnly]

Header of the request

[Accept=application/json, text/plain, */*,Accept-Encoding=gzip, deflate,Accept-Language=pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,Connection=keep-alive,Cookie=QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==",Host=10.0.11.68:8080,Origin=http://localhost:8081,Referer=http://localhost:8081/,User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36]
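
The server cannot see HttpOnly on the way back because a Cookie request header carries only name=value pairs (RFC 6265), while the attributes live in Set-Cookie and are enforced by the browser; "was this cookie created by me" therefore has to be a check on the value itself, for example a keyed tag. The example below is added here and is not part of the question or of Quarkus: it parses the two headers shown above and verifies a constructed HMAC-tagged session value; the key, the session id and the helper names are assumptions.

```python
import hmac
import hashlib

# Headers copied from the question: the response sets attributes, the next request echoes only name=value.
SET_COOKIE_HEADER = 'QKSESSION="1sCF7zOIQXw3wDoRg90oaQ==";Version=1;Path=/;Max-Age=3600;HttpOnly'
COOKIE_HEADER = 'QKSESSION="1sCF7zOIQXw3wDoRg90oaQ=="'


def parse_cookie_header(header):
    """Cookie request header (RFC 6265 section 4.2): only 'name=value' pairs,
    separated by ';'. HttpOnly, Secure, Path and Max-Age never travel back."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs[name] = value.strip().strip('"')
    return pairs

def parse_set_cookie_header(header):
    """Set-Cookie response header: name=value followed by attributes that the
    browser enforces (flags without '=' are stored as True)."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, sep, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value.strip().strip('"'), attrs

def issue_session_value(key, session_id):
    """Server side: bind the session id to a keyed tag so only the key holder
    can mint a value that later verifies. (Constructed scheme, not Quarkus's.)"""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def verify_session_value(key, value):
    """Return the session id if the tag matches under our key, else None.
    This is the check a request filter can run instead of looking for HttpOnly."""
    session_id, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None

def check_request(key, cookie_header, name="QKSESSION"):
    """What the server can actually decide from an incoming Cookie header."""
    value = parse_cookie_header(cookie_header).get(name)
    return verify_session_value(key, value) if value else None
```

The page's own QKSESSION value fails check_request because it carries no tag; a value minted by issue_session_value with the same key passes, one minted with another key or altered in transit does not.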
  • Normal cookies are not stored on the back end but on the front end, so using document.cookie (JavaScript and Vue) will already tell you whether it is stored; now, if it is a session cookie (also a cookie) you will have to test it in a request.

  • Yes Guilherme, cookies are stored on the front end, but when you add httpOnly, JavaScript does not have access to the cookie...

  • Carlos, any future HTTP request will send such a cookie in the request headers; then you check it with another server-side request, no?

  • Yes, as I showed in the question (request header)... this would be a request that returns the cookie... but it does not tell me whether the cookie is httpOnly.

  • But what I'm talking about is for you to print the cookie on the server side and return it as the BODY of an HTTP response.

No answers
