PDA

View Full Version : How to control which cookies are used.


nerbert
07-26-2013, 10:21 PM
I'm working on a project that requires a separate login with a password different from the usual forum one. Since the browser automatically fills in the password input on any login form with the usual one, I want to read a cookie and fill the special password in with JavaScript. The trouble is that the password cookie is among the request cookies when the form is submitted, as well as in other pages in my project. I've looked at regular forum pages and they don't show the cookie there (showthread for instance).

So how do you control which cookies are listed in the request for various pages? The cookie for the special password is used only on the browser to fill in the password input and is not read by the server scripting.

tbworld
07-27-2013, 12:08 AM
The trouble is that "cookie" is among the request cookies when the form is submitted, as well as other pages in my project.

I lost you here. In referring to "cookie" in this sentence, what cookie are you referring to. The rest of it, I think I get what you are up to. Is this new cookie being set, being written from vBulletin or outside of vB. Anyway, trying to help..

nerbert
07-27-2013, 12:36 AM
I edited the post for clarity.

But to restate, I checked in the Chrome developer tool and I could see the password cookie listed under request cookies, so it would be available on an unsecure connection and someone could hijack with it. The cookie is set with JavaScript and read only by JavaScript, so why does the server know anything about it?

tbworld
07-27-2013, 01:00 AM
@nerbert.

1.) Is this new cookie being created under vbulletin or outside of vbulletin.
2.) Are you altering the vbulletin JavaScript to fill in this new/modified cookie.
3.) Is this being done for a dual package login?

I am asking this.. because I have just about done everything with the vbulletin password/authentication code. We use LDAP, and I modified vbulletin to handle LDAP and other external protocols we use for authentication. I am going to dinner, but then I will try to refresh my memory about all this.

Maybe a bit of psuedo code on your part, will help me grasp what you are looking for. For some stupid reason (me being the stupid one), I am missing what your looking for. I see all the vbulletin cookies on showthread.

nerbert
07-27-2013, 01:57 AM
The project I'm working on is a file manager inside the admin CP. You have to have permission to use it and it requires a special password. Here's the script I have in the login form to set the password cookie when you type it in the first time.



<script>
var password = fetch_object('fm_login_password');
window.onload = function(){setTimeout("if(PassWord = fetch_cookie('fmpassword')) {password.value = PassWord; password.focus();}", 100)}
password.form.onsubmit = function() {
var d=new Date();
d.setMonth(d.getMonth()+2);
set_cookie('fmpassword', password.value, d);
}
</script>


So the browser sets the cookie and reads the cookie and the server should never even have the value. But as I said, different pages have different sets of request cookies. This one shows up in all my file manager requests but not in regular forum pages, cookies that show in forum pages do not show in file manager pages.

If the cookie were set using PHP you could set the path but there's no way to do that when you use JS, so I would think it would show for all the regular pages and the admin cp and file manager. Since it shows only in file manager pages and requests there must be some other way vBulletin decides which cookies to send.

kh99
07-27-2013, 10:37 AM
I found this page which shows how to set the cookie domain and path from javascript: http://www.thesitewizard.com/javascripts/cookies.shtml. You might be able to limit when the cookies are sent, but I'm guessing that if you set the domain and path to something other than where the page was loaded from, it would either be an error or you won't be able to access them next time.

The automatic password fill-in feature must work based on url and password field name, maybe you can somehow change the name of the password text field when you're requesting your fm password.

nerbert
07-27-2013, 11:11 AM
I thought it should be possible to set path and domain with JS but what I read at w3schools suggested you can set only name, value and expires, and the vB function does only that much.

I'll give this a try with the path set to a non-existent page so the server never reads it. I would assume JS can get any cookie it has stored regardless what page it's on.

Thanks

kh99
07-27-2013, 11:14 AM
... I would assume JS can get any cookie it has stored regardless what page it's on.


Maybe, but it kind of seems like that would be a security risk, since you could easily write JS for your page that reads all cookies and sends them to your server.

nerbert
07-27-2013, 01:11 PM
Maybe, but it kind of seems like that would be a security risk, since you could easily write JS for your page that reads all cookies and sends them to your server.
Yes that seems to be the case. I looked at vBulletin's set_cookie() function and it does set the path to the default "/", so I wrote my own version that sets the path to "/nowhere.php". It successfully sets the cookie but my JS won't read it, and that doesn't seem to have anything to do with vBulletin's fetch_cookie() function, it seems to be built into the browser.

I don't really know what a request cookie is all about, I suppose you could compare the values sent with the values stored for some sort of security check. Somewhere vB specifies a cookie header (or fails to prevent a default one being sent). I have no idea how to change that.

Zachery
07-27-2013, 07:20 PM
Cookies are limited for security reasons (by browsers, not vBulletin). The cookie path is supposed to be a folder, like /forum/ etc. Cookies can only be set for the explicit domain (www.domain.com (http://www.domain.com), abc123.domain.com), or for a domain and all subdomains (*.domain.com) they don't work cross domains, for example if you had a cookie on www1.domain.com and then tried to use it on www2.domain.com without configuring a full cookie domain setting, then it wouldn't work.

You also can't share cookies across domain1.com and domain2.com

nerbert
07-27-2013, 08:56 PM
Is there some way to eliminate the cookie header? I don't see the point of sending cookie values to the browser and that's the only place my password cookie shows, as the password value is blanked out when the form is submitted. I'm using YAHOO ajax for all my operations

Zachery
07-27-2013, 09:37 PM
I don't get what you're asking for...

nerbert
07-27-2013, 10:20 PM
Here's what I see in my dev tool for headers when I send an ajax request

Request URL:http://xxxxxxxxxx.net/filemanager/filemanager.php
Request Method:POST
Status Code:200 OK

Request Headers
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:175
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:bb_lastvisit=1373594455; bb_lastactivity=0; bb_userid=1; bb_password=6c70309c0fasihfoaishu7aedbbdfa34cf7; bb_fe8adc6d804a36; bb_cpsession=90088ef658flaasjhaeiswhfiuhtihae61571 6573ec05172c4fc8; bb_fmsession=e14eaa1506aiueihjfoaijuwhrfiaa6597ecd 9d4cd
Host:xxxxxxxxxxx.net
Origin:http://xxxxxxxxxxxxx.net
Referer:http://xxxxxxxxxxxxx.net/filemanager/filemanager.php
User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
X-Requested-With:XMLHttpRequest

Form Data
securitytoken:1374966662-571d23q5rtyqo3uiht70d396a2423a97095dc88b
adminhash:7981e222c687a5780tqfju3hp095rt8c1a39795f 21
do:findfiles
dir:/home/aaaaaaaaaaaaaa/forum/admincp


Response Headers
Cache-Control:private, post-check=0, pre-check=0, max-age=0
Connection:Close
Content-Type:text/xml; charset=windows-1252
Date:Sat, 27 Jul 2013 23:11:25 GMT
Expires:0
Pragma:no-cache
Server:Apache/stuff stuff stuff
Transfer-Encoding:chunked
X-Powered-By:PHP/5.3.18

Same kind of thing when you go to a page. All the cookies are listed in the request header

kh99
07-27-2013, 11:43 PM
Well, stating the obvious, that is how cookies are supposed to work - they get sent when the domain and path of the request match. There is a "secure" attribute that is supposed to send the cookies only if you're on a secure server, so maybe if you set that it will work like you want (unless it also disallows JS access because the page wasn't loaded via a secure server).

nerbert
07-28-2013, 12:09 AM
Tried setting secure=true and it created a cookie but the JS can't read it.

There ought to be some way for a script to make a browser store something that is read only by JS and never by the server scripting, but I know only of cookies and passwords and they are interceptable.

Zachery
07-28-2013, 12:50 AM
why can't the server read it?

nerbert
07-28-2013, 01:10 AM
The server doesn't need it (but I suppose all cookies are read anyway). I want this stored on the browser and used only on the browser so it can't be intercepted.

I'll be the first to say I don't know much about all this but I would sure like to avoid having information that others can intercept.

Zachery
07-28-2013, 04:22 AM
I guess I just don't get it, its going to be sent to the server anyway.

You could try local storage available in modern browsers.

nerbert
07-28-2013, 05:32 AM
Seems to do it


var password = fetch_object('fm_login_password');
if(typeof localStorage == 'object'){
window.onload = function(){
setTimeout("if(PassWord = localStorage.getItem('fmpassword')) {password.value = PassWord; password.focus();}", 100)
}
password.form.onsubmit = function() {
localStorage.setItem('fmpassword', password.value);
}
} else {
password.value = '';
}

Thanks