Cookie forwarding

Cookie forwarding

Markku Laine
Hi all,


I am using cookies in my Web application. The other day I noticed that for
some reason Orbeon Forms does not forward my cookies when submitting a
POST request. The only cookie that gets forwarded is the JSESSIONID
cookie but the other ones that I have created by myself are not
getting forwarded at all.

I am not sure whether or not the aforementioned problem is related to
this - already fixed - bug:
http://forge.objectweb.org/tracker/?group_id=168&atid=350207&func=detail&aid=309149

I created a simple Web application (enclosed) to reproduce the problem.
Just download the latest nightly build version of Orbeon Forms and unzip
the package (contains two java classes) to the "src" (source codes)
folder. Then, make the following additions to appropriate places in the
WEB-INF/web.xml file:
  <servlet>
    <display-name>HTML Cookie servlet.</display-name>
    <servlet-name>html_cookie_servlet</servlet-name>
    <servlet-class>servlet.HTMLCookieServlet</servlet-class>
  </servlet>
  <servlet>
    <display-name>XForms Cookie servlet.</display-name>
    <servlet-name>xforms_cookie_servlet</servlet-name>
    <servlet-class>servlet.XFormsCookieServlet</servlet-class>
  </servlet>
  ...
  <servlet-mapping>
    <servlet-name>html_cookie_servlet</servlet-name>
    <url-pattern>/xforms-jsp/html/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>xforms_cookie_servlet</servlet-name>
    <url-pattern>/xforms-jsp/xforms/*</url-pattern>
  </servlet-mapping>


To reproduce the problem, go to:
http://<server>/<context>/xforms-jsp/xforms/index.jsp
For example, http://localhost:8080/orbeon/xforms-jsp/xforms/index.jsp

...and click the "Submit XForms Form (POST)" button. As a result, only
JSESSIONID cookie gets forwarded - nothing else. If you click the "Submit
XForms Form (GET)" button, you will see that another cookie (my own) gets
forwarded along with the JSESSIONID cookie.

I also made a similar test Web page using HTML forms for comparing the
results:
http://<server>/<context>/xforms-jsp/html/index.jsp
For example, http://localhost:8080/orbeon/xforms-jsp/html/index.jsp

Could somebody test this one and possibly confirm my findings?

Kind regards


-Markku

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Attachment: cookie_forwarding.zip (3K)
Re: Cookie forwarding

Alessandro Vernet
Markku,

Markku Laine wrote
I am using cookies in my Web application. The other day I noticed that for
some reason Orbeon Forms does not forward my cookies when submitting a
POST request. The only cookie that gets forwarded is the JSESSIONID
cookie but the other ones that I have created by myself are not
getting forwarded at all.

I am not sure whether or not the aforementioned problem is related to
this - already fixed - bug:
http://forge.objectweb.org/tracker/?group_id=168&atid=350207&func=detail&aid=309149
That bug is closed, and indeed we forward only JSESSIONID (and JSESSIONIDSSO for JBoss). The rationale is that forwarding all the cookies by default isn't good for security. Could you tell us more about your case, and in particular why you would need other cookies to be forwarded?

Alex
Re: Re: Cookie forwarding

Markku Laine
Hi Alex,


> That bug is closed, and indeed we forward only JSESSIONID (and JSESSIONIDSSO
> for JBoss). The rationale is that forwarding all the cookies by default
> isn't good for security. Could you tell us more about your case, and in
> particular why you would need other cookies to be forwarded?

I am trying to supply the information about whether cookies are enabled
or disabled by the browser to the UI (XForms) and after that, of course,
to the user. The information is helpful, for example, if a website
requires cookies to be enabled and advises the user to enable cookies
before (s)he can continue.

At the moment, I am trying to check whether or not cookies are enabled by
the browser by doing the following:
  * When the user requests a Web page (XForms+XHTML) a dummy cookie will
be added to the response
  * When the user receives the response, the Web page will submit a post
request (containing all cookies if any)
  * At the server-side, I will then check whether or not the submitted post
request contains cookies and send a response to the user which says
whether or not cookies are enabled by the browser


I know that the information can be checked by using JavaScript but I would
prefer to use a declarative approach.

Even though I have disabled cookies in the browser and the response
didn't contain any cookies, I still receive the JSESSIONID cookie along
with the submitted post request. Maybe Orbeon Forms adds a new JSESSIONID
cookie when the request is getting forwarded? Anyway, for this reason, I
cannot test the browser's support for cookies because I always receive the
JSESSIONID cookie along with the submitted post request. That's why I
tried to test browser's support for cookies by using my own dummy cookie
but unfortunately it will not be forwarded at all.

Hope this description helps you to understand what I am after.

I would be extremely interested in hearing how to solve this issue. In
addition, I am not a security expert so it would be also nice to hear (or
get a link to an article) why it is not wise to forward cookies along with
a post request. I guess that in a traditional web application, cookies
will be forwarded anyway, right?

Kind regards


-Markku


Re: Re: Cookie forwarding

Alessandro Vernet
Hi Markku,

Markku Laine wrote
At the moment, I am trying to check whether or not cookies are enabled by
the browser by doing the following:
  * When the user requests a Web page (XForms+XHTML) a dummy cookie will
be added to the response
  * When the user receives the response, the Web page will submit a post
request (containing all cookies if any)
How is this POST done? Is this an Ajax request, or are you loading another page with a <xforms:submission replace="all">? If it is the latter, then on the target page, in xforms-model-construct-done you can use the function xxforms:request-get-header('Cookie') which will give you access to all the cookies.

Markku Laine wrote
Even though I have disabled cookies in the browser and the response
didn't contain any cookies, I still receive the JSESSIONID cookie along
with the submitted post request.
The question is: is that JSESSIONID the same as the one you got in the first request? I guess not. If this is the case, you can use this as a way to detect if the client supports cookies:

1) In the initial request, in XForms, store something in the session when the page loads with xxforms:set-session-attribute().
2) Run some JavaScript <xxforms:script> on page load which dispatches an event, which uses xxforms:get-session-attribute() to check if the attribute set in 1 is present. If it is, then cookies are enabled, otherwise, they are not.

Markku Laine wrote
I would be extremely interested in hearing how to solve this issue. In
addition, I am not a security expert so it would be also nice to hear (or
get a link to an article) why it is not wise to forward cookies along with
a post request. I guess that in a traditional web application, cookies
will be forwarded anyway, right?
I'd have to check the code to see exactly what we are doing, but the idea is that the services you use from XForms might be external services provided by 3rd party companies, to which you want to send a minimal amount of information about the client who made the initial request. Let's say you use Google Analytics on your site. Google Analytics will set a cookie so it can track users across sessions. If you pass this information along, a 3rd party site will be able to determine how many unique visitors you have, and correlate requests with visitors across sessions. Not the end of the world, but the idea is that you don't want to pass along to services information which is most likely not going to be useful and which tells the service more about your users, and hence could compromise security or privacy.

Alex
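The forwarding policy Alex describes above (only the container's session cookies leave the server, analytics and application cookies do not), written out as an allow-list filter over an incoming Cookie header. This is an added example, not Orbeon Forms' own code; the header value and cookie names other than JSESSIONID/JSESSIONIDSSO are constructed.

```python
from http.cookies import SimpleCookie

# Names a server-side submission may carry over to a back-end service;
# everything else (analytics, application cookies) stays with the browser.
FORWARDED_COOKIE_NAMES = frozenset({"JSESSIONID", "JSESSIONIDSSO"})


def filter_cookie_header(cookie_header, allowed=FORWARDED_COOKIE_NAMES):
    """Rebuild a Cookie header keeping only allow-listed cookie names.

    Returns None when nothing survives, so the caller can omit the header
    entirely instead of sending an empty one to the service."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    kept = [f"{name}={morsel.value}" for name, morsel in jar.items() if name in allowed]
    return "; ".join(kept) if kept else None


# Constructed incoming request header: a third-party analytics cookie (the
# Google Analytics case from the thread), the container session cookie and
# an application cookie of the kind Markku set himself.
INCOMING_COOKIE_HEADER = "_ga=GA1.2.111.222; JSESSIONID=ABC123; cookies_probe=1"

if __name__ == "__main__":
    print(filter_cookie_header(INCOMING_COOKIE_HEADER))
```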
Re: Re: Re: Cookie forwarding

Markku Laine
Hi Alex,


>> At the moment, I am trying to check whether or not cookies are enabled by
>> the browser by doing the following:
>>   * When the user requests a Web page (XForms+XHTML) a dummy cookie will
>> be added to the response
>>   * When the user receives the response, the Web page will submit a post
>> request (containing all cookies if any)
>>
>
> How is this POST done? Is this an Ajax request, or are you loading another
> page with a <xforms:submission replace="all">? If it is the latter, then on
> the target page, in xforms-model-construct-done you can use the function
> xxforms:request-get-header('Cookie') which will give you access to all the
> cookies.
In the code (ZIP package containing XFormsCookieServlet.java), which was
attached to my first email, I used the following for making the POST
submission:
<xforms:submission id="xforms-form-post-submission" action="<request URL>"
method="post" />

I tried the code you suggested (xxforms:get-request-header('Cookie')) but
it wasn't supported in the version we are using at the moment. Even if it
had been supported I would still like to use standard XForms syntax,
i.e. without Orbeon Forms extensions. I might give it another try with the
latest nightly build version later.


>> Even though I have disabled cookies in the browser and the response
>> didn't contain any cookies, I still receive the JSESSIONID cookie along
>> with the submitted post request.
>>
>
> The question is: is that JSESSIONID the same as the one you got in the first
> request? I guess not. If this is the case, you can use this as a way to
> detect if the client supports cookies:
>
> 1) In the initial request, in XForms, store something in the session when
> the page loads with xxforms:set-session-attribute().
> 2) Run some JavaScript <xxforms:script> on page loads with dispatches an
> event, which uses xxforms:get-session-attribute() to check if the attribute
> set in 1 is present. If it is, then cookies are enabled, otherwise, they are
> not.
Okay, I figured out what the reason was for receiving the JSESSIONID
cookie along with the submitted POST request even though cookies were
disabled by the browser.

First, if I have authored the POST submission as follows then the
submission will _NOT_ be sent at all:
<xforms:submission id="xforms-form-post-submission" replace="all"
action="<request URL>" method="post" />
<xforms:send submission="xforms-form-post-submission"
ev:event="xforms-ready" />

Second, if I have authored the POST submission as follows then the
submission will be sent as expected:
<xforms:submission id="xforms-form-post-submission"
replace="instance" instance="dummy-instance" action="<request URL>"
method="post" />
<xforms:send submission="xforms-form-post-submission"
ev:event="xforms-ready" />


In the latter submission, a (mysteriously added) JSESSIONID cookie is
sent along with the submitted POST request even though cookies are
disabled by the browser. However, if I will trigger the same submission
manually using a button instead of using the xforms-ready event then no
cookies will be forwarded/sent along with the request - as expected.

So, because Orbeon Forms does not forward my own cookies I cannot test
browser support for cookies in that way. And checking whether or not
cookies are forwarded at all does not work because Orbeon Forms always sends
a mysterious JSESSIONID cookie along with the submitted POST
request if it has been triggered using the xforms-ready event.

I see a couple of ways to make my code work.
1) Orbeon Forms should not add that mysterious JSESSIONID cookie when
making the POST submission using the xforms-ready event (preferable).
2) Orbeon Forms should forward all cookies when making the POST
submission (possible security issues).
3) Instead of making the POST submission I can make a GET submission
(<xforms:submission replace="instance" instance="dummy-instance"
action="<request URL>" method="GET" />), which will forward all cookies,
including my own.


I can create a new, reproducible sample web application for you by
tomorrow if needed.

Kind regards


-Markku


Re: Re: Re: Cookie forwarding

Alessandro Vernet
Markku,

Markku Laine wrote
I tried the code you suggested (xxforms:get-request-header('Cookie')) but
it wasn't supported in the version we are using at the moment. Even if it
had been supported I would still like to use standard XForms syntax,
i.e. without Orbeon Forms extensions. I might give it another try with the
latest nightly build version later.
Yes, this was added recently, so you'll need a nightly build for this.

Markku Laine wrote
First, if I have authored the POST submission as follows then the
submission will _NOT_ be sent at all:
<xforms:submission id="xforms-form-post-submission" replace="all"
action="<request URL>" method="post" />
<xforms:send submission="xforms-form-post-submission"
ev:event="xforms-ready" />
Doing a submission replace="all" in xforms-ready or xforms-model-construct isn't supported yet, but you could use an <xforms:load> instead. Again, you'll need to use a nightly build for this.

Markku Laine wrote
So, because Orbeon Forms does not forward my own cookies I cannot test
browser support for cookies in that way. And checking whether or not
cookies are forwarded at all does not work because Orbeon Forms always sends
a mysterious JSESSIONID cookie along with the submitted POST
request if it has been triggered using the xforms-ready event.
Looks like my previous message wasn't clear enough: the point of the method I was suggesting is not to check whether the JSESSIONID is there or not, but to check if something you stored in the session is there or not. If cookies are not supported, if on a subsequent request you try to read from the session, a new session will be created and you won't be able to find what you just stored in a previous request. Does this make sense?

Alex
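Alex's session-attribute method (store something in the session on the first request, then check on the next request whether it is still reachable) demonstrated end to end, as an added example rather than code from the thread or from Orbeon Forms. It stands in a minimal Python HTTP server with an in-memory session store (constructed here; a servlet container does the equivalent with HttpSession) for the XForms side, and simulates two browsers, one that returns the JSESSIONID cookie and one that withholds it, as the cookies-disabled case does.

```python
import http.client
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed in-memory session store: session id -> attributes

class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["JSESSIONID"].value if "JSESSIONID" in cookies else None
        if sid not in SESSIONS:
            # No valid session cookie came back, so a fresh session is created,
            # which is what a servlet container does when cookies are disabled.
            sid = secrets.token_hex(8)
            SESSIONS[sid] = {}
        session = SESSIONS[sid]
        if self.path == "/start":
            session["probe"] = True  # step 1: store something in the session
            body = b"probe stored"
        else:  # /check, step 2: is the stored attribute still reachable?
            body = b"cookies enabled" if session.get("probe") else b"cookies disabled"
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def probe(port, browser_sends_cookies):
    """Simulate one browser: load /start, then /check with or without the cookie."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", "/start")
    resp = conn.getresponse()
    resp.read()
    sid = SimpleCookie(resp.getheader("Set-Cookie"))["JSESSIONID"].value
    headers = {"Cookie": f"JSESSIONID={sid}"} if browser_sends_cookies else {}
    conn.request("GET", "/check", headers=headers)
    body = conn.getresponse().read().decode()
    conn.close()
    return body

def run_demo():  # returns (verdict with cookie returned, verdict with it withheld)
    server = HTTPServer(("127.0.0.1", 0), ProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_port, True), probe(server.server_port, False)
    finally:
        server.shutdown()
```

Note that the verdict never depends on whether a JSESSIONID arrives, which is exactly why it is immune to the extra session cookie Markku saw on xforms-ready submissions.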