Postman is not using cookie

I've been using Postman in my app development for some time and never had any issues. I typically use it with Google Chrome while I debug my ASP.NET API code.

About a month or so ago, I started having problems where Postman doesn't seem to send the cookie my site issued.

Through Fiddler, I inspect the call I'm making to my API and see that Postman is NOT sending the cookie issued by my API app. It's sending other cookies but not the one it is supposed to send -- see below:

[screenshot omitted]

Under "Cookies", I do see the cookie I issue i.e. .AspNetCore.mysite_cookie -- see below:

[screenshot omitted]

Any idea why this might be happening?

P.S. I think this issue started after I made some changes to my code to name my cookie. My API app uses social authentication and I decided to name both cookies i.e. the one I receive from Facebook/Google/LinkedIn once the user is authenticated and the one I issue to authenticated users. I call the cookie I get from social sites social_auth_cookie and the one I issue is named mysite_cookie. I think this has something to do with this issue I'm having.

Sam asked Sep 01 '17



1 Answer

The cookie in question cannot legally be sent over an HTTP connection because its secure attribute is set.

For some reason, mysite_cookie has its secure attribute set differently from social_auth_cookie, either because you are setting it in code...

// System.Web (classic ASP.NET) API; the ASP.NET Core equivalent is CookieOptions.Secure
var cookie = new HttpCookie("mysite_cookie", cookieValue);
cookie.Secure = true;

...or because the service is configured to automatically set it, e.g. with something like this in web.config:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

The flag could also potentially be set by a network device (e.g. an SSL offloading appliance) in a production environment. But that's not very likely in your dev environment.

I suggest you try the same code base but over an https connection. If you are working on code that affects authentication mechanisms, you really really ought to set up your development environment with SSL anyway, or else you are going to miss a lot of bugs, and you won't be able to perform any meaningful pen testing or app scanning for potential threats.

John Wu answered Oct 14 '22