5

I'm preparing some diagnostic tool. It operates on the website in the iframe - only by javascript.

Now what I need is to get rid of session cookie in the website that I have in my iframe. I just need to be logged out after performing some operations.

Unfortunately I cannot just drop the session cookie from javascript because it's mark with httpOnly flag. I did not found any way to open iframe in incognito mode either.

Now the rules for achiving this are following:

  • I can add any file to target website server
  • I can run any javascript on website domain
  • I can force user to use specified browser (it does not have to be cross-browser solution)
  • I can NOT modify website code
  • The solution have to be server and programming language independent

Any ideas for the workaround?

Łukasz W.
  • 9,538
  • 5
  • 38
  • 63
  • So, who create these sessions on the server? – Kerem Aug 09 '12 at 09:13
  • User of my diagnostic app who use the server through the iframe.. – Łukasz W. Aug 09 '12 at 14:00
  • 1
    Client-side script can't delete `httpOnly` cookies, but the browser—and, by extension, browser plugins—can do this just fine. You won't have to change your code that much (Chrome plugins use HTML/JS), the interface can be much nicer (no iframe, integrated with the browser) and you have access to some powerful features. Would you accept a solution along those lines? – Jordan Gray Aug 09 '12 at 14:03
  • It seems to be the best answer I get.. it fits to my requirements.. please put it as answer, not as comment.. I'll verify if it's true that I will have that much possibilities while running scripts from plugin and if you're right then I'll accept your answer.. Thanks – Łukasz W. Aug 10 '12 at 09:32
  • 1
    @ŁukaszW.pl Sorry, your response didn't pop up in my alerts, so I never saw it. :) Anyway, start with Google's [Chrome extension tutorial] and move on to their (http://developer.chrome.com/extensions/getstarted.html) [cookies API sample extension](http://developer.chrome.com/extensions/samples.html#4daa6becd0899a54776d9cf7f09613ed1a9f4d77). Also, here's how to [use jQuery in an extension](http://blog.michael-forster.de/2009/08/using-jquery-to-build-google-chrome.html) in case you need it. Good luck! – Jordan Gray Aug 14 '12 at 10:01
  • 1
    @JordanGray - the good news is that I wrote this extension and it works great, so many thanks to you.. – Łukasz W. Aug 16 '12 at 09:23

7 Answers7

2

You just cant manage httpOnly cookies from javascript.

But I think that you want to analyze the page, but also with js. So why use iframe ?

You can fetch content of page that is to be analyzed from outside of html or javascript:

  • do ajax request to your application proxy
  • use html5 websockets as proxy server. I assume that websocket server is your. Websockets have also cross-domain ability.

You then just need to parse fetched DOM (i saw something builtin for this). And let analyzing to begin.

Zaffy
  • 16,801
  • 8
  • 50
  • 77
  • I need to give user possibility to operate on the page, like going throught it... performing actions on the page in iframe.. not just analyze it's content... – Łukasz W. Aug 09 '12 at 13:51
  • @ŁukaszW.pl you can. Do it as normal proxy (i.e. hidemyass.com). Just copy that content and display it. Is that problem ? – Zaffy Aug 09 '12 at 15:30
  • doesn't normal proxy converts all links on page to target the proxy? Its way to much to handle.. urls in code, urls's in related scripts... big chance to mess something up and it have to be reliable.. – Łukasz W. Aug 09 '12 at 15:37
  • @ŁukaszW.pl yes but you havent to. You dont want to grant anonymous access. Links will be original. you will just need to prefix it with the http url of it. i.e: site: google.com link: logo.png you need to do this: http://google.com/logo.png – Zaffy Aug 10 '12 at 09:58
  • True, it can be simple task.. There are just two issues with that: 1) I cannot access localhost that way, because the requirement for that tool is that the applications are not always hosted in public space... 2) As far as I know the proxy has problems with https sites? – Łukasz W. Aug 11 '12 at 09:29
  • @ŁukaszW.pl if you have just hosting and not for example vps it doesnt matter. you will just use application proxy that. You will request it with ajax i.e. GET proxy.cgi and that program will do the work. 2) Its not true. You can use library such as curl that will do the stuff from following redirecting to ssl really easy. – Zaffy Aug 11 '12 at 10:23
  • 1
    Two answers was really great... yours and Jordan's about writing chrome extension, but since he decided not to put it as answer then I'll accept yours... I will try both ways, test them and choose one of them.. Thanks for help.. – Łukasz W. Aug 11 '12 at 10:28
2

As far as I understand -

Given that - You will have a website with user login/logout implemented in it.

So if you can have some way for your diagnostic app to have the logout url of target website as a config var or some setting (by putting some js or file in the server) then this job can be very simple. Just let your diagnostic app load that logout url when needed.

kewlashu
  • 1,099
  • 10
  • 18
  • thats my plan if i'll give up :( – Łukasz W. Aug 09 '12 at 15:42
  • yes that will be a simple no-nonsense approach ..... just curious for your reasons to have this approach as your last option? – kewlashu Aug 09 '12 at 15:52
  • I want to make it as universal as it can be (sometimes there is no simple logout link, or there are other session info that cannot be dropped like that).. Also I want user to make as little configuration as he can.. – Łukasz W. Aug 09 '12 at 18:31
1

If you simply want to prevent cookies being used in the iframe you could try using the sandbox attribute.

Seems like a very similar question to:

Disable Cookies Inside A Frame/Iframe

Hope I am understanding your question correctly.

Community
  • 1
  • 1
backdesk
  • 1,781
  • 3
  • 22
  • 42
  • Good shot, but sandbox does not seem to separate cookies between host site and iframe... It can prevent other actions, but not this one.. – Łukasz W. Aug 02 '12 at 19:26
1

You have JavaScript so just AJAX request to your server and tell it to unset the session variable.

John
  • 1
  • 13
  • 98
  • 177
  • As I said it will be diagnostic tool and right now I do not know what application will I get in the iframe, so I can not determine what request should I make. More bad news is that I do not really know what platform will it be so I cannot create for example, my own php script dropping session cookies. – Łukasz W. Aug 07 '12 at 18:10
0

Say IFrame references url: example.com/iframe.html.

Have it refer to cookieless.example.com/iframe.html instead and have a serverside reverse proxy rule setup that picks up that request and points it back to example.com/iframe.html.

Depending on how you set cookies serverside (i.e: '.example.com') cookies will only be set on www and root-domain

Geert-Jan
  • 18,623
  • 16
  • 75
  • 137
  • But then I will have problem with same origin policy, because I need to modify iframe content with js. Also I'm not worrying about having same cookies on page and iframe... What I need is to drop session between some js code sequences so I have clean cookies and session before next sequence... – Łukasz W. Aug 04 '12 at 18:37
  • @ŁukaszW.pl I think this is good approach. Just think... when the 'cookie deletor' site'll redirect user, your iframe addr will change and your origin and policy will match. Missed I something ? – Zaffy Aug 09 '12 at 09:18
  • And then you will be back with your cookies from original page. Also I can't add subdomains to application in the iframe.. just upload some files on it's server which I don't know what will it be.. – Łukasz W. Aug 09 '12 at 13:55
0

I think you will need some kind of server side proxy that records the cookie header value, and then resets this header value at a later stage based on a value in the request.

This shouldn't be too hard to write in any language, on IIS / .net framework for instance it would be an implementation of an IHttpModule.

James Westgate
  • 11,306
  • 8
  • 61
  • 68
  • I cannot access the target application, so I cannot put HttpModule into it. Also it should be cross-platform - I can't write proxy for every web server there is.. – Łukasz W. Aug 08 '12 at 15:23
  • What about a proxy that redirects to the website in question? – James Westgate Aug 10 '12 at 10:09
  • Look to my comment in kewlashu answer. I cannot risk diffrences between proxy and normal using of site.. – Łukasz W. Aug 10 '12 at 13:21
  • Well, you will need to run code somewhere. If it is not an external proxy then you will have to write a module for each web server. Note you can add an IHttpModule to any application in IIS without touching the app. – James Westgate Aug 12 '12 at 10:42
-1

The Only way is to Disable Cookies

user806084
  • 51
  • 1
  • 2
  • Did you event look at my post and comments in other answers? Like I said I need the cookies because the page in iframe should work properly until I want to reset them... – Łukasz W. Aug 11 '12 at 09:21