Drop the session from the client side

I am building a diagnostic tool. It works on a website loaded in an iframe, using only JavaScript.

Now I need to get rid of the session cookie on the website I have in my iframe. I just need to log out after doing some operations.

Unfortunately, I cannot just remove the session cookie from JavaScript because it has the httpOnly flag. I also did not find a way to open the iframe in incognito mode.

The rules for achieving this are as follows:

  • I can add any file to the target site's server
  • I can run any JavaScript in the site's domain
  • I can force the user to use a specific browser (it does not have to be a cross-browser solution)
  • I can't change the site code
  • The solution must be independent of the server and programming language

Any ideas for a workaround?

+5
7 answers

You simply cannot control an httpOnly cookie from JavaScript.

But I think you want to analyze the page, and with JS too. So why use an iframe?

You can get the content of the page that needs to be parsed without loading its HTML or JavaScript:

  • execute an AJAX request to an application proxy
  • use HTML5 WebSockets as the proxy. I assume the WebSocket server is yours. WebSockets also have cross-domain capabilities.

You just need to parse the extracted DOM (I saw something built in for this). And let the analysis begin.

+2

As far as I understand -

- logout url config var - ( js ) - URL -

+2

cookie iframe, sandbox.

cookie /iframe

+1

JavaScript, AJAX.

+1

Iframe URL: example.com/iframe.html.

cookieless.example.com/iframe.html - example.com/iframe.html.

cookie (".example.com"), cookie www

0
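Added example (editorial, not one of the answers above): the question hinges on the fact that document.cookie cannot touch an HttpOnly cookie, and the previous answer hinges on cookie scope (a host-only cookie set by www.example.com is not sent to cookieless.example.com, but a cookie with Domain=.example.com is). The script below applies the domain-match and path-match rules of RFC 6265 to a parsed Set-Cookie header to decide whether a browser would attach that cookie to a request for a given URL, and whether script could delete it. Host names, cookie names and URLs are constructed for illustration.

```javascript
// Added example, not code from the original thread. Decides whether a stored
// cookie would be attached to a request, following RFC 6265 (simplified:
// no expiry handling, no public-suffix check).

// Default-path (RFC 6265 section 5.1.4): the directory of the request path.
function defaultPath(urlPath) {
  if (!urlPath || urlPath[0] !== "/") return "/";
  const lastSlash = urlPath.lastIndexOf("/");
  return lastSlash <= 0 ? "/" : urlPath.slice(0, lastSlash);
}

// Domain-match (RFC 6265 section 5.1.3): host equals the domain, or is a
// subdomain of it; an IP-address host never domain-matches a suffix.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIpv4 = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  return !isIpv4 && host.endsWith("." + domain);
}

// Path-match (RFC 6265 section 5.1.4).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie header received in a response from `setUrl` into the
// record a browser would store (RFC 6265 section 5.3, simplified).
function storeCookie(setCookieHeader, setUrl) {
  const u = new URL(setUrl);
  const [nameValue, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    domain: u.hostname.toLowerCase(), // host-only unless a Domain attribute widens it
    hostOnly: true,
    path: defaultPath(u.pathname),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();
        // A server may only widen the cookie to a domain that covers itself.
        if (d && domainMatches(u.hostname, d)) {
          cookie.domain = d;
          cookie.hostOnly = false;
        }
        break;
      }
      case "path":
        if (v.startsWith("/")) cookie.path = v;
        break;
      case "secure":
        cookie.secure = true;
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for `requestUrl`?
// (RFC 6265 section 5.4.)
function isSentTo(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const hostOk = cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
  if (!hostOk) return false;
  if (!pathMatches(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return true;
}

// document.cookie can neither read nor overwrite an HttpOnly cookie, so a
// client-side "logout" by expiring the cookie only works when the flag is absent.
function canScriptDelete(cookie) {
  return !cookie.httpOnly;
}

// Constructed example: a host-only HttpOnly session cookie set by www.example.com.
const session = storeCookie("SESSID=abc123; Path=/; HttpOnly", "https://www.example.com/login");
console.log(canScriptDelete(session)); // false
console.log(isSentTo(session, "https://cookieless.example.com/iframe.html")); // false
```

The practical reading for the thread: loading the iframe from a sibling host only strips the session if the cookie is host-only; a cookie issued with Domain=.example.com still reaches cookieless.example.com, and in neither case can script expire it.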

- cookie -

IIS/.net, IHttpModule.

0

cookie

-1
