Question

I'm preparing a diagnostic tool. It operates on the website in an iframe, only by JavaScript.

Now what I need is to get rid of the session cookie in the website that I have in my iframe. I just need to be logged out after performing some operations.

Unfortunately I cannot just drop the session cookie from JavaScript because it's marked with the httpOnly flag. I did not find any way to open the iframe in incognito mode either.

Now the rules for achieving this are the following:

  • I can add any file to the target website server
  • I can run any JavaScript on the website domain
  • I can force the user to use a specified browser (it does not have to be a cross-browser solution)
  • I can NOT modify the website code
  • The solution has to be server and programming language independent

Any ideas for the workaround?


Solution

You just can't manage httpOnly cookies from JavaScript.

But I think that you want to analyze the page, but also with JS. So why use an iframe?

You can fetch the content of the page that is to be analyzed from outside of HTML or JavaScript:

  • do an AJAX request to your application proxy
  • use HTML5 WebSockets as a proxy server. I assume that the WebSocket server is yours. WebSockets also have cross-domain ability.

You then just need to parse the fetched DOM (I saw something built in for this). And let the analyzing begin.

OTHER TIPS

As far as I understand:

Given that, you will have a website with user login/logout implemented in it.

So if you can have some way for your diagnostic app to have the logout URL of the target website as a config var or some setting (by putting some JS or a file on the server), then this job can be very simple. Just let your diagnostic app load that logout URL when needed.
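Worked example of the logout-URL approach above, added here and not part of any answer. It assumes the diagnostic tool's script runs on the framed site's own origin, that the site has a logout URL reached with a plain GET (LOGOUT_PATH is a placeholder setting), and that a protected page redirects or returns 401/403 to anonymous visitors.

```javascript
// Placeholder: the framed site's real logout URL is a setting of the diagnostic tool.
const LOGOUT_PATH = "/logout";

// Resolve a path against the framed site's origin and refuse anything that
// would leave that origin, so the tool never sends the session cookie elsewhere.
function sameOriginUrl(path, origin) {
  const url = new URL(path, origin);
  if (url.origin !== origin) {
    throw new Error("URL must stay on " + origin + ", got " + url.href);
  }
  return url;
}

// Decide from a probe response whether the session is gone. Assumes the
// protected page answers anonymous visitors with a redirect to login (a 3xx,
// which a redirect: "manual" fetch surfaces as an "opaqueredirect" response)
// or with 401/403.
function sessionCleared(res) {
  return res.type === "opaqueredirect" || res.status === 401 || res.status === 403;
}

// Script cannot delete an HttpOnly cookie, but the server can: loading the
// site's own logout URL with the browser's cookie jar attached lets the server
// expire it (Set-Cookie with Max-Age=0 / past Expires). Then reload the frame
// and confirm against a protected page.
async function logoutFramedSite(frame, protectedPath, logoutPath = LOGOUT_PATH) {
  const origin = window.location.origin; // tool runs on the framed site's origin
  const logoutUrl = sameOriginUrl(logoutPath, origin);
  await fetch(logoutUrl, { credentials: "include", redirect: "manual" });
  frame.contentWindow.location.reload();
  const probe = await fetch(sameOriginUrl(protectedPath, origin), {
    credentials: "include",
    redirect: "manual",
  });
  return sessionCleared(probe);
}
```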

If you simply want to prevent cookies from being used in the iframe, you could try using the sandbox attribute.

Seems like a very similar question to:

Disable Cookies Inside A Frame/Iframe

Hope I am understanding your question correctly.

You have JavaScript, so just make an AJAX request to your server and tell it to unset the session variable.

Say the IFrame references the URL: example.com/iframe.html.

Have it refer to cookieless.example.com/iframe.html instead and have a server-side reverse proxy rule set up that picks up that request and points it back to example.com/iframe.html.

Depending on how you set cookies server-side (i.e. '.example.com'), cookies will only be set on www and the root domain.

I think you will need some kind of server-side proxy that records the cookie header value, and then resets this header value at a later stage based on a value in the request.

This shouldn't be too hard to write in any language; on IIS / .NET Framework for instance it would be an implementation of an IHttpModule.

The only way is to disable cookies.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow