The client sets this only for encrypted connections and this is defined in [RFC 6265][1]:  

&gt; The Secure attribute limits the scope of the cookie to &quot;secure&quot; channels (where &quot;secure&quot; is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS) [RFC2818]).
&gt; 
&gt; Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie&#39;s confidentiality. An active network attacker can overwrite Secure cookies from an insecure channel, disrupting their integrity (see Section 8.6 for more details).


  [1]: https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.5

Just another word on the subject:

Omitting `secure` because your website `example.com` is fully https is not enough.

If your user is explicitly reaching `http://example.com`, they will be redirected to `https://example.com` but that&#39;s too late already; the first request contained the cookie.

I&#39;m looking for something like the c++ function `.clear()`  for the primitive type `map`.

Or should I just create a new map instead?

Update: Thank you for your answers. By looking at the answers I just realized that sometimes creating a new map may lead to some inconsistency that we don&#39;t want. Consider the following example:

    var a map[string]string
    var b map[string]string

    func main() {
    	a = make(map[string]string)
    	b=a
    	a[&quot;hello&quot;]=&quot;world&quot;
    	a = nil
    	fmt.Println(b[&quot;hello&quot;])
    }

I mean, this is still different from the `.clear()` function in c++, which will clear the content in the object.

How to clear a map in Go?

I have implemented fancybox2 on a dev site.

When I engage the fancybox  (click the link etc) the whole html shifts behind it - and goes to the top. I have it working fine in another demo, but when I drag the same code to this project it jumps to the top. Not only with the links to inline divs, but also for simple image gallery.

Has anyone experienced this?


fancybox2 / fancybox causes page to to jump to the top

I know that a cookie with `secure` flag won&#39;t be sent via an unencrypted connection. I wonder how this works in-depth.

Who is responsible for determining whether the cookie will be sent or not?

How does cookie &quot;Secure&quot; flag work?

<p>I know that a cookie with <code>secure</code> flag won't be sent via an unencrypted connection. I wonder how this works in-depth.</p>
<p>Who is responsible for determining whether the cookie will be sent or not?</p>


How do I test a RESTful PUT (or DELETE) method using cURL?

How to do a PUT request with cURL?

I&#39;m upgrading our REST API endpoints and I want to notify clients when they are calling the to-be-deprecated endpoint.  
What header should I use in the response with a message along the lines of &quot;This API version is being deprecated, please consult the latest documentation to update your endpoints&quot;

Convention for HTTP response header to notify clients of deprecated API

I have a REST service that is exposed to iPhone and Android clients. Currently I follow the HTTP codes 200, 400, 401, 403, 404, 409, 500 etc.

My question is where is the recommended place to put the reason/description/cause of the error? Does it make more sense for the REST API to always have custom Reason in the header like so?

    &lt; HTTP/1.1 400 Bad Request - Missing Required Parameters.
    &lt; Date: Thu, 20 Dec 2012 01:09:06 GMT
    &lt; Server: Apache/2.2.22 (Ubuntu)
    &lt; Connection: close
    &lt; Transfer-Encoding: chunked

Or is it better to have it in the Response Body via JSON? 

    &lt; HTTP/1.1 400 Bad Request
    &lt; Date: Thu, 20 Dec 2012 01:09:06 GMT
    &lt; Server: Apache/2.2.22 (Ubuntu)
    &lt; Connection: close
    &lt; Transfer-Encoding: chunked
    &lt; Content-Type: application/json
    { &quot;error&quot; : &quot;Missing Required Parameters&quot; }



Rest error message in HTTP Header or Response Body?

I am trying to get Apache HttpClient to fire an HTTP request, and then display the HTTP response code (200, 404, 500, etc.) as well as the HTTP response body (text string). It is important to note that I am using `v4.2.2` because most HttpClient examples out there are from `v.3.x.x` and the API changed greatly from version 3 to version 4.

Unfortunately I&#39;ve only been able to get HttpClient returning the status code **or** the response body (but not both).

Here&#39;s what I have:

    // Getting the status code.
    HttpClient client = new DefaultHttpClient();
    HttpGet httpGet = new HttpGet(&quot;http://whatever.blah.com&quot;);
    HttpResponse resp = client.execute(httpGet);

    int statusCode = resp.getStatusLine().getStatusCode();


    // Getting the response body.
    HttpClient client = new DefaultHttpClient();
    HttpGet httpGet = new HttpGet(&quot;http://whatever.blah.com&quot;);
    ResponseHandler&lt;String&gt; handler = new BasicResponseHandler();

    String body = client.execute(httpGet, handler);

So I ask: **Using the `v4.2.2` library, how can I obtain both status code and response body from the same `client.execute(...)` call?** Thanks in advance!

How to get HttpClient returning status code and response body?

I&#39;m trying to create multithreaded web server in python, but it only responds to one request at a time and I can&#39;t figure out why. Can you help me, please?

    #!/usr/bin/env python2
    # -*- coding: utf-8 -*-
    
    from SocketServer import ThreadingMixIn
    from  BaseHTTPServer import HTTPServer
    from SimpleHTTPServer import SimpleHTTPRequestHandler
    from time import sleep
    
    class ThreadingServer(ThreadingMixIn, HTTPServer):
    	pass
    
    class RequestHandler(SimpleHTTPRequestHandler):
    	def do_GET(self):
    		self.send_response(200)
    		self.send_header(&#39;Content-type&#39;, &#39;text/plain&#39;)
    		sleep(5)
    		response = &#39;Slept for 5 seconds..&#39;
    		self.send_header(&#39;Content-length&#39;, len(response))
    		self.end_headers()
    		self.wfile.write(response)
    
    ThreadingServer((&#39;&#39;, 8000), RequestHandler).serve_forever()

Multithreaded web server in python

I have read this question here: 
https://stackoverflow.com/questions/8794981/how-do-internet-advertisers-use-third-party-cookies
on how third-party tracking cookies work, but am still very confused.
I don&#39;t understand how if I visit Website A (a normal website with ads) how Website B (an advertising website) can assign my computer an ID, and then figure out that I was on website A, and other websites after it that have its ads.

How do Third-Party &quot;tracking cookies&quot; work?

I want to display the product browsing history, so I am storing the product ids in a browser cookie.

Because the list of history is limited to 5 items, I convert the cookie value to an array, then check the length of it and cut the redundant. 

The code below is what I have tried, but it does not work; the array item isn&#39;t removed.

I would like to ask how to limit the array length so it can only store 5 items?

Or

How can I cut the items after the array index 4?


    var id = product_id;
    var browseHistory = $.cookie(&#39;history&#39;);
    if (browseHistory != null) {
      var old_cookie = $.cookie(&#39;history&#39;);
      var new_cookie = &#39;&#39;;
      
      if (old_cookie.indexOf(&#39;,&#39;) != -1) {
        var arr = old_cookie.split(&#39;,&#39;);
        if (arr.length &gt;= 5) {
          arr.splice(4, 1)
        }
      }
      
      new_cookie = id + &#39;,&#39; + old_cookie;
      $.cookie(&#39;history&#39;, new_cookie, { expires: 7, path: &#39;/&#39; });
    } else {
      $.cookie(&#39;history&#39;, id, { expires: 7, path: &#39;/&#39; });
    }

Can I limit the length of an array in JavaScript?

Seems that something similar already has been discussed on stackoverflow, but i could not find exactly the same.

I am trying to send Cookie with CORS(Cross-origin resource sharing), but it is not working. 

This is my code.

    $.ajax(
        { 
          type: &quot;POST&quot;,
          url: &quot;http://example.com/api/getlist.json&quot;,
          dataType: &#39;json&#39;,
          xhrFields: {
               withCredentials: true
          },
          crossDomain: true,
          beforeSend: function(xhr) {
                xhr.setRequestHeader(&quot;Cookie&quot;, &quot;session=xxxyyyzzz&quot;);
          },
          success: function(){
               alert(&#39;success&#39;);
          },
          error: function (xhr) {
                 alert(xhr.responseText);
          }
        }
    );

I dont see this cookie in request HEADER.

Cross domain POST request is not sending cookie Ajax Jquery

I&#39;m trying to set a cookie depending on which CSS file I choose in my HTML. I have a form with a list of options, and different CSS files as values. When I choose a file, it should be saved to a cookie for about a week. The next time you open your HTML file, it should be the previous file you&#39;ve chosen.


JavaScript code:

    function cssLayout() {
        document.getElementById(&quot;css&quot;).href = this.value;
    }


    function setCookie(){
        var date = new Date(&quot;Februari 10, 2013&quot;);
        var dateString = date.toGMTString();
        var cookieString = &quot;Css=document.getElementById(&quot;css&quot;).href&quot; + dateString;
        document.cookie = cookieString;
    }

    function getCookie(){
        alert(document.cookie);
    }


HTML code:

    &lt;form&gt;
        Select your css layout:&lt;br&gt;
        &lt;select id=&quot;myList&quot;&gt;
            &lt;option value=&quot;style-1.css&quot;&gt;CSS1&lt;/option&gt;
            &lt;option value=&quot;style-2.css&quot;&gt;CSS2&lt;/option&gt;  
            &lt;option value=&quot;style-3.css&quot;&gt;CSS3&lt;/option&gt;
            &lt;option value=&quot;style-4.css&quot;&gt;CSS4&lt;/option&gt;
        &lt;/select&gt;
    &lt;/form&gt;

    


Set cookie and get cookie with JavaScript

I have a cookie that is NOT `HttpOnly` Can I set this cookie to `HttpOnly` via JavaScript?

Set a cookie to HttpOnly via Javascript

I read that [sending cookies with cURL](https://stackoverflow.com/questions/7181785/send-cookies-with-curl) works, but not for me.

I have a REST endpoint like this:

    class LoginResource(restful.Resource):
        def get(self):
            print(session)
            if &#39;USER_TOKEN&#39; in session:
                return &#39;OK&#39;
            return &#39;not authorized&#39;, 401

When I try to access the endpoint, it refuses:

    curl -v -b ~/Downloads/cookies.txt -c ~/Downloads/cookies.txt http://127.0.0.1:5000/
    * About to connect() to 127.0.0.1 port 5000 (#0)
    *   Trying 127.0.0.1...
    * connected
    * Connected to 127.0.0.1 (127.0.0.1) port 5000 (#0)
    &gt; GET / HTTP/1.1
    &gt; User-Agent: curl/7.27.0
    &gt; Host: 127.0.0.1:5000
    &gt; Accept: */*
    &gt;
    * HTTP 1.0, assume close after body
    &lt; HTTP/1.0 401 UNAUTHORIZED
    &lt; Content-Type: application/json
    &lt; Content-Length: 16
    &lt; Server: Werkzeug/0.8.3 Python/2.7.2
    &lt; Date: Sun, 14 Apr 2013 04:45:45 GMT
    &lt;
    * Closing connection #0
    &quot;not authorized&quot;%

Where my `~/Downloads/cookies.txt` is:

    cat ~/Downloads/cookies.txt
    USER_TOKEN=in

and the server receives nothing:

    127.0.0.1 - - [13/Apr/2013 21:43:52] &quot;GET / HTTP/1.1&quot; 401 -
    127.0.0.1 - - [13/Apr/2013 21:45:30] &quot;GET / HTTP/1.1&quot; 401 -
    &lt;SecureCookieSession {}&gt;
    &lt;SecureCookieSession {}&gt;
    127.0.0.1 - - [13/Apr/2013 21:45:45] &quot;GET / HTTP/1.1&quot; 401 -

What is it that I am missing?


How to use cURL to send Cookies?

How do I resolve the problem of losing a session after a redirect in PHP?

Recently, I encountered a very common problem of losing session after redirect. And after searching through this website I can still find no solution (although [this][1] came the closest). 

**Update**

I have found the answer and I thought I&#39;d post it here to help anyone experiencing the same problem.


  [1]: https://stackoverflow.com/questions/2037316/php-session-destroyed-lost-after-header

PHP session lost after redirect

I have a question regarding URLs:

I&#39;ve read the [RFC 3986][1] and still have a question about one URL:

&gt; If a URI contains an authority component, then the path component   
&gt; must either be empty or begin with a slash (&quot;/&quot;) character.  If a URI 
&gt; does not contain an authority component, then the path cannot begin   
&gt; with two slash characters (&quot;//&quot;).  In addition, a URI reference   
&gt; (Section 4.1) may be a relative-path reference, in which case the   
&gt; first path segment cannot contain a colon (&quot;:&quot;) character.  The ABNF  
&gt; requires five separate rules to disambiguate these cases, only one of 
&gt; which will match the path substring within a given URI reference.  We 
&gt; use the generic term &quot;path component&quot; to describe the URI substring   
&gt; matched by the parser to one of these rules.

I know, that `//server.com:80/path/info` is valid (it is a schema relative URL)

I also know that `http://server.com:80/path//info` is valid.

But I am not sure whether the following one is valid:

    http://server.com:80//path/info

The problem behind my question is, that a cookie is not sent to `http://server.com:80//path/info`, when created by the URI `http://server.com:80/path/info` with restriction to `/path`





  [1]: http://www.ietf.org/rfc/rfc3986.txt

Is a URL with // in the path-section valid?

Bob uses a web application in order to achieve something. And:

 - His browser is on diet, therefore it does not support **cookies**. 
 - The web application is a popular one, it deals with a lot of users at a given moment - it has to *scale* well. As long as keeping session would impose **a limit to the number of simultaneous connections**, and, of course, will bring a non-negligible **performance penalty**, we might like to have a session-less system :)

**Some important notes:** 

- we do have **transport security** (*HTTPS* and its best friends);
- behind the curtains, the web application delegates a lot of operations to **external services**, on current **user&#39;s behalf** (those systems do recognize Bob as one of their users) - this means that **we have to forward them Bob&#39;s credentials**.

Now, how do we authenticate Bob (on each and every request)?
Which would be a reasonable way to implement such a thing?

- playing *tennis* with the credentials via **HTML form hidden fields**... the *ball* contains the credentials (**username &amp; password**) and the *two rackets* are the browser and the web application respectively. In other words, we may transport data back and forth via form fields instead of via cookies. At each web request, the browser posts the credentials. Though, in the case of a **single-page application**, this may look like playing *squash* against a rubber wall, instead of playing *tennis*, as the *web form* containing the credentials might be kept alive the entire lifetime of the *web page* (and the server will be configured not to offer the credentials back).
- storing the username &amp; the password in the context of the page - JavaScript variables etc. Single-page required here, IMHO.
- encrypted token - based authentication. In this case, the log-in action would result in the generation of an encrypted security token (username + password + something else). This token would be served back to the client and the upcoming requests will be accompanied by the token. Does this make sense? We already have HTTPS...
- others...
- last resort: do not do this, store credentials in the session! Session is good. With or without cookies.

Does any web / security concern come into your mind, regarding any of the previously described ideas? For example,

 - *time-outing* - we may keep a **timestamp**, along with the credentials (time-stamp = the time Bob entered his credentials). E.g. when **NOW - timestamp &gt; threshold**, we might deny the request.
 - *Cross-site scripting* protection - should not be different in any way, right?

Thank you a lot for taking the time to reading this :)

How to do stateless (session-less) &amp; cookie-less authentication?

For a new node.js project I&#39;m working on, I&#39;m thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user&#39;s browser) to a token-based session approach (no key-value store) using JSON Web Tokens (jwt).

The project is a game that utilizes socket.io - having a token-based session would be useful in such a scenario where there will be multiple communication channels in a single session (web and socket.io)

How would one provide token/session invalidation from the server using the jwt Approach? 

I also wanted to understand what common (or uncommon) pitfalls/attacks I should look out for with this sort of paradigm. For example, if this paradigm is vulnerable to the same/different kinds of attacks as the session store/cookie-based approach.

So, say I have the following (adapted from [this][1] and [this][2]):

Session Store Login:

    app.get(&#39;/login&#39;, function(request, response) {
        var user = {username: request.body.username, password: request.body.password };
        // Validate somehow
        validate(user, function(isValid, profile) {
            // Create session token
            var token= createSessionToken();

            // Add to a key-value database
            KeyValueStore.add({token: {userid: profile.id, expiresInMinutes: 60}});

            // The client should save this session token in a cookie
            response.json({sessionToken: token});
        });
    }

Token-Based Login:

    var jwt = require(&#39;jsonwebtoken&#39;);
    app.get(&#39;/login&#39;, function(request, response) {
        var user = {username: request.body.username, password: request.body.password };
        // Validate somehow
        validate(user, function(isValid, profile) {
            var token = jwt.sign(profile, &#39;My Super Secret&#39;, {expiresInMinutes: 60});
            response.json({token: token});
        });
    }

--

A logout (or invalidate) for the Session Store approach would require an update to the KeyValueStore 
database with the specified token.

It seems like such a mechanism would not exist in the token-based approach since the token itself would contain the info that would normally exist in the key-value store.


  [1]: http://blog.auth0.com/2014/01/15/auth-with-socket-io/
  [2]: http://coderead.wordpress.com/2012/08/16/securing-node-js-restful-services-with-jwt-tokens/

Content Type	Original Author	Original Content on Stackoverflow
Question	ted	View Question on Stackoverflow
Solution 1 - Http	Cratylus	View Answer on Stackoverflow
Solution 2 - Http	Alain Tiemblo	View Answer on Stackoverflow

How does cookie "Secure" flag work?

Http Problem Overview

Http Solutions

Solution 1 - Http

Solution 2 - Http

fancybox2 / fancybox causes page to to jump to the top

How to clear a map in Go?

Attributions