Issue Description
We have a custom application within which we have integrated JasperReports Server using an iframe.
Both applications are on different domains.
The user is logged in to JasperReports Server and a JSESSIONID cookie is created.
We need to fetch this JSESSIONID from JasperReports Server and pass it to the application for further usage within the same session.
Resolution
In the default configuration of most application servers, the JSESSIONID cookie is issued with the HttpOnly flag in the Set-Cookie response header. The flag hides the cookie from client-side script (document.cookie), which limits the damage of a cross-site scripting attack: an injected script cannot read the session identifier and hijack the session.
Because the flag blocks all script access to the cookie, it also prevents the parent page from reading the JSESSIONID of the embedded iframe. Note that script access across documents additionally requires the parent page and the JasperReports Server page to share the same origin (scheme, host and port): the browser's same-origin policy blocks window.frames[0].document.cookie between different origins regardless of the HttpOnly setting, which is why the test below serves the parent page from the same Tomcat instance. Pages on a genuinely different origin would need the iframe to hand the value over explicitly (for example with window.postMessage) rather than the parent reading document.cookie.
https://www.owasp.org/index.php/HttpOnly
As a solution, you can disable the flag. Be aware that this removes the HttpOnly protection from every session cookie issued by the affected Tomcat context, so any XSS flaw in the application then exposes session identifiers; the attribute can be set in the JasperReports Server application's own context descriptor instead of the global conf/context.xml to limit the scope. For Tomcat it is done as follows:
- Locate Apache Tomcat application server context.xml file usually located in
<tomcat>/conf/context.xml
- Edit the file by adding the useHttpOnly="false" attribute to the Context element:
<Context useHttpOnly="false">
..................
</Context>
- Restart Tomcat
After these steps, you should be able to retrieve the cookie of the embedded iframe page from the parent window using JavaScript, provided the parent page is served from the same origin as JasperReports Server:
window.frames[0].document.cookie
As a test, create a sample HTML page (the credentials in the iframe URL are for a local test only; they end up in browser history and server access logs, so do not use this form in production):
<html>
<head>
<title></title>
<script>
// Works only because this page is served from the same origin as JasperReports Server
function onMyFrameLoad(frame) {
  alert(frame.contentWindow.document.cookie);
}
</script>
</head>
<body>
<iframe id="jrs_frame"
        src="http://localhost:8630/jasperserver-pro/flow.html?_flowId=searchFlow&amp;standAlone=true&amp;j_username=jasperadmin|organization_1&amp;j_password=jasperadmin&amp;decorate=no"
        width="1000" height="600"
        onload="onMyFrameLoad(this)"></iframe>
</body>
</html>
Place the page in Tomcat (so that it is served from the same host and port as JasperReports Server) and open it in a browser.
As a result, the alert message displays the cookies, including JSESSIONID; see the attached screenshot.
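Added example (not from the original article and not Jaspersoft code): a small Node.js helper that parses a Set-Cookie response header and reports whether JSESSIONID still carries HttpOnly, plus a getter for a named cookie in a document.cookie string. Run it against the Set-Cookie header returned by the JasperReports Server login response (captured with the browser developer tools or curl -I) to confirm that the Tomcat change took effect before debugging the iframe page. The header strings and the session id in the block are constructed samples, not captured values.

```javascript
// Added example: verify the useHttpOnly change from the Set-Cookie header.
// All sample headers and ids below are constructed, not captured from a real server.

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
// Flag attributes (HttpOnly, Secure) map to true; valued attributes keep their string.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq === -1) throw new Error('malformed Set-Cookie: no name=value pair');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// True when the cookie is hidden from document.cookie, i.e. the parent-window
// trick described in the article cannot work until useHttpOnly="false" is applied.
function isHttpOnly(header) {
  return parseSetCookie(header).attributes.httponly === true;
}

// Extract a named cookie from a document.cookie string such as "a=1; b=2".
// Returns null when the cookie is absent (which is also what you see while HttpOnly is on).
function getCookieValue(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    if (trimmed.startsWith(name + '=')) return trimmed.slice(name.length + 1);
  }
  return null;
}

// Constructed sample headers: before and after setting useHttpOnly="false" in context.xml.
const BEFORE = 'JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/jasperserver-pro; HttpOnly';
const AFTER = 'JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/jasperserver-pro';

// Summary a practitioner would check after restarting Tomcat.
function report() {
  return {
    beforeHttpOnly: isHttpOnly(BEFORE),
    afterHttpOnly: isHttpOnly(AFTER),
    // Simulated document.cookie string the parent page would see after the change.
    sessionId: getCookieValue('JSESSIONID=0123456789ABCDEF0123456789ABCDEF; _rh=1', 'JSESSIONID'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report());
}
```

If isHttpOnly still returns true for the login response after the restart, the edited context.xml is not the one Tomcat is reading (for example a per-application descriptor overrides conf/context.xml), and no amount of iframe scripting will expose the cookie.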
Ref. Case 01457000