Chrome blocks sessions request to NX5 using BEARER authetification on web client

Answered
Follow
Avatar
Miguel Dina

Hi to all,

We have a project which is stuck over this. Please help us out.

THE CASE

  • Our web app name is IFA.
  • It connects to NX over https to request media.
  • After connecting to NX and sending the session request the received cookie is blocked by the Chrome browser because it comes from a different domain.

 

QUESTION

How can we get over this by receiving the cookie without disableing Chrome's security?.

 

MORE

We are aware of other less secure authetification methods (URL Based) that could be used for this matter but since this product is intended for the financial sector, security is a most.

 

Please advise on how to procced.

Thanks in advance,
Miguel Dina

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Andrey Terentyev

    Hello Miguel Dina,

    could you please elaborate on the following?

    What is the build number of the Server?

    It connects to NX over https to request media.

    Could you please share a code snippet or an URL you're connecting to?

    0
    Comment actions Permalink
  • Avatar
    Miguel Dina

    Hi there,

    Sorry, just now we see your answer. Too bad on our side. Here is the info.

    Built: 5.0.0.35745

    Our product name is IFA.

    Server Side:

    From the server side IFA request a session. The session delivers a token.
    POST https://10.1.10.75:7001/rest/v1/login/sessions 

    The token is passed to the Client Side. The client uses the token to request the session cookie from the VMS.
    It never gets to assign the cookie because the NX authentification method does not works with the browser security system.

    Client side 
    GET https://10.1.10.75:7001/rest/v1/login/sessions/vms-ab7909a962971e122fd6b672175c9dda-rpsf3Bp8ve?setCookie=true 
     
    function HttpRequestForNXV5(url) { 
        var requestOptions = { 
            method: 'GET', 
            redirect: 'follow' 
        }; 
     
        fetch(url, requestOptions) 
            .then(response => response.text()) 
            .then(result => console.log(result)) 
            .catch(error => console.log('error', error)); 
    }

    Thanks very much!
    Miguel Dina

    0
    Comment actions Permalink
  • Avatar
    Andrey Terentyev

    Hello Miguel,

    How can we get over this by receiving the cookie without disableing Chrome's security?.

    There is no solution for that, but disabling CORS security.

    You could create your own web service running on the same or other machine and communicate to it from your web page. The web service would transform your requests to API requests to the Server.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post