sso – Cookie set from a server to a client with different domain (via XHR), but not recognized by Client domain

I have three domains but the same code base (Domain X, Domain Y, Domain Z) and Accounts website A.

If a user tries to sign in accounts from domain X, I wanted to SSO in the other two domains (Browser Scenario: third party cookies blocked).

I tried the following approach,

  1. Go to Accounts from Domain X
  2. Sign In
  3. Get the required authentication token info and post an XHR request to Domain Y to create a cookie.

When I check the request in Network, the required cookie is set in the response cookies, but when I open Domain Y separately the cookie is not present in the Application Cookies.

Can anyone please tell why the created cookie via XHR request is not accessible by the main domain? Kindly help.

Can I disable a cookie from a contrib module, in this case fontawesome I believe

I have a D8 site v8.9.6 and have some questions on cookies.

I would prefer not to have any cookies on my site unless they are really required for a properly functioning website. With all things going on like GDPR and APP I prefer to have this as clean as possible.

In order to find out which cookies are in use I checked Chrome DevTools and it shows me just 1: _ga with source of (I installed the FontAwesome module).
First question, can I disable this cookie somehow?

Second question is related to Dropdown Language, a module that gives me a dropdown select list for the user to select its language of choice. I can’t find anything in the documentation about how this tracks the user’s choice and I don’t see anything in DevTools (cookies, session), so this is not working with cookies?


magento2 – PCI Compliance: Insecure configuration of Cookie attributes

The PCI compliance checking found this issue on our site: “Insecure configuration of Cookie
attributes”. Magento Version: 2.3.5-p1

Here are the Default Cookie Settings:


The Base URL and Secure Base URL are already using https.

How will we be able to set the secure flag on all cookies to true?

How to limit page view only ONCE per visitor via cookie?


Is there a way within WordPress by (pasting some sort of a script I guess) make so I can restrict certain page on my site to be seen only once. And if the visitor decides to refresh or to enter it again in the browser to redirect him to another page.

I have managed to find a script that redirects visitors after some time is spent on the page, but I couldn’t manage to find a script that could also limit the number of views of a user per page… is there just a copy-paste script that could just do that? (sorry but my coding skills are only good enough to just copy-paste a code… and probably replace some basic values)

*if there is something unclear, please let me know, so I can further explain.

Thank you and have a good one!


8 – Standard way of filling webform fields with session or cookie values

Is there a standard way of filling Webform (hidden) fields with session variables and cookies?

In previous versions of Webform (4.x?), I’ve read that some placeholders could be used for setting the default value the one in a cookie or session variable, but this functionality was apparently removed (maybe when Webform switched to use the more standard Token module?)

I’m imagining two ways of doing this, but all of them may require custom code:

  • Implementing a custom component that acts like a hidden field but that gets its value from a specific cookie/session variable of choice.
  • Exposing cookies & session variables as tokens, and then use default Webform default value mechanism with tokens. Ideally, I would like the form editors to be able to choose any cookie/session variable they want, so I’m not sure this can be done that way.

8 – Set cookie inside webform handler

Following up with my previous question, I need to set and retrieve a cookie in two different places:

  • set – inside postSave() in a Webform handler
  • get – inside an event subscriber.

In looking around, it seems that there are a few different options for tools, such as Symfony\Component\HttpFoundation\Response and Symfony\Component\HttpFoundation\Cookie, or GuzzleHttp\Cookie\SetCookie and GuzzleHttp\Cookie\CookieJar.

For setting the cookie, if I try this in my webform handler:

$values = $webform_submission->getData();

$response = new Response();
$cookie = new Cookie('Dixon customer info form', $values['destination_url'], 0, '/' , NULL, FALSE);

I get redirected to a blank page. If I try this:

$values = $webform_submission->getData();

$cookie_jar = new CookieJar();
// Get the current host.
$host = \Drupal::request()->getSchemeAndHttpHost();

// Set a cookie for the specific form.
$cookie = new SetCookie([
  'Name' => 'formEnterCookie',
  'Value' => $values['destination_url'],
  'Domain' => $host,
  'Secure' => FALSE,
]);

no cookie gets set. Using either option, how do I set my cookie within my webform handler?

woocommerce – Gravity Form Set cookie and submit to checkout field

I’m having difficulty with the following code in that I’m adding it to code snippet plugin but I am unable to see the cookie being set in the developer tools after the form has been submitted. My understanding is that if the cookie is set then it should show the cookie name in the session within Developer Tools.

// Saving the user data from Gravity Form field to Woocommerce session
add_action( 'gform_after_submission', 'store_email_insession', 10, 2 );
function store_email_insession( $entry ) {
    $email = rgar( $entry, '3' ); // Get value of field id 3.

    // Set the session data
    WC()->session->set( 'custom_data', array( 'email' => $email ) );
}

// Autofill the checkout email field from user data saved in Woocommerce session
add_filter( 'woocommerce_billing_fields' , 'prefill_billing_fields' );
function prefill_billing_fields ( $address_fields ) {
    // Get the session data
    $data = WC()->session->get('custom_data');

    // Email
    if( isset($data['email']) && ! empty($data['email']) )
        $address_fields['billing_email']['default'] = $data['email'];

    return $address_fields;
}

I’ve also tried to set the specific form from which I’d like the email field to be stored from, by specifying the form:

add_action( 'gform_after_submission_11', 'store_email_insession', 10, 2 );

That’s my attempt and I think the autofill section is correct from what I have gleaned but the setting of the cookie itself so it stores the email address isn’t being set as expected and therefore isn’t populating the billing_email field.

Thanks in advance.

audit – Cookie secure flag with HSTS

We have a portal and are trying to win a big corporate Client.

Our Pentest showed that we don’t have secure flag on an authentication cookie.

We use HSTS however. With preload.

In the latest Chrome, it looks good. In Firefox, the browser sends the cookie over HTTP when requested.

Is this a security issue? Compliance? GDPR?

Will this be a blocker for a corporate Customer win?

Best if folks with experience with audits by big corporations help here, answer here.

I know it is an issue, with FF.

Will this be seen very bad? Be a deal breaker?

Bonus point for info with other Browsers, i.e. Edge, IE, and how to possibly fix FF behavior.


tls – Should the Secure cookie flag also be set on HTTPS-only websites?

Should the cookie Secure flag be set on websites which are served only through HTTPS?

The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS

Let’s say the victim connect to and there is no
How can an attacker have access to the cookie? I mean if he intercepts the traffic the cookie will be encrypted.
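
The "Insecure configuration of Cookie attributes" finding and the missing Secure flag reported by the pentest in the questions above both come down to what each Set-Cookie response header carries. The following is an added example, not code from any of the posts: a small auditor over Set-Cookie values. The header values and cookie names in it are constructed samples, and the set of checks is an assumption about what such a scan looks for.

```python
# Added example: audit Set-Cookie header values for weak attribute configuration.
# SAMPLE_HEADERS are constructed values, not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "auth=eyJ0eXAi; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart_hint=Zx9; Path=/; secure",
    "__Host-sid=42; Path=/; Secure; HttpOnly; SameSite=None; Domain=example.test",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return the list of findings for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # cookie may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # cookie is readable from page script
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    # Cookie name prefixes: __Host- needs Secure, Path=/ and no Domain attribute.
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requirements not met")
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requirements not met")
    return findings

def audit_all(headers):
    """Map cookie name -> findings for a list of Set-Cookie header values."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}

if __name__ == "__main__":
    for cookie_name, result in audit_all(SAMPLE_HEADERS).items():
        print(cookie_name, "->", result or "ok")
```

A finding such as "missing HttpOnly" is a prompt to review, since some cookies are meant to be read by page script.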

session management – OpenId Connect Authorization Code Flow, using refresh token to renew id_token? And subsequently issuing a new cookie

I am currently working on implementing a proof of concept for ADFS (2019) (which I managed successfully) and Azure AD with renewing the cookie / id_token by doing a refresh_token call in the backend of the web application. We currently experience a lot of problems with the hidden iframe solution we implemented in previous years due to browser security changes (SameSite cookie flag for example).

It’s hard to find any information whether this approach with refresh tokens is sound. I often stumble upon information which only talks about access_tokens and refresh_tokens. And id tokens are at the best vaguely mentioned.

Both the ADFS and Azure AD documentation state that you can also receive the id_token by providing openid in the scope. I did not find any warnings on the (rather) poorly documented ADFS OpenId Connect / OAuth pages.

Though I found the following piece of information on the AzureAD Documentation regarding the id_token:

“An unsigned JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the id_token reference.
Note: Only provided if openid scope was requested.”


As far as my knowledge goes, access tokens should not be used to implicitly (and not to mention missing claims compared to the id_token) assume proof of identity. And I am certainly discouraged by the above information, if using refresh tokens is still a viable option.

The application I’m working on also has the problem of not having absolute urls everywhere, so top frame redirects are not our first choice.

Can anyone provide some guidance as to which approach for renewing a user’s session is secure and recommended? I can’t seem to find the proper information on official documentation and blog posts.
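
OpenID Connect Core 1.0 (section 12.2) states what must hold for an ID token returned from a refresh request relative to the one issued at the original authentication. The following is an added example, not part of the original question, of those claim comparisons in a backend before a new session cookie is issued. The claim values are constructed, signature validation is assumed to have been done already, and `renewed_cookie_expiry` is a hypothetical session policy.

```python
import time

# Constructed sample claims; the tokens' signatures are assumed already validated.
ORIGINAL = {"iss": "https://idp.example.test", "sub": "u-123", "aud": "webapp",
            "iat": 1000, "exp": 4600, "auth_time": 990, "nonce": "n-1"}
REFRESHED_OK = {"iss": "https://idp.example.test", "sub": "u-123", "aud": "webapp",
                "iat": 5000, "exp": 8600, "auth_time": 990}
REFRESHED_BAD = {**REFRESHED_OK, "sub": "u-999", "auth_time": 5000, "iat": 1000}

def check_refreshed_id_token(original, refreshed, now=None, max_iat_skew=300):
    """Compare a refreshed ID token's claims with the original (OIDC Core 12.2).
    Returns a list of problems; an empty list means the claims are consistent."""
    now = time.time() if now is None else now
    problems = []
    for claim in ("iss", "sub", "aud"):          # must be unchanged
        if refreshed.get(claim) != original.get(claim):
            problems.append(f"{claim} changed")
    # azp must match, and must not appear if the original had none.
    if refreshed.get("azp") != original.get("azp"):
        problems.append("azp changed or newly present")
    # auth_time must still be the original authentication, not the refresh time.
    if "auth_time" in refreshed and "auth_time" in original \
            and refreshed["auth_time"] != original["auth_time"]:
        problems.append("auth_time does not match original authentication")
    # nonce should be absent; if present it must equal the original.
    if "nonce" in refreshed and refreshed["nonce"] != original.get("nonce"):
        problems.append("nonce differs from original")
    iat = refreshed.get("iat")                   # must be the new issue time
    if iat is None or abs(now - iat) > max_iat_skew:
        problems.append("iat is not the time of this refresh")
    if refreshed.get("exp", 0) <= now:
        problems.append("token already expired")
    return problems

def renewed_cookie_expiry(original, refreshed, max_session_seconds):
    """Hypothetical policy: the renewed cookie never outlives the new token and
    never extends past a fixed window measured from the original login."""
    login_time = original.get("auth_time", original["iat"])
    return min(refreshed["exp"], login_time + max_session_seconds)

if __name__ == "__main__":
    print(check_refreshed_id_token(ORIGINAL, REFRESHED_OK, now=5010))
    print(check_refreshed_id_token(ORIGINAL, REFRESHED_BAD, now=5010))
```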