I thought that HttpOnly cookies were only available to read in an HTTP request. However, when I open up Firefox dev tools, I can see the cookies' value. Is this normal?
Yes, that's normal. What HttpOnly does is prevent cookies from being accessible to JavaScript, which makes it impossible to tamper with them programmatically (on the client). You can still access them manually through the browser's devtools. (If you couldn't, it'd be quite difficult to debug issues with them, after all.)
Yes, that's normal. You can access the cookies using the devtools.
Some cookies are marked as HttpOnly. See Chrome developer tools > resources > cookies > http column, does a checkmark here indicate HttpOnly cookie?
If I use this code inside the debug console to get all cookies:
document.write(document.cookie)
Then it gives me everything except the HttpOnly cookies, which is because my code is running inside the JavaScript environment and the design of HttpOnly is to hide them from the JavaScript environment.
Is there another option to use the Chrome console to get all the cookies?
I am hoping to get this in the same format as the above line of code produces.
At the moment I'm using Modernizr to detect if the client is blocking cookies and provide warnings if it's going to prevent them doing something i.e login or add to cart.
https://github.com/Modernizr/Modernizr/blob/master/feature-detects/cookies.js
However I've found that if you use the Advanced privacy settings to block cookies this is not detected so the user doesn't get any warning and the site will appear to be broken.
I can't seem to find anything that suggests any way around this.
The Modernizr test is a purely client-side test. If IE's settings fool that test, it seems like you'll need to set a cookie in your main response, then do an ajax call and see if the cookie went back to the server. If it did, cookies aren't blocked; if it didn't, they are.
This also has the advantage that it's an end-to-end test: It doesn't matter where the cookie was blocked (the browser, a proxy, etc.), it'll tell you whether cookies currently work for that user in that environment with your site.
I developed a bookmarklet using Javascript and my bookmarklet does not work on Safari browser on Windows or Mac, when Block cookies is NOT set on Never.
go to Settings, Preferences, Privacy, Block cookies
How do I detect the value of this option?
my bookmarklet does not work on Safari browser.
So at some point in the code, you want something to happen that does not happen. (Most likely, that a cookie can't be set and then read.)
How do I detect the value of this option?
You detect that what you wanted to happen, didn't happen.
I'm pretty sure that there is no way to directly read this browser setting. You can only infer the setting by testing whether you can set a cookie and then read it.
I am able to see session cookies in Firefox 3.6 by going to
Tools->Options->Privacy->Remove Individual Cookies
How do I see those same session cookies in IE (6/7/8)?
Tools->Internet Options->Browsing history Settings->View files only contains persistent cookies.
Also how do I access them programmatically? In Firefox I use the nsICookieManager interface to read the session cookies, does IE contain an equivalent interface?
Cookies set with the HTTPOnly attribute will not be visible to Javascript (e.g. via the document.cookie accessor). In IE8, 9, and 10, hit F12 to open the Developer Tools. Click Cache > View Cookie Information to see persistent and session cookies that apply to the current domain.
This feature is not present in the IE11 version of the tools, which would mean that your choices are 1> Watch outbound Cookie headers in Fiddler or on the Network tab, or 2> Write a plugin that calls the InternetGetCookieEx API with the appropriate flag to include HTTPOnly cookies.
Type into the address bar:
javascript:alert(document.cookie)
to see the cookies that are currently readable by JavaScript.
Regarding the read/write of session cookies:
Why do you need to do it using JavaScript? Usually session cookies need to have a relation to server-side stored data, so you need to manage the cookies from the server side, no matter what browser there may be.
F12 -> Network Tab -> Enable Network Traffic Capturing -> Details Tab -> Request Header Tab.
I have a URI here in which a simple document.cookie query through the console is resulting in three cookies being displayed. I verified this with trivial code such as the following as well:
var cookies = document.cookie.split(';');
console.log(cookies.length);
The variable cookies does indeed come out to the number 3. Web Developer on the other hand is indicating that a grand total of 8 cookies are in use.
I'm slightly confused to believe which is inaccurate. I believe the best solution might involve just reiterating the code above without the influence of Firebug. However, I was wondering if someone might suggest a more clever alternative to decipher which tool is giving me the inaccurate information.
One reason might be that the other 5 cookies are HttpOnly:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
If the HttpOnly attribute is included in the response header, the cookie is still sent when the user browses to a Web site in the valid domain. The cookie cannot be accessed through script in Internet Explorer 6 SP1, even by the Web site that set the cookie in the first place. This means that even if a cross-site scripting bug exists, and the user is tricked into clicking a link that exploits this bug, Windows Internet Explorer does not send the cookie to a third party. The information is safe.
Firefox also respects this flag (as of v2.0.0.5).
I'm pretty sure the Web Developer toolbar shows cookies for the domain and its sub-domains.
So it will show cookies for abc.xyz.com and xyz.com whether you are on a page of either domain.