Deleting cookie via browser vs via Javascript - javascript

What is the difference between deleting cookies via the browser, e.g. by using this little menu in Edge:
and setting max-age to -1 via JavaScript, e.g. with code like this:
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context: I'm using an internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works; when using JavaScript it doesn't. I've tried various combinations of paths, domains, max-age and expiration dates.

Deleting a cookie from the browser via settings or Dev tools will remove all cookies (including "HTTP only" cookies), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with the "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, your session cookie might have the "HTTP only" flag; that's why it's not getting deleted when you try to delete it with document.cookie.
You can view this in your browser's Dev tools (while you are logged in). To remove an HTTP only cookie, you can update its value and expiry via an HTTP response (similar to how you set the cookie in the first place):
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
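As an added example (not code from the answer above), here is the server side of that logout: the handler that issues the HttpOnly session cookie, the handler that clears it with a Set-Cookie response, and a small check that a clearing header really matches the cookie that was issued (a mismatched Path or Domain, or a future Expires, leaves the original cookie in the browser). The cookie name, path and domain are constructed for the example; a real application takes them from its session configuration.

```javascript
// Added example, not code from the answer above: the server side of logging a
// user out when the session cookie is HttpOnly. Cookie name, path and domain
// are constructed for the example; a real app takes them from its session config.
const SESSION = { name: "MyCookie", path: "/", domain: "mydomain.com" };

// Header that issues the session cookie. HttpOnly keeps it out of document.cookie,
// which is exactly why script cannot later remove it.
function issueCookieHeader(value, c = SESSION) {
  return `${c.name}=${value}; Path=${c.path}; Domain=${c.domain}; HttpOnly; Secure; SameSite=Lax`;
}

// Header that removes it: same name, path and domain, with Max-Age=0 and a past
// Expires (browsers prefer Max-Age when present and fall back to Expires).
function clearCookieHeader(c = SESSION) {
  return `${c.name}=; Path=${c.path}; Domain=${c.domain}; Max-Age=0; ` +
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax";
}

// Split a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Check that a logout response would actually remove the cookie that was issued:
// a mismatched Path or Domain leaves the original cookie in place, and a future
// Expires merely refreshes it. Useful as a unit test for the logout handler.
function clearsCookie(header, issuedHeader, now = Date.now()) {
  const h = parseSetCookie(header), issued = parseSetCookie(issuedHeader);
  if (h.name !== issued.name) return false;
  if ((h.attrs.path || "/") !== (issued.attrs.path || "/")) return false;
  if ((h.attrs.domain || "").toLowerCase() !== (issued.attrs.domain || "").toLowerCase()) return false;
  if ("max-age" in h.attrs) return Number(h.attrs["max-age"]) <= 0;
  if ("expires" in h.attrs) return Date.parse(h.attrs.expires) <= now;
  return false; // no expiry at all: a session cookie replacement, not a removal
}

// Request handler for http.createServer: /login issues the cookie, /logout
// clears it. The session id is a placeholder; a real app also invalidates the
// session server-side, since a cookie the client keeps would otherwise stay valid.
function handler(req, res) {
  if (req.url === "/login") {
    res.setHeader("Set-Cookie", issueCookieHeader("SESSION-ID-PLACEHOLDER"));
    res.end("logged in");
  } else if (req.url === "/logout") {
    res.setHeader("Set-Cookie", clearCookieHeader());
    res.end("logged out");
  } else {
    res.statusCode = 404;
    res.end();
  }
}
```

Plug `handler` into `http.createServer(handler).listen(port)` to try it; `clearsCookie(clearCookieHeader(), issueCookieHeader("x"))` returns true, while the same header with `Path=/app` returns false, which is the kind of mismatch behind "I've tried various combinations of paths, domains, max-age or expiration dates".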

Related

document.Cookie is ignored by Chrome if path is set

I want to create a cookie that will not be sent to the server due to some legacy code in our app that cleared the content of the cookies upon login. To accomplish that I want to set the path of the cookie to something arbitrary.
I'm trying to set a cookie in JS using the following code:
document.cookie = "test=this is a test; Domain=mydomain.com; Path=/localcookie; Expires=Mon, 05 Apr 2021 21:02:42 GMT"
This line works fine in Firefox but is being ignored in Chrome (v80). If I remove the Path parameter or set it to "/", the cookie is created, but not with the path I want.
Is this a limitation in Chrome, a security thing, a bug, or am I doing something wrong?

Delete sub-domain cookie, which was set by a sub-domain

I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However, the above code simply won't delete this cookie when run from, let's say, old.domain.com.
A cookie cannot be deleted with client side code when HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.

Cookie's expires property cannot be inspected

I try to set a cookie in the browser (here Chrome ver. 41.xxx) using the debugger's console:
> document.cookie = 'cookie1=hans; expires=Fri, 03 May 2020 11:00:00 GMT;'
Then, I inspect the .cookie property:
> document.cookie
> "cookie1=Hans"
Surprisingly, no expires section! Fiddler also reports the same when I refresh the page:
These are enough for me to believe that the expires property is not set.
But I get more surprised when I see the cookie's expires value using the EditThisCookie extension:
I tried to set the cookie using JavaScript in my code and got exactly the same result!
Question: How can I make sure that the expires property of the cookie is set?
When reading from cookies, you will only be given the value of cookies which are valid for the current host, path, security setup, and time. Short of using a special browser add-on or browsing the file system (neither of which you can do from your own code), there is no way to get this info about a cookie. If it's there, it's not expired. That's just the way the cookie "API" was written.
In response to "How can I make sure that the expires property of the cookie is set?" - if you pass it, it's set. Using a cookie library to improve upon the browser's API can, however, help you get everything set with less fussy string manipulation.

Internet Explorer Cookies With Path In Current Path Aren't Available In document.cookie

For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths is variable and uses cookies as part of that variability; I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com, set up in my hosts file) at the following locations, I received the following results:
Visiting http://test.test.com/one, the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visiting http://test.test.com/one/, the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visiting http://test.test.com/one/two, the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visiting http://test.test.com/one/two/, the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visiting http://test.test.com/one/two/three, the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visiting http://test.test.com/one/two/three/, the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which due to my constraints I cannot do).
If you are running into a similar issue, there are a couple of things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path either at the root (path=/)
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path, you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that).
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine, you could just move to another storage mechanism instead of cookies. There are other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: this only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.

Deleting a cookie using Javascript

If I set a cookie using the code
var a = 'jn=900; expires=Fri, 27 Jul 2013 02:47:11 UTC; path=/';
document.cookie = a;
Then it is sure that document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC; path=/'; will delete the cookie.
Is it necessary to set all the properties used to set the cookie for deleting the cookie?
I.e., is document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC;' enough for deleting the cookie shown above, or should I also specify the path as used to set the cookie?
Assume that the cookie is accessible in the page where I'm deleting the cookie.
Also is it possible to delete a cookie set by PHP using Javascript?
It is a good practice to set the path to avoid issues like cookies set by mistake on a different domain (www.domain.com instead of domain.com).
Regarding the second question, the answer is yes, you can use Javascript to access and delete cookies created by PHP if they are not marked as HttpOnly.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
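The three questions above about deleting from script (the HttpOnly one, "Cookie's expires property cannot be inspected", and "Deleting a cookie using Javascript") all come down to the browser's cookie storage rules. As an added example (not code from any of the posts), the block below models those rules from RFC 6265 (the storage model in section 5.3, default-path and path-match in section 5.1.4) and replays each question against the model: script cannot overwrite or expire an HttpOnly cookie, the document.cookie getter returns name=value pairs and nothing else, and a deletion without a Path attribute targets the page's default path rather than the path the cookie was stored under. Hosts, values and the "current time" are constructed for the example.

```javascript
// Added example, not code from any post above: a model of the browser cookie
// store following RFC 6265 (storage model 5.3, path rules 5.1.4), used to show
// why the deletions in these questions succeed or fail. Hosts, values and
// timestamps below are constructed for the example.

// Default-Path from the request path: everything up to the last "/", or "/".
function defaultPath(reqPath) {
  if (!reqPath.startsWith("/")) return "/";
  const i = reqPath.lastIndexOf("/");
  return i === 0 ? "/" : reqPath.slice(0, i);
}

// Path-match: equal, or the cookie path is a prefix ending in "/" or followed by "/".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

// Host-only cookies match their host exactly; Domain cookies match subdomains too.
function domainMatches(host, c) {
  host = host.toLowerCase();
  return c.hostOnly ? host === c.domain : host === c.domain || host.endsWith("." + c.domain);
}

class CookieStore {
  constructor() { this.cookies = []; }

  // Store, replace or drop a cookie. viaHttp=true models a Set-Cookie header,
  // viaHttp=false a document.cookie write. Returns false when the write is refused.
  set(cookieString, { viaHttp, host, path, now }) {
    const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: defaultPath(path),
                domain: host.toLowerCase(), hostOnly: true, httpOnly: false, expires: Infinity };
    let maxAgeSeen = false;
    for (const a of attrs) {
      const i = a.indexOf("=");
      const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
      const v = i < 0 ? "" : a.slice(i + 1);
      if (k === "path" && v.startsWith("/")) c.path = v;
      else if (k === "domain") { c.domain = v.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
      else if (k === "httponly") c.httpOnly = true;
      else if (k === "max-age") { c.expires = now + Number(v) * 1000; maxAgeSeen = true; }
      else if (k === "expires" && !maxAgeSeen) c.expires = Date.parse(v); // Max-Age wins over Expires
    }
    if (!viaHttp && c.httpOnly) return false;          // script cannot create HttpOnly cookies...
    const idx = this.cookies.findIndex((o) => o.name === c.name && o.domain === c.domain && o.path === c.path);
    if (idx >= 0 && !viaHttp && this.cookies[idx].httpOnly) return false; // ...nor replace or expire one
    if (idx >= 0) this.cookies.splice(idx, 1);
    if (c.expires > now) this.cookies.push(c);          // an already-expired cookie is dropped: that is "deletion"
    return true;
  }

  // document.cookie getter: matching, non-HttpOnly, unexpired cookies as name=value only.
  documentCookie({ host, path, now }) {
    return this.cookies
      .filter((c) => !c.httpOnly && c.expires > now && domainMatches(host, c) && pathMatches(path, c.path))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

const NOW = Date.parse("2012-01-01T00:00:00Z"); // constructed "current time" for the scenarios

// First question: an HttpOnly session cookie survives document.cookie but not a Set-Cookie response.
function httpOnlyScenario() {
  const s = new CookieStore(), ctx = { host: "app.mydomain.com", path: "/", now: NOW };
  s.set("MyCookie=abc; Path=/; Domain=mydomain.com; HttpOnly", { viaHttp: true, ...ctx });
  const scriptAccepted = s.set("MyCookie=; max-age=-1; path=/;domain=mydomain.com", { viaHttp: false, ...ctx });
  const afterScript = s.cookies.length;
  s.set("MyCookie=deleted; path=/; domain=mydomain.com; expires=Thu, 01 Jan 1970 00:00:00 GMT", { viaHttp: true, ...ctx });
  return { scriptAccepted, afterScript, afterServer: s.cookies.length };
}

// "expires cannot be inspected": the attribute is stored, but the getter never shows it.
function expiresScenario() {
  const s = new CookieStore(), ctx = { host: "example.test", path: "/", now: NOW };
  s.set("cookie1=hans; expires=Fri, 03 May 2020 11:00:00 GMT;", { viaHttp: false, ...ctx });
  return { shown: s.documentCookie(ctx), storedExpires: s.cookies[0].expires };
}

// "Deleting a cookie using Javascript": without Path, the deletion targets the
// page's default path ("/app"), so the cookie stored at "/" is untouched from /app/page.
function pathScenario() {
  const s = new CookieStore(), host = "example.test", page = "/app/page";
  s.set("jn=900; expires=Fri, 27 Jul 2013 02:47:11 GMT; path=/", { viaHttp: false, host, path: "/", now: NOW });
  s.set("jn=900; expires=Fri, 27 Jul 1999 02:47:11 GMT;", { viaHttp: false, host, path: page, now: NOW });
  const withoutPath = s.documentCookie({ host, path: page, now: NOW });
  s.set("jn=900; expires=Fri, 27 Jul 1999 02:47:11 GMT; path=/", { viaHttp: false, host, path: page, now: NOW });
  return { withoutPath, withPath: s.documentCookie({ host, path: page, now: NOW }) };
}
```

`httpOnlyScenario()` returns `{ scriptAccepted: false, afterScript: 1, afterServer: 0 }`, `expiresScenario().shown` is just `"cookie1=hans"` even though the store holds the expiry, and `pathScenario()` returns `{ withoutPath: "jn=900", withPath: "" }`: the deletion only takes effect once its Path matches the one the cookie was stored with, which is why the answer above recommends always setting it.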
