I'm currently using this to check if a cookie name exist in the browser:
document.cookie.indexOf('myCookie=')
This works if the cookie was set via PHP's setcookie() but this doesn't appear to work on PHP sessions.
E.g. if the "cookie" was set through session_start();, you can see in the browser inspector the cookie name with an expiration of "Session". I can't seem to access that session cookie name via JS. Any ideas?
To be clear: I need to check if the PHP session cookie name is present in the browser, not the session data.
It is possible to set the PHP session cookie to be available only via HTTP (i.e. not in JS) if your session.cookie_httponly PHP configuration setting is enabled. In other words, you need to disable it / set it to false for your session cookie to be accessible in JS.
You can check its value like so:
<?php
var_dump(ini_get('session.cookie_httponly'));
Generally, this setting is enabled for security reasons, so I would highly suggest questioning the necessity of doing this.
Related
I am trying to write a PoC in a website. I created a cookie storing some information in domain.com, and wish that the cookie is also available in app.domain.com/*. However the MSDN docs about domain in cookies is not very clear about this. Is that by any means possible using javascript?
document.cookie = `Code=${code.toString()}; expires= #${someDateObj}; path=/; domain=domain.com`
Expected results:
After the cookie is made available inside domain.com, when I go to anywhere inside app.domain.com/* and domain.com/* the cookie is still available for fetching.
Is it somehow possible to migrate domains from a cookie?
I have a trackingscript witch sets a cookie on the domain of the tracking script(server side, RoR backend) lets say mytracking.com.
The tracking script itself is integrated as javascript on the domain mycustomer.com.
Status quo is, every guest on the website mycustomer.com has now a cookie for the domain mytracking.com.
Can I somehow migrate the cookie domain from mytracking.com to mycustomer.com?
In your client side JavaScript, generate a unique ID. Then create an iframe with a source pointing to a script on mytracking.com and the unique ID as a parameter.
var ifrm = document.createElement('iframe');
ifrm.setAttribute('src', 'mytracking.com/storecookie.rb?uuid=<UUID>');
document.body.appendChild(ifrm);
Now the storecookie.rb script can access the cookie value on the mytracking.com domain and writes it to a database along with the UUID that you generated.
Now, in your client side JavaScript, you fetch() another script, for example mytracking.com/readcookie.rb?uuid=<UUID> that retrieves the matching cookie value from the database. With the value in your client side JS, you can simply create a new cookie with the correct domain.
Unfortunately that process is a bit convoluted, but cross-domain security prevents setting a cookie for another domain.
I recently had cookies set to a specific sub-domain (i.e. "cookie1" set to sub1.mysite.com). I then changed the code to write the same name cookie to the domain (i.e. "cookie1 set to .mysite.com). Now if I hit a page without clearing cookies, I see the two cookies with the same name but scoped differently. So my question is when on sub1.mysite.com, which cookie will be read due to two cookies existing with same name and both in scope?
Thanks,
MJ
The cookie with the most specific matching scope will be used. This allows a subdomain to override a domain-wide default cookie.
I want my PHP code to differentiate between cookies created by JavaScript (using document.cookie) and PHP (using setcookie()).
Let us suppose below pseudocode:-
<?php
$X = $_COOKIE['X'];
if($X_COOKIE_IS_SET_BY_PHP)
// ALL IS GOOD
else if($X_COOKIE_IS_SET_BY_JAVASCRIPT)
// SET A COOKIE USING PHP
?>
There is no difference. Cookies are cookies.
The only way (though highly unreliable), is to remember in the session whether you set the cookie from PHP. If not, then it might have been set from JavaScript. But like I said, this is unreliable. The cookie might have been set from PHP in an earlier session, or someone might have manually messed with the cookies.
I think the best way is to use session variables altogether. The session keeps the leading value on the server. If you need the value in JavaScript too, you can set a cookie, or add the value in a small script, but in PHP you never read back the cookie value at all, just use the session value on the server, and to reset the cookie on each request, so the client knows that value too.
Cookie isn't something stored in server side. It's a piece of data stored in the user's computer / browser. When you use setcookie() in PHP, The server sends the cookie with header which the browser stores in the user's computer (and the browser sends it back with next requests). The place that cookie is stored is the same place where document.cookie would store. Hence, after it's stored, we cannot differentiate it whether it was stored by PHP or Javascript, because no information regarding that is recorded.
I was wondering how I could retrieve a cookie that has a path specified - something like path=/foo/bar... If I use document.cookie that only retrieves me JSessionId cookie.. which I guess is the only one with path=/.
Are you trying to retrieve the cookie based on the path and not the name? It's possible to have many cookies that match a specified path. Also have a look at jQuery and the Cookie plugin. Setting and retrieving cookies is as easy as:
// get cookie
$.cookie(COOKIE_NAME)
// set cookie
$.cookie(COOKIE_NAME, 'test', { path: '/your/path', expires: 7});
http://plugins.jquery.com/project/cookie
I have figured out how to solve the problem... Just to let anyone reading this, the idea was to test one of the applications for cross site scripting attack (xss), and the cookie contained valuable information that i wanted to retrieve. The problem was that the cookie was on the other path than the web app itself. I had to access the app using /somedomain/project and the cookie had the /somedomain/project/project path set. SO I somehow had to open /somedomain/project/project url to be able to retrieve the cookie I needed. To get to that cookie I have injected an iframe element. inside that iframe element i made an ajax call. it was a dummy call to /somedomain/project/project/ just to get some information in the iframe ant to make sure iframe's document objects get created. that iframe's document object contained the cookie that i needed. After that I have made an XmlHTTPRequest call to a remote service and sent the cookie as a parameter to the remote server.