I want to create a cookie that will not be sent to the server due to some legacy code in our app that cleared the content of the cookies upon login. To accomplish that I want to set the path of the cookie to something arbitrary.
I'm trying to set a cookie is JS using the following code:
document.cookie = "test=this is a test; Domain=mydomain.com; Path=/localcookie; Expires=Mon, 05 Apr 2021 21:02:42 GMT"
This line works fine in Firefox but is being ignored in Chrome (v80). If I remove the Path parameters or set it to "/" the cookie is created but not with the path I want.
Is this a a limitation in Chrome, a security thing, a bug or I'm doing something wrong?
Related
What is the difference between deleting cookies via the browser e.g. by using this little menu in Edge :
and setting max age to -1 via Javascript, e.g. with code like this :
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context : I'm using some internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works, when using Javascript it doesn't. I've tried various combinations of paths, domains, max-age or expiration dates.
Deleting cookie from browser via settings or Dev tools will remove all cookies (including "HTTP only" cookie), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, Your session cookie might have "HTTP only" flag, that's why its not getting deleted when you are trying to delete it with document.cookie.
You can view this from your browser Dev tools (while you are logged in). To remove HTTP only cookie, you can update its value and expiry via HTTP response (similar to how you set the cookie at first place)
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
I have a button to give users the option to accept cookies, and another for them to revoke the cookies.
I am using the Cookie Notice for GDPR plugin by dFactory and Google Analytics Dashboard Plugin for WordPress by MonsterInsights.
I am using Facebook Pixel via a Google Tag Manager script on my website.
When the revoke button is clicked I revoke the cookies and reload the page. All my cookies delete successfully, but when I try to revoke the _fbp cookie it persists.
Name: _fbp
Value: fb.1.1562101432060.130183292
Domain: .upperroombooks.com
Path: /
Expires/Max-Age: 2019-09-30T21:03:52.000Z
Size: 32
HTTP:
Secure:
SameSite:
I am using the following code to attempt to delete the cookie:
document.cookie = '_fbp' + '=; Path=/; Domain=.upperroom.org; Expires=Thu, 01 Jan 1970 00:00:01 GMT;';
(Again, this method works for the other cookies.)
Funny enough, when I enter this code in the dev tools console it deletes the cookie as expected.
The domain of the _fbp cookie is:
Domain: .upperroombooks.com
When you're deleting the cookie, the domain you're trying to use is:
Domain= .upperroom.org
There may be an invalid domain warning in your console alluding to this.
If you correctly set (or remove) the Domain, it should work without issue.
I don't expect this will help the OP over 2 years on but it might help someone.
I try to set a cookie in browser ( here chrome ver.41.xxx ) using debugger's console:
> document.cookie = 'cookie1=hans; expires=Fri, 03 May 2020 11:00:00 GMT;'
Then, I inspect the .cookie property:
> document.cookie
> "cookie1=Hans"
Surprisingly, no expires section! Fiddler also reports the same when I refresh the page:
These are enough for me to believe that expires property is not set.
But, I get more surprised when I see the cookie expires using EditThisCookie extension
I tried to set the cookie using JavaScript in my code and exactly the same result!
Question: How can I make sure that the expires property of the cookie is set?
When reading from cookies, you will only be given the value of cookies which are valid for the current host, path, security setup, and time. Short of using a special browser add-on or browsing the file system (neither of which you can do from your own code), there is no way to get this info about a cookie. If it's there, it's not expired. That's just the way the cookie "API" was written.
In response to "How can I make sure that the expires property of the cookie is set?" - if you pass it, it's set. Using a cookie library to improve upon the browser's API can, however, help you get everything set with less fussy string manipulation.
For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths are variable and used cookies as part of their variability, I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com setup in my hosts file) at the following locations I received the following results:
Visit http://test.test.com/one the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visit http://test.test.com/one/ the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visit http://test.test.com/one/two the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visit http://test.test.com/one/two/ the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visit http://test.test.com/one/two/three the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visit http://test.test.com/one/two/three/ the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which due to my constraints I cannot do).
If you are running into a similar issue there's a couple things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path either at the root (path=/)
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that.
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine you could just move to another storage device instead of cookies. There's other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: This only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.
I'm having a strange problem with cookies which are being sent and received properly but are inaccessible to JavaScript on Internet Explorer. Chrome, Firefox, Opera, and Safari JavaScript is fine.
Post to "http://wp.abc.example.com/content/sv2.cgi?id=1234", response sets cookies, issues 302 redirect:
HTTP/1.0 302 Moved Temporarily
Location: http://members.abc.example.com/abc/members/0912/07/news01.html
Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Browser requests target page, including the cookies just sent.
GET /abc/members/0912/07/news01.html HTTP/1.1
Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; LEADENDDATE=20091218;
Host: members.abc.example.com
Run "javascript:alert(document.cookie);" in the browser address bar.
On IE, and IE only, the cookies aren't there. Other browsers are fine. This is true for IE6, 7, and 8.
So in summary,
The "wp.abc.example.com" sets a cookie on "abc.example.com", which is sent to the server in requests on "members.abc.example.com", but not visible to JavaScript on that page.
Why?
I thought maybe instead of "abc.example.com" the cookie should be set on ".abc.example.com" to allow subdomain matching, but even so it's being sent in the "members.abc.example.com" request header.
Basically it's acting as though "HttpOnly" is set on the cookie, even though from the Set-Cookie header example shown above, that flag is not included. Does the extra ";" maybe have some effect?
Eric Law wrote up a good article on IE's various cookie-handling quirks a while back. One of the questions he answers appears as though it may apply to your scenario:
Q8: Are there any limits to the HTML DOM document.cookie property?
A: [...]
Also, due to an obscure bug in the underlying WinINET InternetGetCookie implementation, IE’s document.cookie will not return a cookie if it was set with a path attribute containing a filename.
[...]
Note that your paths do include filenames:
Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
I suggest you try setting the cookies with filename-free paths, and see if that doesn't help...