Javascript set cookie for current domain including subdomains - javascript

Is it possible to store a JS cookie for the current domain, including subdomains?
e.g.:
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/;secure" sets a cookie for the current domain but does not add a dot to the domain name.
I know that it is possible to specify the domain via domain=.example.com but I do not want to hardcode the domain name.
I tried something like this but it did not work out:
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/;secure;domain=."
Update:
I know you can get the current domain with window.location.hostname, but is there a solution where I do not need to get the domain name programmatically?
UPDATE 2:
As described here: What does the dot prefix in the cookie domain mean?
The leading dot means that the cookie is valid for subdomains as well; nevertheless, recent HTTP specifications (RFC 6265) changed this rule, so modern browsers should not care about the leading dot. The dot may be needed by old browsers implementing the deprecated RFC 2109.
This means that it does not make a difference if you use a dot before the domain name in modern browsers. That said, you can leave the domain section of the JS cookie blank and it is set to the current domain (which also matches subdomains)

Possible solution:
var domainName = window.location.hostname;
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/; secure; domain=." + domainName;
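How a user agent following RFC 6265 scopes a cookie for the Domain forms discussed above (omitted, bare, dot-prefixed, and built from window.location.hostname), as an added example that is not part of the original posts: an omitted Domain is stored host-only, while a bare or dot-prefixed Domain also covers subdomains of that name. The function names and hosts are assumptions made for illustration, and the public-suffix check that browsers also apply is not modelled.

```javascript
// Added example: cookie scoping per RFC 6265, modelled as pure functions.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// Section 5.1.3 domain-match: identical, or a suffix on a label boundary.
function domainMatch(host, domain) {
  return host === domain || (host.endsWith("." + domain) && !isIp(host));
}

// Sections 5.2.3 and 5.3: how the Domain attribute becomes stored state.
function storeCookie(setterHost, domainAttr) {
  const host = setterHost.toLowerCase();
  let domain = (domainAttr || "").trim().toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is dropped
  if (domain === "") return { domain: host, hostOnly: true }; // no Domain: host-only
  if (!domainMatch(host, domain)) return null; // foreign domain: cookie ignored
  return { domain, hostOnly: false };
}

// Section 5.4: would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Hosts (out of probeHosts) that receive the cookie, or null if it is rejected.
function scope(setterHost, domainAttr, probeHosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  return cookie ? probeHosts.filter((h) => isSentTo(cookie, h)) : null;
}

// Constructed hosts for illustration.
const hosts = ["example.com", "shop.example.com", "api.example.com", "badexample.com"];
console.log(scope("example.com", undefined, hosts));       // Domain omitted
console.log(scope("example.com", "example.com", hosts));   // bare domain
console.log(scope("example.com", ".example.com", hosts));  // dot-prefixed
// "." + window.location.hostname evaluated on shop.example.com:
console.log(scope("shop.example.com", ".shop.example.com", hosts));
console.log(scope("shop.example.com", "other.test", hosts)); // rejected
```

Built from window.location.hostname on a subdomain, the Domain value covers that subdomain and its children only, not sibling subdomains or the parent.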

Related

Delete sub-domain cookie, which was set by a sub-domain

I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However, the above code simply won't delete this cookie, which is being run from, let's say, (old.domain.com).
A cookie cannot be deleted with client-side code when the HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.

Why can I not set cross-subdomain cookies via javascript or php?

I am trying both in javascript and in php to set cookies that will work cross-domain.
In PHP:
ini_set('session.cookie_domain', '.example.com' );
session_set_cookie_params(60*60,"/",".example.com",false,false);
In JavaScript:
document.cookie = 'coo=21c4o2fnb2et aqj256; expires=Sun Feb 01 2015 23:40:16 GMT-0500 (EST); path=/;Domain=.example.com;'
In .htaccess:
php_value session.cookie_domain .example.com
In php.ini:
session.cookie_domain = ".example.com"
In the PHP response, I get:
PHPSESSID=togp8kh3ehst2iuf4t3egll7p0; expires=Sun, 02-Nov-2014 04:43:25 GMT; path=/; domain=.example.com
So, the php response looks good to me, but the browser stores no cookies, for both the javascript and the php. Cookies do work on a single subdomain, but this site is now requesting cookie-required data from a different subdomain, so I'd like to get the cookies to work for the entire domain.
I think this answers your (duplicated) question:
Share cookie between subdomain and domain
The trick is in setting the cookie with the highest domain possible, which would be example.com, not .example.com (which is not even valid)

Deleting a cookie using Javascript

If I set a cookie using the code
var a = 'jn=900; expires=Fri, 27 Jul 2013 02:47:11 UTC; path=/';
document.cookie = a;
Then it is sure that document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC; path=/'; will delete the cookie.
Is it necessary to set all the properties used to set the cookie for deleting the cookie?
I.e., whether document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC;' is enough for deleting the cookie shown above, or should I also specify the path as used to set the cookie?
Assume that the cookie is accessible in the page I'm deleting the cookie.
Also is it possible to delete a cookie set by PHP using Javascript?
It is a good practice to set the path to avoid issues like cookies set by mistake on a different domain (www.domain.com instead of domain.com).
Regarding the second question, the answer is yes, you can use Javascript to access and delete cookies created by PHP if they are not marked as HttpOnly.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
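Cookie deletion as discussed in the two deletion threads above (the cross-subdomain token and the jn cookie), as an added example that is not part of the original posts: an expiring write only removes the cookie whose name, domain and path all match, and a script write cannot touch an HttpOnly cookie. CookieJar, its methods and the hosts are hypothetical, and the check that the writing host domain-matches the Domain attribute is not modelled.

```javascript
// Added example: a minimal cookie store keyed by (name, domain, path), the
// identity RFC 6265 section 5.3 uses when a cookie is replaced or expired.
function defaultPath(uriPath) { // RFC 6265 section 5.1.4
  const last = uriPath.lastIndexOf("/");
  return !uriPath.startsWith("/") || last === 0 ? "/" : uriPath.slice(0, last);
}

// Assumes the string starts with name=value, as every cookie on this page does.
function parseCookie(cookieString) {
  const [pair, ...rest] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // page = { host, path } of the document or response performing the write.
  // fromScript = true models a document.cookie assignment (a non-HTTP API).
  // Returns true when the jar changed, false when the write had no effect.
  set(page, cookieString, fromScript, now = new Date()) {
    const { name, value, attrs } = parseCookie(cookieString);
    const domain = (attrs.domain || page.host).replace(/^\./, "").toLowerCase();
    const path = (attrs.path || "").startsWith("/") ? attrs.path : defaultPath(page.path);
    const key = [name, domain, path].join("|");
    const existing = this.cookies.get(key);
    // Scripts can neither create HttpOnly cookies nor overwrite existing ones.
    if (fromScript && ("httponly" in attrs || (existing && existing.httpOnly))) return false;
    // An expiry in the past removes the exactly matching cookie, nothing else.
    if (attrs.expires && new Date(attrs.expires) <= now) return this.cookies.delete(key);
    this.cookies.set(key, { value, httpOnly: "httponly" in attrs });
    return true;
  }

  names() { return [...this.cookies.keys()]; }
}

// Constructed demo: set on one subdomain, expire from another without Domain.
const demoJar = new CookieJar();
demoJar.set({ host: "new.example.com", path: "/" }, "token=abc; path=/; domain=.example.com", true);
demoJar.set({ host: "old.example.com", path: "/" },
  "token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/", true);
console.log(demoJar.names()); // the token for example.com is still stored
```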

document.cookie is empty, however there are some cookies on this site

I try to clean cookies from http://ya.ru (Firebug shows some cookies on this site), but document.cookie is empty.
Why?
The cookies being set on ya.ru are invalid. From the headers:
Set-Cookie:S=; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
S=; domain=.ya.ru; path=/; expires=Thu, 12-Apr-2001 18:01:31 GMT
That means that the cookie S is being set to blank (and once on a potentially invalid domain .ya.ru)
and from kiss.ya.ru:
Cookie:yandexuid=740707471300761151; fuid01=4d880a3f046a3adb.XAGDFwCcblJ88BiI0-dizIwYqqeFGNCvuzmuswZQjSzBOiQsoOPEvCh0rUsbgtkecV63gqRK6ya5qdTjR-LlwdBAsop6Em9vXP6vlBLZgLZQolx7uVPD4Qw_PPWCapoE
yandexuid=740707471300761151; fuid01=4d880a3f046a3adb.XAGDFwCcblJ88BiI0-dizIwYqqeFGNCvuzmuswZQjSzBOiQsoOPEvCh0rUsbgtkecV63gqRK6ya5qdTjR-LlwdBAsop6Em9vXP6vlBLZgLZQolx7uVPD4Qw_PPWCapoE
Since the site is running on ya.ru, you can't read the kiss.ya.ru cookies due to security issues.
Probably a security thing. If the JavaScript has been loaded from a host or path different than the one set for the cookie, the cookie's invisible.

Subdomain cookie sent in request Cookie header, but not present in IE JavaScript's document.cookie

I'm having a strange problem with cookies which are being sent and received properly but are inaccessible to JavaScript on Internet Explorer. Chrome, Firefox, Opera, and Safari JavaScript is fine.
Post to "http://wp.abc.example.com/content/sv2.cgi?id=1234", response sets cookies, issues 302 redirect:
HTTP/1.0 302 Moved Temporarily
Location: http://members.abc.example.com/abc/members/0912/07/news01.html
Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Browser requests target page, including the cookies just sent.
GET /abc/members/0912/07/news01.html HTTP/1.1
Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; LEADENDDATE=20091218;
Host: members.abc.example.com
Run "javascript:alert(document.cookie);" in the browser address bar.
On IE, and IE only, the cookies aren't there. Other browsers are fine. This is true for IE6, 7, and 8.
So in summary,
The "wp.abc.example.com" sets a cookie on "abc.example.com", which is sent to the server in requests on "members.abc.example.com", but not visible to JavaScript on that page.
Why?
I thought maybe instead of "abc.example.com" the cookie should be set on ".abc.example.com" to allow subdomain matching, but even so it's being sent in the "members.abc.example.com" request header.
Basically it's acting as though "HttpOnly" is set on the cookie, even though from the Set-Cookie header example shown above, that flag is not included. Does the extra ";" maybe have some effect?
Eric Law wrote up a good article on IE's various cookie-handling quirks a while back. One of the questions he answers appears as though it may apply to your scenario:
Q8: Are there any limits to the HTML DOM document.cookie property?
A: [...]
Also, due to an obscure bug in the underlying WinINET InternetGetCookie implementation, IE’s document.cookie will not return a cookie if it was set with a path attribute containing a filename.
[...]
Note that your paths do include filenames:
Set-Cookie: AID=1495763b4fc6d5f4290e2074ab1092f7; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
Set-Cookie: LEADENDDATE=20091218; expires=Tue Feb 16 09:33:03 2010 GMT; path=/abc/members/0912/07/news01.html; domain=abc.example.com; ;
I suggest you try setting the cookies with filename-free paths, and see if that doesn't help...
