I try to set a cookie in browser ( here chrome ver.41.xxx ) using debugger's console:
> document.cookie = 'cookie1=hans; expires=Fri, 03 May 2020 11:00:00 GMT;'
Then, I inspect the .cookie property:
> document.cookie
> "cookie1=Hans"
Surprisingly, no expires section! Fiddler also reports the same when I refresh the page:
These are enough for me to believe that expires property is not set.
But, I get more surprised when I see the cookie expires using EditThisCookie extension
I tried to set the cookie using JavaScript in my code and exactly the same result!
Question: How can I make sure that the expires property of the cookie is set?
When reading from cookies, you will only be given the value of cookies which are valid for the current host, path, security setup, and time. Short of using a special browser add-on or browsing the file system (neither of which you can do from your own code), there is no way to get this info about a cookie. If it's there, it's not expired. That's just the way the cookie "API" was written.
In response to "How can I make sure that the expires property of the cookie is set?" - if you pass it, it's set. Using a cookie library to improve upon the browser's API can, however, help you get everything set with less fussy string manipulation.
Related
What is the difference between deleting cookies via the browser e.g. by using this little menu in Edge :
and setting max age to -1 via Javascript, e.g. with code like this :
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context : I'm using some internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works, when using Javascript it doesn't. I've tried various combinations of paths, domains, max-age or expiration dates.
Deleting cookie from browser via settings or Dev tools will remove all cookies (including "HTTP only" cookie), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, Your session cookie might have "HTTP only" flag, that's why its not getting deleted when you are trying to delete it with document.cookie.
You can view this from your browser Dev tools (while you are logged in). To remove HTTP only cookie, you can update its value and expiry via HTTP response (similar to how you set the cookie at first place)
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
I came across a strange problem, i am setting the cookies in chrome with the help of following javaScript code. i have set the expires property for 'Name' cookie and max-age property for 'Age' cookie, but none of them are working as cookies are not removed even when the specified time is already passed away. can you please explain me why?
document.cookie = "Name=Max; expires=Tue, 22 June 2021 10:36:11";
document.cookie = "Age=31; max-age=100000";
The expiry date should be set in the UTC/GMT format. If you do not set the expiry date, the cookie will be removed when the user closes the browser.
I want to create a cookie that will not be sent to the server due to some legacy code in our app that cleared the content of the cookies upon login. To accomplish that I want to set the path of the cookie to something arbitrary.
I'm trying to set a cookie is JS using the following code:
document.cookie = "test=this is a test; Domain=mydomain.com; Path=/localcookie; Expires=Mon, 05 Apr 2021 21:02:42 GMT"
This line works fine in Firefox but is being ignored in Chrome (v80). If I remove the Path parameters or set it to "/" the cookie is created but not with the path I want.
Is this a a limitation in Chrome, a security thing, a bug or I'm doing something wrong?
For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths are variable and used cookies as part of their variability, I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com setup in my hosts file) at the following locations I received the following results:
Visit http://test.test.com/one the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visit http://test.test.com/one/ the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visit http://test.test.com/one/two the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visit http://test.test.com/one/two/ the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visit http://test.test.com/one/two/three the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visit http://test.test.com/one/two/three/ the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which due to my constraints I cannot do).
If you are running into a similar issue there's a couple things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path either at the root (path=/)
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that.
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine you could just move to another storage device instead of cookies. There's other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: This only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.
As the question says can you find out if a cookie exists within Javascript if it is a HttpOnly? I don't need to access the information inside of it, just know it has one.
A little more information on the situation is that there was originally a web server which used a cookie as an authentication token, and it was set to httponly as it was not used by the client so it added to the security.
However now there is a change needed where the client needs to know if it has the cookie (as the site can work without the user being logged in, but if they are logged in (the auth cookie would exist) the site needs to display certain things and hide others.
There are other security precautions in place on the web server so there is no harm in the scenario where the client has an incorrect auth cookie, but the site makes it look like they are logged in, as it would delete the cookie and reject the user.
You can indirectly check to see if it exists by trying to set it to a value with javascript if it can't be set, then the HTTP Only Cookie must be there (or the user is blocking cookies).
function doesHttpOnlyCookieExist(cookiename) {
var d = new Date();
d.setTime(d.getTime() + (1000));
var expires = "expires=" + d.toUTCString();
document.cookie = cookiename + "=new_value;path=/;" + expires;
return document.cookie.indexOf(cookiename + '=') == -1;
}
I had the same problem. I solved it with the server setting another cookie, not httponly, every time it refreshed the httponly session cookie, with the same max-age and no sensitive data. Now, if one of them is present, the same goes for the other, and the client can know if the httponly counterpart is there.
No. And see Rob's comments below.
See this, which you probably already saw - http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
An HttpOnly cookie is not accessible via non-HTTP methods, such as
calls via JavaScript (e.g., referencing "document.cookie")...
Edit: Removed undefined response, I wrote a script that you may not be using :)
Whenever you need to check whether the cookie exists or not, you can send a request to the server that requires authentication & check the response. If its something like 401 Unauthorized or 403 Forbidden, then the cookie probably doesn't exist & you can prompt the user for login.
On the other hand, if the cookie exists, it'll be automatically sent by the browser resulting in a 200 OK response.