I am dealing with third-party JavaScript code that sets a cookie through document.cookie= but without using the key=value format; instead of doing document.cookie="mykey=myvalue" it does document.cookie="10254/1/19,20,/0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,//20".
This leads to an issue in my server-side code, as Chrome and Firefox send this to my server as a cookie without name and with value "10254/1/19,20,/0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,//20". Safari sends a series of cookies without values and with names "10254/1//0,//-1", "10254/1//0,1,//-1", "10254/1//0,1,2,//-1", etc.
Is it legal to set a cookie without the format key=value? I've read https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1 and seen cookie-pair = cookie-name "=" cookie-value but it is not clear to me whether = is mandatory. I think it is, I would just like a confirmation.
Answering myself: cookies without = should be ignored by the user agent. From http://trac.tools.ietf.org/wg/httpstate/trac/ticket/1
Per discussion on the mailing list and at IETF77, I've removed nameless cookies from the draft. Cookies without names (either because they lack a "=" or because "=" occurs as the first character of the set-cookie-string") are now ignored by the user agent.
But in practice browsers do send cookies whose name-value-pair does not contain =. They do not have the same behavior though: for instance if I set a cookie with document.cookie="foo", Safari will send to the server a cookie with name "foo" and a blank value, while Chrome will send a cookie with a blank name and the value "foo".
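A server-side way to cope with the nameless cookies described above, as an added example that is not part of the original post: parse the Cookie request header strictly and set aside every pair that is not name=value. It assumes a nameless cookie reaches the server either as a pair with no "=" or as a pair starting with "="; the function and constant names are hypothetical.

```javascript
// Added example (not from the original post): strict server-side parsing of a
// Cookie request header that sets aside pairs that are not name=value.

// Constructed sample header. The two nameless pairs reuse values quoted in the
// question; the JSESSIONID and theme values are made up.
const SAMPLE_HEADER =
  'JSESSIONID=abc123; 10254/1//0,1,//-1; =10254/1/19,20,; theme=dark';

function parseCookieHeader(header) {
  const cookies = new Map(); // name -> first value seen
  const rejected = [];       // raw pairs with no usable name
  for (const raw of String(header || '').split(';')) {
    const pair = raw.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    // eq === -1: no "=" at all; eq === 0: "=" is the first character.
    // Both are the nameless cases the httpstate ticket says are ignored.
    if (eq <= 0) {
      rejected.push(pair);
      continue;
    }
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (!cookies.has(name)) cookies.set(name, value);
  }
  return { cookies, rejected };
}

const parsed = parseCookieHeader(SAMPLE_HEADER);
console.log([...parsed.cookies], parsed.rejected);
```

Splitting only on ";" keeps the commas and slashes inside the third-party value intact, and the rejected list can be logged to see which browsers send nameless pairs.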
Related
After clearing my browser history when I go to this URL: http://indianvisa-bangladesh.nic.in/visa/index.html
then I click on "Get Appointment" green link which takes us to http://indianvisa-bangladesh.nic.in/visa/Appointment_Login.jsp
Here it sets a JSESSIONID cookie. I can see this cookie in both Firefox/Chrome developer tools but can't access it using document.cookie in console.
When I type document.cookie; it shows empty string.
How do I print it?
Edit: Also this JSESSIONID cookie has Path value of "/visa"
The reason you can't read this cookie is that it is an HTTPOnly cookie. If you are the developer, you can easily set it to false in your code when you are creating it; otherwise you can't get it using JavaScript. This is specifically a feature rather than a bug, provided by all major browsers.
See below for HTTP flag
More references: SOQuestion1, SOQuestion2, SOQuestion3
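To check from a captured response header why a cookie is missing from document.cookie, the following added example (not code from the answer above) parses one Set-Cookie line and reports whether page script could read it, looking at HttpOnly and at RFC 6265 path matching. The sample JSESSIONID value and the function names are made up; a missing Path attribute is assumed to mean "/".

```javascript
// Added example: would a cookie from this Set-Cookie line appear in
// document.cookie on a page with the given path?

function parseSetCookie(line) {
  const parts = line.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    httpOnly: false,
    // No Path attribute: browsers derive a default from the request URL.
    // This example assumes "/" in that case.
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path-match: a plain prefix is not enough, the match
// must end on a "/" boundary ("/visa" must not match "/visafoo").
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function scriptVisibility(setCookieLine, pagePath) {
  const c = parseSetCookie(setCookieLine);
  if (c.httpOnly) return { name: c.name, visible: false, reason: 'HttpOnly' };
  if (!pathMatches(c.path, pagePath)) return { name: c.name, visible: false, reason: 'Path' };
  return { name: c.name, visible: true, reason: null };
}

// Constructed header modelled on the question: JSESSIONID with Path=/visa.
const SAMPLE_SET_COOKIE = 'JSESSIONID=0123456789ABCDEF; Path=/visa; HttpOnly';
console.log(scriptVisibility(SAMPLE_SET_COOKIE, '/visa/Appointment_Login.jsp'));
```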
I just noticed that when I setcookie('foo','a@b.com',...) in PHP and read it out in document.cookie in Javascript, the read-out value is 'a%40b.com'
In the PHP documentation:
Note that the value portion of the cookie will automatically be urlencoded when you send the cookie, and when it is received, it is automatically decoded and assigned to a variable by the same name as the cookie name. If you don't want this, you can use setrawcookie() instead if you are using PHP 5.
Seems like PHP is doing this as a matter of its own policy, but Javascript (in Firefox) isn't playing the same game.
The data in question is unsanitised user input, so it should be encoded one way or another, for security and sanity purposes. Thing is, if I make Javascript use decodeURIComponent but then if the cookie is set by some other code/language/circumstance which doesn't have a policy of urlencoding the value, then the decoding stage might yield an incorrect value.
I'd rather not hunt down every cookie-setting bit of code now and forever and consider manually normalising the encoding policy on each of them.
Is Javascript doing The Right Thing here? To what extent is this behaviour guaranteed? Can I set an HTTP header or something which will inform browsers of the cookie encoding scheme? Is there a fix-once-and-for-all solution for this?
There is a drop-down on a page of the web site (the user has access to this page only if he/she is authenticated) and I want to save its value to cookies and set it back on the drop-down when the user gets back to my site.
It is not a problem to save the currently selected drop-down option value to a cookie and retrieve it later. But I faced a problem if another user logs in from the same browser. It gets from the cookies the value that was saved by the previous user.
So what is a good way to separate cookies for different users of the same browser? I was thinking about creating a cookie with a name like 'username-dropdown' but I have some doubts that it is the best solution.
I use Java with Tomcat 8.
I'm going to take a guess here that you don't need this information sent to your server with each and every HTTP request; you just need to store the information client-side (and you can send it to the server as necessary via ajax).
If so, I'd use local storage, not cookies. And sure, using the username or user ID or some such is reasonable:
// Setting:
localStorage.setItem(username + "-dropdown", value);
// Getting:
var value = localStorage.getItem(username + "-dropdown");
Or you can use brackets notation:
// Setting:
localStorage[username + "-dropdown"] = value;
// Getting:
var value = localStorage[username + "-dropdown"];
Pretty much the only reason not to use brackets notation is if you need to polyfill local storage on older browsers (there are polyfills that fall back to cookies for you), but local storage is supported on all modern browsers, and also IE8, so those browsers really are very out of date at this point.
I am observing, on both Firefox and IE, that if I have a cookie 'x' on the domain a.b.c.com, and also have a cookie with the same name 'x' on domain a.b.com, then when I look at the value of document.cookie on the a.b.c.com domain, it shows both cookies. I would like to see just the cookie from the a.b.c.com domain, and not the one from the other domain. (I'm assuming this occurs because one domain is the same as the other one, with an additional segment on the hostname.) Is there a way to do this?
I don't have control over the contents of the cookie, and I don't see anything obvious in those contents that distinguishes one domain from the other.
You don't have access to the domain of the cookie in Javascript.
"When [the cookie] attribute is read, all cookies are returned as a single string, with each cookie's name-value pair concatenated into a list of name-value pairs, each list item being separated by a ';' (semicolon)."
W3C
When you read a cookie, you only have access to the name/value pairs, and cannot determine any other information about it. If you require things such as when it was set, what domains it was set for, or anything else, you have to store it inside the cookie value.
Since you cannot set the cookies, you need another method to do what you're attempting.
How can I get the latest cookie sent from a domain?
e.g.:
cookies
1 - ABC
2 - ABC123
3 - ABC456
These 3 cookies have been sent from a domain; how do I find which one is the latest one?
Thanks.
From Wikipedia:
Beside the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections. RFC 2965 also specifies that cookies must have a mandatory version number, but this is usually omitted.
So you can:
Check the version number, if there is one
Check the expiration date, assuming it's being set based on current time + some amount
As far as I know, that's all you can do. If you're involved in setting the cookie, you can put the information you need into one of the properties above when you set it.