I've got a Web App that sets a cookie in it's Javascript code which subsequently gets sent to the server on all HTTP GET requests. If I open a new Tab in Chrome and access a different page on the same server the server is seeing the cookie set in the Web Apps JS code, even though the Javascript code on this new page doesn't set any cookie. What gets weirder is I can close all Browser Tabs that are open on the site and open a new one on a non-existent 404 page and I continue to see a cookie set both when I look at the server request and in the Browser using EditThisCookie.
I don't understand why I'm seeing cookies on pages other than the Web App's page.
Cookies are built to behave in these manners. While defining cookies, expiry time is also set with that. With each request the cookie is sent to the server until it is expired for that domain.
If you wish that your cookie not to sent on next browser session, you should create non-persistent cookies.
Note that cookies can be created/deleted both from client(via javascript) and server side.
You can find below link helpful.
http://www.w3.org/2001/tag/2010/09/ClientSideStorage.html
http://www.w3schools.com/js/js_cookies.asp
Related
I'm developing a page/form for a campaign inside my company. However, the first step is to check if the person is logged in. This is easily checked against a cookie - CUSTOMER - that is set once they're logged in.
However:
1) I'm developing locally, not on the same domain, and, as a result can't see that cookie
2) The final campaign may or may not end up residing on the actual domain. They may end up using a vanity URL or something.
For purposes of this, let's assume I do NOT have access to the main domain where the cookie was set.
How can I read that cookie from off the domain? Oh, and since IT folks don't let us touch the back-end grumble, it has to be a JS solution.
Thanks!
You can't.
The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script> is embedded.
By setting withCredentials you can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes to far as to explicitly ban getAllResponseHeaders from reading cookie related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header).
You can if you can install server side components.
You can use a dedicated domain to host your cookie and then share it using XSS technics
When dom1.foo.com logs in then you register a cookie on cookie.foo.com using an Ajax XSS call then when you go on dom2.foo.com you have to query cookie.foo.com with your XSS api
I' ve played with it some time ago
https://github.com/quazardous/mudoco/blob/master/mudoco/README.txt
It's just some sort of POC..
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
I am writing a single-page application with CanJS. For one of models, every time I save a new item, the application sends the normal POST request. However, there is a specific cookie that is returned in the HTTP response that I would like to send back to the server on GET requests when fetching an item.
All cookies specific to an application are passed automatically to server in request header. Make sure that the cookie which you want to send is of the same application.
This you can check by looking into the cookies of your browser. Make sure that the cookie which you want to send has Domain as your application name. Like all stackoverflow cookie will have domain value as .stackoverflow.com
You can refer to this tutorial which talks about creation and setting of cookie in JavaScript : http://www.w3schools.com/js/js_cookies.asp
I'm trying to understand the principle behind the Facebook plugins.
As I understood they set a cookie when you login, and then whenever you visit a website with their plugin installed, they are abel to recognize your userId..
I'm trying to do it on my own on a couple of different domains I have, but I don't know where to start actually...
I set a cookie TEST when I visit site1.com with a random id value
but then when i visit site2.com what should I do? I can I read the previous cookie that contains my id?
When you set a cookie in site1.com, whenever the visitor visits site1.com, the cookie would be sent to this website. There is no involvement of site2.com at all. site.com can not and should not be able to receive the cookie that was set by site1.com.
If you are designing a page such that the user visits site2.com and the web page at site2.com contains an IFRAME that loads site1.com, then the cookie that was set by site1.com earlier would be automatically sent to site1.com when it tries to load it in this IFRAME.
Also, note that these things are usually not done with JavaScript. Some sort of server side scripting such as PHP, ASP.NET, Django, etc. is used to set and read cookies sent by the client. Setting a cookie in the user's browser involves adding a 'Set-Cookie' header to the HTTP response generated by the server-side script. In PHP this can be done using setcookie(). Once the cookie is set in the browser, when the user visits the same website again before the cookie expires, the browser sends the cookie as a 'Cookie' header. The server-side script can now read this cookie. In PHP, the cookies are available in $_COOKIE variable.
I have a ColdFusion application that's behind an ISA Server. Part of the application is protected by Basic Authentication and part is not. ISA Server sets a cookie when the user logs in, but the cookie is only available for reading when I bypass ISA. So, the cookie cannot be read from the server where the application is running.
I'm trying to test whether the user's ISA session has timed out or not. I can't make any HTTP calls on the application server without affecting the session expiration time.
I thought I could read the cookie from the back-end server through a cross domain AJAX call. Unfortunately, on the back-end server the cookie is only available in a directory that is protected by Basic Authentication. Because of the Basic Authentication requirement, I can't use JSONP to check for the existence of the cookie. I also can't use a proxy script on the application server because that will change the expiration time of the cookie, which is what I'm trying to avoid.
I tried using an iFrame in my application to load a page on the back-end server, but I can't get it working with Basic Authentication. I always get the login pop-up box.
Any ideas how I can test for the existence of the cookie on the back-end server without triggering an update of the cookie expiration time on the application server?
It turns out I can access the cookie on the backend server in a directory that's not protected by Basic Authentication, so I just used JSONP and everything worked well.