If I set a cookie using the code
var a = 'jn=900; expires=Fri, 27 Jul 2013 02:47:11 UTC; path=/';
document.cookie = a;
Then it is sure that document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC; path=/'; will delete the cookie.
Is it necessary to set all the properties used to set the cookie for deleting the cookie?
I.e., whether document.cookie = 'jn=900; expires=Fri, 27 Jul 1999 02:47:11 UTC;' is enough for deleting the cookie shown above, or should I also specify the path as used to set the cookie?
Assume that the cookie is accessible in the page where I'm deleting the cookie.
Also, is it possible to delete a cookie set by PHP using JavaScript?
It is a good practice to set the path to avoid issues like cookies set by mistake on a different domain (www.domain.com instead of domain.com).
Regarding the second question, the answer is yes, you can use JavaScript to access and delete cookies created by PHP if they are not marked as HttpOnly.
The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie
What is the difference between deleting cookies via the browser, e.g. by using this little menu in Edge:
and setting max-age to -1 via JavaScript, e.g. with code like this:
document.cookie = "MyCookie=; max-age=-1; path=/;domain=mydomain.com"
The context: I'm using some internal service in a company which should log a user out, but it requires me to remove cookies first. When using the former method (manual removal) it works, when using JavaScript it doesn't. I've tried various combinations of paths, domains, max-age or expiration dates.
Deleting a cookie from the browser via settings or Dev tools will remove all cookies (including "HTTP only" cookies), while document.cookie cannot delete "HTTP only" cookies.
If a cookie is set with the "HTTP Only" flag, it cannot be accessed by JavaScript. In your case, your session cookie might have the "HTTP only" flag; that's why it's not getting deleted when you try to delete it with document.cookie.
You can view this from your browser Dev tools (while you are logged in). To remove an HTTP only cookie, you can update its value and expiry via an HTTP response (similar to how you set the cookie in the first place):
Set-Cookie: MyCookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
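An added example for the first question (does the path have to match?) and for this answer (why document.cookie cannot remove an HttpOnly cookie, while a Set-Cookie header can). It is not code from any post above but a small model of the RFC 6265 storage rules; the page paths and cookie names used in it are constructed.

```javascript
// Minimal model of the RFC 6265 rules that decide whether a cookie write
// deletes an existing cookie. Cookies are keyed by (name, path); "deleting"
// is storing an already-expired cookie under the same key.
const EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT';

// RFC 6265 5.1.4: without a Path attribute the cookie gets the request path
// up to, but not including, its right-most '/'.
function defaultPath(requestPath) {
  const i = requestPath.lastIndexOf('/');
  return requestPath.startsWith('/') && i > 0 ? requestPath.slice(0, i) : '/';
}

function parseCookieString(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    if (k.toLowerCase() === 'path') c.path = v;
    else if (k.toLowerCase() === 'expires') c.expires = new Date(v).getTime();
    else if (k.toLowerCase() === 'httponly') c.httpOnly = true;
  }
  return c;
}

class CookieJar {
  constructor() { this.store = new Map(); }
  // fromHttp=true models a Set-Cookie header, false models document.cookie.
  set(str, requestPath, fromHttp, now = Date.now()) {
    const c = parseCookieString(str);
    if (c.path === undefined) c.path = defaultPath(requestPath);
    const key = `${c.name};${c.path}`;
    const old = this.store.get(key);
    // RFC 6265 5.3: script may neither create nor replace an HttpOnly cookie.
    if (!fromHttp && (c.httpOnly || (old && old.httpOnly))) return false;
    if (c.expires !== undefined && c.expires <= now) this.store.delete(key);
    else this.store.set(key, c);
    return true;
  }
  has(name) { return [...this.store.values()].some((c) => c.name === name); }
}

// Set a cookie server-side from `page`, then attempt the deletion string either
// via document.cookie (default) or via a Set-Cookie response (viaHttp=true).
function deletionWorks(page, setStr, delStr, viaHttp = false) {
  const jar = new CookieJar();
  jar.set(setStr, page, true);
  jar.set(delStr, page, viaHttp);
  return !jar.has(parseCookieString(setStr).name);
}
```

From a page at /account/settings, a deletion string without `path=/` lands on (jn, /account) and leaves the original (jn, /) cookie alive; only from a page directly under / does the default path happen to match.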
I create a cookie within a subdomain (new.domain.com), however I need to clear this cookie on another sub-domain, as this is simply a login token which needs to be accessible across multiple sub-domains.
document.cookie = 'token=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; domain=.domain.com';
However, the above code simply won't delete this cookie, which is being run from, let's say, old.domain.com.
A cookie cannot be deleted with client-side code when the HttpOnly flag is used.
Quoting from docs:
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
So in order to be able to remove it, the aforementioned flag should not be set when the cookie is created.
Is it possible to store a JS cookie for the current domain including subdomains?
e.g.:
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/;secure" sets a cookie for the current domain but does not add a dot to the domain name.
I know that it is possible to specify the domain via domain=.example.com but I do not want to hardcode the domain name.
I tried something like this but it did not work out:
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/;secure;domain=."
Update:
I know you can get the current domain with window.location.hostname, but is there a solution where I do not need to get the domain name programmatically?
UPDATE 2:
As described here: What does the dot prefix in the cookie domain mean?
The leading dot means that the cookie is valid for subdomains as well; nevertheless recent HTTP specifications (RFC 6265) changed this rule so modern browsers should not care about the leading dot. The dot may be needed by old browsers implementing the deprecated RFC 2109.
This means that it does not make a difference if you use a dot before the domain name in modern browsers. That said, you can leave the domain section of the JS cookie blank and it is set to the current domain (which also matches subdomains)
Possible solution:
var domainName = window.location.hostname;
document.cookie = "key=value; expires=Tue, 16 Apr 2019 11:31:56 GMT; path=/; secure; domain=." + domainName;
I try to set a cookie in the browser (here Chrome ver. 41.xxx) using the debugger's console:
> document.cookie = 'cookie1=hans; expires=Fri, 03 May 2020 11:00:00 GMT;'
Then, I inspect the .cookie property:
> document.cookie
> "cookie1=Hans"
Surprisingly, no expires section! Fiddler also reports the same when I refresh the page:
These are enough for me to believe that expires property is not set.
But I am more surprised when I see the cookie's expiry using the EditThisCookie extension:
I tried to set the cookie using JavaScript in my code and got exactly the same result!
Question: How can I make sure that the expires property of the cookie is set?
When reading from cookies, you will only be given the value of cookies which are valid for the current host, path, security setup, and time. Short of using a special browser add-on or browsing the file system (neither of which you can do from your own code), there is no way to get this info about a cookie. If it's there, it's not expired. That's just the way the cookie "API" was written.
In response to "How can I make sure that the expires property of the cookie is set?" - if you pass it, it's set. Using a cookie library to improve upon the browser's API can, however, help you get everything set with less fussy string manipulation.
I am trying both in JavaScript and in PHP to set cookies that will work cross-domain.
In PHP:
ini_set('session.cookie_domain', '.example.com' );
session_set_cookie_params(60*60,"/",".example.com",false,false);
In JavaScript:
document.cookie = 'coo=21c4o2fnb2et aqj256; expires=Sun Feb 01 2015 23:40:16 GMT-0500 (EST); path=/;Domain=.example.com;'
In .htaccess:
php_value session.cookie_domain .example.com
In php.ini:
session.cookie_domain = ".example.com"
In the PHP response, I get:
PHPSESSID=togp8kh3ehst2iuf4t3egll7p0; expires=Sun, 02-Nov-2014 04:43:25 GMT; path=/; domain=.example.com
So, the PHP response looks good to me, but the browser stores no cookies, for both the JavaScript and the PHP. Cookies do work on a single subdomain, but this site is now requesting cookie-required data from a different subdomain, so I'd like to get the cookies to work for the entire domain.
I think this answers your (duplicated) question:
Share cookie between subdomain and domain
The trick is setting the cookie with the highest domain possible, which would be example.com, not .example.com (which is not even valid).
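An added example, not from any of the posts above, covering the three subdomain questions (deleting from old.domain.com a cookie set by new.domain.com, the leading dot, and the .example.com setup): the RFC 6265 Domain rules a browser applies when storing a cookie and when deciding which hosts it is sent to. The host names used are constructed.

```javascript
// RFC 6265 5.2.3: a leading dot in the Domain attribute is ignored, so
// ".example.com" and "example.com" describe the same scope. 5.1.3: a host
// domain-matches a value when it equals it or ends with "." + value (an IP
// address never matches a parent). A cookie set without a Domain attribute
// is host-only: it is sent to the exact setting host only, not to subdomains.
function normalizeDomain(attr) {
  const d = attr.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIp && host.endsWith('.' + domain);
}

// Scope a browser records for a cookie set from settingHost with the given
// Domain attribute (undefined = attribute absent). Returns null when the
// browser would reject the cookie. The public-suffix rejection of 5.3
// (e.g. Domain=com) is omitted here.
function cookieScope(settingHost, domainAttr) {
  if (domainAttr === undefined || domainAttr.trim() === '') {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = normalizeDomain(domainAttr);
  if (!domainMatches(settingHost, domain)) return null; // 5.3: setter must match
  return { domain, hostOnly: false };
}

// Is the stored cookie sent to (hence readable and deletable from) requestHost?
function cookieSentTo(scope, requestHost) {
  if (!scope) return false;
  const host = requestHost.toLowerCase();
  return scope.hostOnly ? host === scope.domain : domainMatches(host, scope.domain);
}

// Set from one host with a Domain attribute, check visibility from another.
function visibleFrom(settingHost, domainAttr, requestHost) {
  return cookieSentTo(cookieScope(settingHost, domainAttr), requestHost);
}
```

A deletion string sent from old.domain.com can only reach the token cookie if the cookie was originally stored with a Domain scope covering both hosts; a host-only cookie set by new.domain.com is invisible there regardless of the deletion string (and an HttpOnly cookie stays out of reach of document.cookie either way).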