Cannot delete cookies that were set in JavaScript on the server - javascript

I am trying to write PHP code to delete all of the user cookies on my domain.
Here is what I got:
<?php
$domain = 'www.example.com';
$deleteExpiration = time() - 60*60*24*365*10; // 10 years ago
foreach (array_keys($_COOKIE) as $cookie) {
setcookie($cookie, 0, $deleteExpiration, '/', $domain);
}
Running this code on http://www.example.com/delete_cookies.php deletes all cookies that were set on the server, but not cookies that were set in JavaScript.
I verified using the Firefox Cookies dialog that the problematic cookies are indeed from (path=/; domain=www.example.com). Using Live HTTP headers, I can see that the following header is sent:
Set-Cookie: CookieName=0; expires=Fri, 12-Mar-1999 19:36:15 GMT; path=/; domain=www.example.com
So I believe the setcookie command is working as expected. Firefox is just not honoring the request.
One additional thing that I noticed is that if I set a cookie with domain=www.example.com on the server, then it is listed in the Firefox cookie dialog with domain=".www.example.com", but if I set the following cookie using JavaScript code then the leading dot is not added.
What am I doing wrong? How can I delete these cookies?

I've had a similar issue and it was solved by just not passing the domain.
setcookie($cookie, '', 1, '/');
On a side note from cookie_spec "Setting the path to a higher-level value does not override other more specific path mappings. If there are multiple matches for a given cookie name, but with separate paths, all the matching cookies will be sent." So if you have same name cookies at different path locations you will have to delete each one.

Related

View cookies using JavaScript [duplicate]

I can't access any cookie from JavaScript. I need to read some value and send them via JSON for my custom checks.
I've tried to access cookies from JS, like it was described at:
http://www.w3schools.com/js/js_cookies.asp
Get cookie by name
As you can see at the code, it's seen as clear as a crystal the next:
var c_value = document.cookie;
When I'm trying to access the document.cookie value from the Chrome's web-debugger, I see only the empty string at the Watch expressions:
So I can't read cookies value, which I need.
I've checked the cookie name, which I'm sending to get an associated value IS correct.
Also, I'm using the W3Schools source code for getting cookies, if you're interested (but from the 2nd link, the technique is similar).
How can I fix my issue?
You are most likely dealing with httponly cookies. httponly is a flag you can set on cookies meaning they can not be accessed by JavaScript. This is to prevent malicious scripts stealing cookies with sensitive data or even entire sessions.
So you either have to disable the httponly flag or you need to find another way to get the data to your javascript.
By looking at your code it should be easy to disable the http only flag:
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
Now you should be able to access the cookie information from JavaScript. However I don't know exactly what kind of data you are trying to get so maybe you can go for another approach instead and for example render some data attribute on the page with the information you need instead of trying to read the cookie:
<div id="example" data-info="whatever data you are trying to retrieve"></div>
console.log(document.getElementById('example').getAttribute('data-info'));
keep an eye also to the cookie's Path attribute, as the cookie is only visible to subdirectories under Path. I had your issue and I solved setting Path "/"
I would say http only is your first culprit but this can also occur by not setting the scope of your cookie.
If the site has been redirected from another domain, you will need to look into setting the scope of the cookie. Domain and Path defines the scope of the cookie, which URLs the cookie should be sent to. Depending on this, you might not see the cookie in your response.
I ran across this issue when setting a cookie on a successful SAML SSO login and couldn't retrieve the cookie from the Document because it was never send as part of the request.
I had the same problem several times. And every time, it was for a different reason.
Different reasons:
problem of httpOnly field. It was set to false and I was trying to access it from the console. Setting it to true or accessing it from the source code did the trick.
problem of secure field. It was true and I was using only http.
problem of Expires / Max-Age. The cookie was outdated and it was not visible in document.cookie.
If your cookie is set as Set-Cookie or Set-Cookie2 it's not part of the response headers collection: http://www.w3.org/TR/XMLHttpRequest/#the-getallresponseheaders%28%29-method
Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.
If you are using some secure authentication then that case you could not access cookies directly because of secure. you have to change some response attribute in server side using below code .
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
But you should not because it may change secure to un-secure, so you have to find out solution that be done in server side to delete cookies and allow to you do some operations.
Its possible to do changes in server side.

cookie dupes to domain without dot prefix

I have this weird issue I cannot figure out, so I was hoping someone smarter than me could help!
I have a site https://example.com (no subdomain)
I have some code that sets a cookie, e.g.
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
This code runs during page load in some script tag. When the page is first loaded, I see my cookie set, and in (chrome) dev tools > Application > Domain column, I see that it is set on .example.com with a leading dot, which is fine.
But then I refresh the page, and my code runs again (and there is a new value being pushed to the cookie; dunno if that matters). I look in the Application tab and I now see a "duplicate" entry for myCookie - one on .example.com and another on example.com (no leading dot). The values are the same. This is weird to me and I do not know why this is happening. Does anybody have any possible reasons for why this can happen?
Further down this rabbit hole.. I refresh the page again and the myCookie value on .example.com updates, but the one on example.com does not. More weirdness!
Meanwhile, I have other code that tries to read the cookie, but apparently the myCookie cookie on example.com takes precedence and I get that value, not the latest value (reflected in the .example.com cookie).
I have tried explicitly setting the cookie on .example.com (domain=.example.com) but the described behavior above still happens. Also, near as I can tell, there is no way for me in javascript to explicitly reference the cookie on .example.com - document.cookie just shows the example.com one (but the dev tools Applications tab does show it? So is this exposed in javascript?)
I can't provide a link to the site, but I can try to answer any questions someone might have to clarify.
But my main question is: can anybody explain possible reasons this might happen, or at least offer something that might point me in the right direction? Or failing that, alternatively some workaround to explicitly read from .example.com?
Edit
At this point, my best guess is something else on the site, likely server-side script, is duping the cookies over from .example.com to example.com but only if the values change. But this is pure speculation. I haven't been able to find any client-side proof of this (yet..) and I don't actually have access to server-side stuff. And this is probably grasping at straws anyways. But it's my best working theory ATM to take back to the site devs to ask them about..
Update - New stuff I have found / Clarifications
To be clear/restate: my site is on https://example.com with no submdomain.
This seems to only happen for my cookies where the value changes each page load. Cookies whose values do not change do not seem to get pushed from .example.com to example.com.
Even for the cookies with dynamic values, it only seems to dupe .example.com to example.com the first time. After that, the example.com cookie value does not change on subsequent page loads, even though the .example.com version gets a new dynamic value.
I have created a test script, separate from the cookies I currently observe this behavior, in an effort to divide and conquer. I thought to rule out any shenanigans with the code that sets/reads the cookies and blackbox this as much as possible.
But I am seeing the same behavior. I still suspect this is some kind of server wtfery going on, like the .example.com cookies are getting sent in the next http request and then the server is writing them back to example.com.. only on the first time? That's the double plot-twist. I don't have access to server-side stuff but I don't even know where to begin with what to holler at the site devs to look at.
Also note that so far between my colleagues and I, we tested the both the javascript lib/code that sets the problem cookies, as well as the blackbox script below on 6 other sites (not even owned/affiliated with this problem site at all) and have not been able to reproduce the issue, which further makes us suspect it is some kind of server config issue (but again, we don't really know where to start with that).
Anyways, in case it somehow helps anybody, below is the script I wrote to (further) test this issue. I am testing with a total of 8 cookies:
test_no_dot_static - I set domain=example.com with a static value
test_no_dot_dynamic - I set domain=example.comwith a dynamic value
test_dot_static - I set domain=.example.com with a static value
test_dot_dynamic - I set domain=.example.com with a dynamic value
test_implicit_no_domain_static - I set a cookie with static value with no domain= specified
test_implicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified
test_explicit_no_domain_static - I set a cookie with static value with domain= specified with no value
test_explicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified with no value
#1, #3 - These initially get set on .example.com and do not get duped to example.com on page refresh
#2, #4 - These initially get set on .example.com. On first page refresh, the original value is duped to example.com cookie/domain. On 2nd+ page refresh, the example.com cookie values do not change (retain original value), and the .example.com versions get new values each page load.
#5, #7 - These initially get set on example.com (not .example.com) and are there is never a version on .example.com.
#6, #8 - These initially get set on example.com (not .example.com) and their values update each page load, and there is never a version on .example.com .
Test Code
var s_testCookies = {
getCookieValue: function(a) {
var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
return b ? unescape(b.pop()) : '';
},
getRandomValue: function() {
return '' + (new Date()).getTime() + '|' + Math.floor(Math.random() * 100000);
},
run: function(data) {
var data = data || {};
console.log('------------------------');
console.log('Arg: ', JSON.parse(JSON.stringify(data)));
data.previousValue = s_testCookies.getCookieValue(data.name);
console.log('Previous: ', JSON.parse(JSON.stringify(data)));
data.cookie = data.name + "=" + escape(data.value) + "; path=/;";
data.cookie+= (typeof data.domain!='undefined') && (" domain="+data.domain+";") || "";
document.cookie = data.cookie;
data.newValue = s_testCookies.getCookieValue(data.name);
console.log('New: ', JSON.parse(JSON.stringify(data)));
console.log('------------------------');
}
} // end testCookies
s_testCookies.run({
'message': 'no dot static value',
'domain': 'example.com',
'name': 'test_no_dot_static',
'value': 'no dot static value'
});
s_testCookies.run({
'message': 'no dot dynamic value',
'domain': 'example.com',
'name': 'test_no_dot_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'dot static value',
'domain': '.example.com',
'name': 'test_dot_static',
'value': 'dot static value'
});
s_testCookies.run({
'message': 'dot dynamic value',
'domain': '.example.com',
'name': 'test_dot_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'implicit no domain static value',
'name': 'test_implicit_no_domain_static',
'value': 'implicit no domain static value'
});
s_testCookies.run({
'message': 'implicit no domain dynamic value',
'name': 'test_implicit_no_domain_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'explicit no domain static value',
'domain':'',
'name': 'test_explicit_no_domain_static',
'value': 'explicit no domain static value'
});
s_testCookies.run({
'message': 'explicit no domain dynamic value',
'domain':'',
'name': 'test_explicit_no_domain_dynamic',
'value': s_testCookies.getRandomValue()
});
Another Update based on comments / answers provided
To be clear, in practice, the issue is that we have some cookies that we set with values on a page load. Then when the page is refreshed (or another page is navigated to on the site), we read the value, do something with it, generate a new value and set the cookies again. Wash rinse repeat each page (re)load.
The issue is on initial page view, those cookies are set on .example.com domain. Then on next page load, the initial cookie/value gets duped to exampe.com, and also the cookie on .example.com gets an updated value. Then on another page load, the previous .example.com value does not get duped/pushed to example.com version of the cookie; only the .example.com version updates. So it only gets duped/pushed to example.com on the 2nd page load. Not 3rd+.
Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com
Meanwhile, we cannot simply not specify a domain= value (#6 or #8 above), because there are in fact subdomains in play e.g. mobile.example.com that also have the code that reads/updates/writes those cookies, and if we do not specify a domain, then the cookie is only available on exactly example.com and cannot be read on mobile.example.com.
Udpate
#ffeast asked the following questions:
What does curl -I yourdomain return? Are there any Set-Cookie headers?
Here you go!
user#host:~$ curl -I https://example.com
HTTP/1.1 200 OK
X-Powered-By: Express
set-cookie: site#lang=en; Path=/;Secure
set-cookie: connect.sid=s%3As46fwOPaosGdwis0G_Wdv7gzUs75Q0rr.O1gLsLmrHmmdBXxPWJrIq8UWwOOaQf96qxUlW%2FxnEuM; Path=/; HttpOnly;Secure
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset=utf-8
Content-Length: 19632
ETag: W/"4cb0-bgHMEy79PzLMv7jhB1Lh6A"
Vary: Accept-Encoding
Date: Fri, 16 Mar 2018 20:42:19 GMT
Connection: keep-alive
Set-Cookie: SecureCookie=!zPdIdxiz3mOMe2MYzy1p873u0yWtMdduASsHoU06gkaLs306mhR7cb3ir4TA2EG2cQGKmeVWJeYvxA/flQfPQUixqL8WMOfROsTgu3UZZg==; path=/; Httponly; Secure
I also see the same Response Headers from browser tab.
So there are some set-cookie headers in the initial http response, yes. They are not cookies I personally have anything to do with or know about for my scope of things, but I can ask what they are for, if that somehow helps. Example:
I notice that a domain= value is not explicitly set for them.. is it possible this somehow sets a precedent for the browser, or am I barking up the wrong tree? Even if it did though, I don't think that explains the dupe to example.com only to my cookies that change their values, nor it only happening on 2nd page load (not 3rd+)? Not sure where you're going with this, but I'm all ears!
If your goal is to use a cookie sharing between all sub-domains, allowing everyone to access and set the cookie, then you need to specify the root domain whenever you set the cookie.
Suppose you have sub.example.com, sub2.example.com and example.com, and you want to share the cookie between them then set the domain to example.com. When you don't specify a domain the cookie is only property of example.com or sub.example.com, but when you specify domain to be example.com, then it becomes accessible to example.com and all it's subdomains to read and write to.
domain=domain (e.g., 'example.com' or 'subdomain.example.com').
If not specified, defaults to the host portion of the current document
location (but not including subdomains). Contrary to earlier
specifications, leading dots in domain names are ignored, but browsers
may decline to set the cookie containing such dot . If a domain is
specified, subdomains are always included.
[source: developer.mozilla.org]
In example.com:
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
In sub.example.com: (same as above)
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
In both cases you have to set it to example.com. Otherwise the following situations may arise
In example.com if you forget to set example.com at a single place, a new cookie will be created only for example.com that will be different from the shared one and will not sync with it creating lots of confusion.
In sub.example.com if you forget to set example.com at a single place, a new cookie will be created only for sub.example.com that will be different from the shared one and will not sync with it creating lots of confusion.
You should not set cookie to .example.com as it is not appreciated according to the above quote.
Possible causes of cookie duplication:
When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com, when the second request is made browser sends the cookie to the server, some code on server-side receiving the new cookie sets it back on example.com. This can only be verified inspecting the response headers of the second request.
When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com. When the page loads for the seconds time any JavaScript code is by mistake setting it without specifying domain=example.com that sets the cookie for example.com. This can only be verified inspecting the JavaScript codes involved in setting cookies.
I believe accidental creation of domain/sub-domain specific cookies are the cause of all the anomalies you described. Reviewing every section of code where cookies are being set may solve the issue.
UPDATE: What is really happening here.
You are using InvocaJS v3.6.6 and AngularJS v1.2.19, both of them having cookie management features. InvocaJS stores data in cookie as invoca_session and specifies domain example.com, so the cookie is set for .example.com. There is no problem when AngularJS sees the cookie for the first time, it remembers it. AngularJS keeps a copy of all the cookies and when you update any cookie by AngularJS, you actually modify the copy. Afterward AngularJS loops through all the cookies, compares it with copy to determine and update which cookies have been updated by AngularJS.
InvocaJS the repeatedly changes the value of invoca_session. When AngularJS loops though all the cookies and invoca_session does not match with the value AngularJS has, it thinks the value has been changed by AngularJS (as described above) and it updates the value of invoca_session replacing the new value with old one. (I tested it, this is exactly how AngularJS v1.2.19 worked)
The problem is Angular v1.2.19 does not specify any domain while setting cookies (predicted earlier as bug probability #2). So a new cookie is created with domain set to example.com. Afterwards when InvocaJS tries to read the cookie it reads the old cookie set for example.com.
AngularJS altering cookie
According to w3schools.com documention, you may use a function to built, get and check your cookie.
You may take a look on How do browser cookie domains work, also here and here to better understand how browser and javascript handle cookie setup.
As you said in your question that error is visible also Firefox, it may be useful to note that:
Contrary to earlier specifications, leading dots in domain names are ignored, but browsers may decline to set the cookie containing such dot . If a domain is specified, subdomains are always included.
As you said :
Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com
You may double check if some data are loaded from a sub-domain xxx.example.com on the first load and future page load.
Verify that if some data are cached during future reload.
You may finally double check the presence of the following headers in requests:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
which avoid caching issue.

Edit a dot cookie from javascript

This is driving me crazy. I am setting a cookie with a SetCookie header sent from PHP, without a domain.
setcookie('test','val',0,null,null,false,false);
Then firefox ( and I suppose other browsers ) automatically picks up the domain and makes the cookie available to all sub-domains with the annoying .domain.com. However I want to edit that cookie from JavaScript, how is that possible?
If I put
document.cookie = 'test=val';
Then I get two cookies with the name of test, one with domain domain.com ( set from javascript ) and the other one .domain.com ( sent from php ). I am being even further more confused by the fact that document.cookie and the Cookie header itself contain no information that could help distinguish the two cookies!
Put:
document.cookie = "test=val; domain=.domain.com";
in the Javascript. The default is for the domain to be the exact domain of the web page, you need to put .domain.com in explicitly to override it.
The Set-Cookie: header that came from PHP must have contained domain=.domain.com

Internet Explorer Cookies With Path In Current Path Aren't Available In document.cookie

For one of my projects I had the following paths available in a web application:
/one
/one/two
/one/two/three
Each of the different paths are variable and used cookies as part of their variability, I had created the following cookies:
one=1; Max-Age=9600; Domain=.test.test.com; Path=/one; Expires=Wed, 30 Jul 2014 20:26:09 GMT
two=2; Max-Age=9600; Domain=.test.test.com; Path=/one/two; Expires=Wed, 30 Jul 2014 20:26:09 GMT
three=3; Max-Age=9600; Domain=.test.test.com; Path=/one/two/three; Expires=Wed, 30 Jul 2014 20:26:09 GMT
When accessing the URL (I was running my test on http://test.test.com setup in my hosts file) at the following locations I received the following results:
Visit http://test.test.com/one the correct cookie (one=1) was sent to the server, but document.cookie was empty.
Visit http://test.test.com/one/ the correct cookie (one=1) was sent to the server and document.cookie also had the correct cookie (one=1).
Visit http://test.test.com/one/two the correct cookies (one=1 and two=2) were sent to the server, but document.cookie only contained the first cookie (one=1).
Visit http://test.test.com/one/two/ the correct cookies (one=1 and two=2) were sent to the server and document.cookie also had the correct cookies (one=1 and two=2).
Visit http://test.test.com/one/two/three the correct cookies (one=1, two=2, and three=3) were sent to the server, but document.cookie only contained the first two cookies (one=1, two=2).
Visit http://test.test.com/one/two/three/ the correct cookies (one=1, two=2, and three=3) were sent to the server and document.cookie also had the correct cookies (one=1, two=2, and three=3).
This utterly confounded me, and through a bunch of testing I was only able to find Internet Explorer being impacted by this issue, please see the answer for additional details.
Due to the constraints of my project I needed to have the ability to keep cookie names the same at each of these paths and also vary them by path, so I wasn't able to come up with any solution for my situation where I could use cookies without requiring a trailing slash at the end (which due to my constraints I cannot do).
If you are running into a similar issue there's a couple things that I can think of doing:
If the name of your cookies can vary, you could use different names for each of the paths and keep the path either at the root (path=/)
If the name of your cookies cannot vary but it doesn't matter if they go up a level in the path you could do that (in my case the cookie three=3 could be placed up one directory at path=/one/two if my constraints didn't prohibit me from doing that.
If your constraints don't prohibit you from requiring trailing slashes you could simply have your webserver enforce trailing slashes and redirect to a path with them when they aren't present.
If you run into the same issue with similar constraints to mine you could just move to another storage device instead of cookies. There's other modern pieces such as localStorage and sessionStorage which would allow you to store your data in a more structured way so that you can handle the logic. Note: This only works when you don't need the data from the cookie server side.
In the end what I ended up doing was moving the cookie that I didn't need server side (three=3) to use a convention instead of configuration via cookie within the project and kept the other ones as is since the other two cookies (one=1 and two=2) are only used when visiting the path http://test.test.com/one/two/three and so they are still available through document.cookie in Internet Explorer.

How do I prevent javascript written content from being stored in Firefox's wyciwyg cache?

I am working with user data and cannot allow it to be cached.
I am testing with Firefox 4 and a Tomcat 6 server with the cache-control set at no-cache, no-store, private, must-revalidate, max-age=0. I have also set the expires header.
But Firefox is still a generating a wyciwyg (what-you-cache-is-what-you-get) file in it's cache. This might be considered a history mechanism and not a caching mechanism. But it still stores user data.
An example is http://www.w3schools.com/Ajax/ajax_example.asp.
In Firefox 4.0, the about:cache (specially about:cache?device=disk) page shows the wyciwyg:// file and also the expire date set at "No expiration time". What is worse is that the cache persists after the browser is closed and restarted.
After investigation, for me, the wyciwyg is generated with the contents of a document.write() javascript call.
How do it prevent Firefox from caching this? Ideally without changing the document.write()?
Did you check with Firebug that the cache headers are actually sent to the browser?
But in any case, there's a simple solution to prevent caching: add a timestamp parameter to the request URL.
url = '/my/ajax/script?_=' + new Date().getTime();
This trick is also used by many JS libraries. If you're using jQuery, it suffices to pass cache: false to the AJAX request options.

Categories

Resources