Security of Cookies - javascript

Just a question about setting cookies.
Say your web application is getting information about a users location and seeing if they are in x area. If they are then we can show them y content, or else don't show them.
If you wanted to store that information in a cookie so that later the server/application will read the cookie and have certain assets/web components be showed to the user, could the user theoretically set that cookie to set themselves as a valid user in the region, thus being able to see content they shouldn't? If they saw the setup of the cookie that had been set (i.e. cookie key = userInValidRegion, val = true/yes/something), could they follow the same format and set it themselves?
Thanks

Related

Sharing username and password to the next HTML page

I need to share the username and password information to the right next HTML page after succeeding the login. Because the items in the second HTML page will appear according to the user identity and privilege.
I tried sharing the same js file between the 2 HTML pages. The first set the variables and the second get them, but they don't get passed. How do I do it? javascript? jquery? on the server side??
Thanks in advance :)
It can be done in many ways, but as the first language you mentioned is javascript, I will show you in it. So saving data across pages there are variable called session variable and the process of saving/retrieving them is called session management. There are many ways for session management, one most common way is using cookie. You can save the values in cookie, like this:
setCookie("key", "value", expire_time(integer));
And now on next page to get this value you can use:
var val = getCookie("key");
Hope this helps.
Username and password is a sensitive information you have to share it form Server side in these ways:
Use post method to share this information.
Set session on first page For user type and retrieve on very next page.
As your question says second page will appear according to the user identity and privilege. You can set user identity (User Type) and its privileges.

Users can set cookies in console?

I'm wondering the best way to implement cookies to my site. I would like a user to be able to edit a given post based off a cookie that I set at the time the post is created.
I'm using Angular to set the cookie. ie:
var favoriteCookie = $cookies.myFavorite;
$cookies.myFavorite = 'oatmeal';
(per the Angular tutorial for $cookies).
My question is more at the core of how to use cookies. Wouldn't it be easy for a user to set the cookie using the console? ie:
document.cookie = 'key=value';
And get access to a post for editing? Perhaps I should be creating a unique id to use as a cookie that I then check for when the actual creator visits the page? If so, how might I go about this to best ensure only the actual creator of the post has access to editing?
You can restrict JavaScript manipulation by setting the HttpOnly flag in the cookie on a response. The console won't be able to set it programatically.

Use javascript to remember what choices the user made on previous pages?

I have some pages, on the last page I need to know what choices a user made on the two last pages.
Like this:
a.html
User has three choices here that takes him/her to different urls. I need to somehow save this choice and use it later.
Example:
<script>globalVariable1="firstchoice"</script>
b.html
This is one of three choices page and here the User have 3-4 new choices that takes him/her to different urls. I also need to save this choice somehow for later use.
Example:
<script>globalVariable2="thirdchoice"</script>
c.html
This is the page where I need to know what choices the user has made earlier. To be able to link back to those exact pages if the user wants to go back in my breadcrumb-solution.
Example:
<script>
if(globalVariable1 == "firstchoice"){
//do this
}
if(globalVariable2 == "thirdchoice"){
//do this
}
</script>
Can I do this with some global variables in javascript or how can I solve this?
Thanks
You can use localStorage. A browser API that persists key/value pairs even if you navigate between pages, reload the page or close and reopen the browser.
//setting a value
localStorage["foo"] = "bar";
//getting a value
var x = localStorage["foo"];
Using sessionStorage will also work.
//setting a value
sessionStorage["foo"] = "bar";
//getting a value
var x = sessionStorage["foo"];
Wikipedias Web Storage article describes the difference between localStorage and sessionStorage as:
Data placed in local storage is per domain (it's available to all scripts from the domain that originally stored the data) and persists after the browser is closed. Session storage is per-page-per-window and is limited to the lifetime of the window. Session storage is intended to allow separate instances of the same web application to run in different windows without interfering with each other, a use case that's not well supported by cookies.
You will have to store cookies to track the user's state. Try cookie.js. It has a really simple key-value interface that you can read about on its GitHub page.
Web pages are stateless, so you cannot share global JavaScript variables between pages.
However you can set global variables for your page and containing modules by using the value of the cookie.
Your cookies will be available on all pages of your domain for the current browser.
Example:
//Page 1: Set cookie depending on user choice
$.cookie("choice1", ValueOfChoice1);
//Page 2: Get previous user choice
globalVariable1 = $.choice1("example");
You can read Setting cookies with jQuery if you want more details about how to use cookies.
you can use localStorage or sessionStorage.
Another choice if you're using some server-side language like PHP or Asp.Net is to sore those values in the user's session on the server.

Getting Cookie for a website for a User

Is it possible to search a web page's cookie files for the cookies corresponding to a particular user?
For Example, given any of the functions defined here, I hope to be able to pass in a website URL and a name and function returns the cookie for that user(if any); All this happening when I run the script.
Or, how can I get the username from the cookies collected?
Also, When I run commands like document.cookie, it returns a dialog with some variables and values. Variable like localle, c_user, csm, sub, act, etc... What is the meaning of these variables? Is it possible to uniquely identify a cookie given the a username?
JavaScript, when embedded in an HTML document, has access to the cookies the browser has set for that page.
It cannot access cookies for a different page (unless the cookie is shared between them).
It cannot access cookies for other browsers (since the cookies are not stored in the browser running the JS).
Update re edit (which, BTW, should have been a new question):
document.cookie gives you a string containing the cookies for the document. The cookie names are determined by the author of the code that set them. They mean whatever that person wants them to mean.
Cookies can be identified by their name. Cookies do not have usernames (although the author of the code that set the cookie might store a username in a cookie).

How to save form input in browser

I'm developing a login page in which i have a three fields and a checkbox.
Three fields are:
a code
an username
a password
I want to let user clicking on checkbox to remember (even if close browser) the code and login but not the password. Can you help me? I hope to choose right question :)
That's simple, Use browser cookies to store the same. So that next time the user logs in you can pick the value from the cookie in his browser .
IMPORTANT : BUT Here's how you make it secure.
Since you are storing the UserID etc. I would recommend encrypting and storing it, next time you can pic the value decrypt and then show back
OR
Just set a flag in cookie on click of checkbox (to remember) and populate the User ID and code from the server code if that flag is true the next time you see from cookie.
EDIT : Since you have not mentioned what language/tech you are developing this, just use server side api's to read the cookie values or jQuery/script
Have you never read about cookies?

Categories