Access cookies set on subdomain from parent - javascript

I am trying to access a cookie set on a subdomain (small.example.org) from the parent domain (example.org) and I would like to do this from a bit of JavaScript within the page.
First of all I am setting a cookie for the domain small.example.org:
document.cookie = "name=Mike; domain=small.example.org"
When I load small.example.org I can successfully see the cookie that I just set. When loading example.org I cannot see any cookies from small.example.org. Maybe not that surprising.
So I figured I need to make a request to the subdomain to include something onto the main domain, a script tag.
<script src="//small.example.org/script.js"></script>
Now when I load example.org with the request to the script tag and have a look in the browser, I can see the cookie from small.example.org.
But when I try to access it from JavaScript using document.cookie, I get nothing.
Is this the expected behavior? I thought you cannot access cookies from JavaScript only if they had the HttpOnly flag set.
Is there a way to go around this? The example above is very close to my actual use case scenario and unfortunately I cannot play too much with the architecture.

This is the expected behavior.
JavaScript can only access a cookie if the domain of the cookie is either:
An exact match for the hostname of the current page
A substring of the hostname of the current page
example.org can't read cookies for small.example.org (although the reverse is not true).
Note that the Origin for JavaScript is determined by the URL of the HTML document the JS is running in, not by the URL that the JS was loaded from.
You can either:
Change the domain specified when you set the cookie
Dynamically generate the JS file on the server and insert the data using server-side programming (the browser will send the cookie in the HTTP request header when requesting the JS URL because the domains match).
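The visibility rule discussed above, as an added example that is not part of the original answer. It follows the domain-match rule of RFC 6265 (section 5.1.3), ignores Path, Secure and the public-suffix check, and uses a constructed cookie jar; the function names are hypothetical.

```javascript
// RFC 6265 domain-match: the host equals the cookie domain, or ends with
// "." + cookie domain (the match must fall on a label boundary).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// A page may only set a Domain attribute that domain-matches its own host.
// (Browsers also reject public suffixes such as "org"; that check is omitted here.)
function canSet(pageHost, domainAttr) {
  return domainMatch(pageHost, domainAttr);
}

// A cookie set without a Domain attribute is host-only: exact host match only.
function isVisible(pageHost, cookie) {
  if (cookie.hostOnly) return pageHost.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatch(pageHost, cookie.domain);
}

// What document.cookie would return on pageHost for the given jar.
// HttpOnly cookies are still sent in requests but are hidden from script.
function documentCookie(pageHost, jar) {
  return jar
    .filter((c) => isVisible(pageHost, c) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample jar (not real data).
const jar = [
  { name: "name", value: "Mike", domain: "small.example.org", hostOnly: false },
  { name: "shared", value: "1", domain: "example.org", hostOnly: false },
  { name: "www_only", value: "x", domain: "www.example.org", hostOnly: true },
  { name: "sid", value: "secret", domain: "example.org", hostOnly: false, httpOnly: true },
];

console.log(documentCookie("example.org", jar));       // parent page
console.log(documentCookie("small.example.org", jar)); // subdomain page
```

Setting the cookie from small.example.org with domain=example.org passes canSet and makes it readable on both hosts, which also exposes it to every other subdomain of example.org.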

Related

Set cookie while loading remote js in the domain where js is hosted

Below is the scenario I am looking at:
I am remotely loading a js file to the site hello.com.
The js is loaded from jsfoo.com.
I want to set a cookie for the domain jsfoo.com in the user's browser when the user is visiting hello.com?
Is it something possible from within the js file that is loaded or do I have to write a server side logic when loading the js?
The objective is to retarget the user who visited hello.com when the user visits jsfoo.com later.
Update based on the comment below:
Would it be possible if js is loaded dynamically? For example if we load the js via a dynamic url like jsfoo.com/getjs.php?js=sample.js. Wouldn't it be possible for the code to set and get the cookies for jsfoo.com via php code?
The JS code is executed under your domain, so you can not set that cookie client-side. This is only possible if the script resource loaded from the other domain sets a cookie for that domain via the HTTP response header.
And you won’t be able to access the cookie of jsfoo.com in hello.com. If you need the existing value, then your script on jsfoo needs to read it when the request to its domain happens, and return the value in a way that JS can read it (f.e. by outputting it as a JS variable.)
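Both this answer and the first answer on the page suggest having the server that owns the cookie read it from the request and emit it as JavaScript. A sketch of that endpoint for Node.js, added here and not taken from either answer; the allow-list, the window.subdomainData variable and the function names are assumptions.

```javascript
// Cookies this endpoint is willing to expose to script (hypothetical allow-list).
// Session identifiers do not belong here: any page that includes the script
// with a <script> tag can read whatever it outputs.
const EXPOSED = new Set(["name"]);

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = Object.create(null);
  for (const pair of (header || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const key = pair.slice(0, eq).trim();
    let val = pair.slice(eq + 1).trim();
    try { val = decodeURIComponent(val); } catch (e) { /* keep the raw value */ }
    out[key] = val;
  }
  return out;
}

// Build the JS source. JSON.stringify quotes the data; escaping "<" and the
// U+2028/U+2029 separators keeps a cookie value from breaking out of the script.
function renderScript(cookieHeader) {
  const all = parseCookieHeader(cookieHeader);
  const data = {};
  for (const k of Object.keys(all)) if (EXPOSED.has(k)) data[k] = all[k];
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `window.subdomainData = ${json};`;
}

// Node http handler; wire it up with require("http").createServer(handle).listen(8080).
function handle(req, res) {
  res.writeHead(200, {
    "Content-Type": "application/javascript; charset=utf-8",
    "Cache-Control": "no-store", // per-user output must not be cached and shared
  });
  res.end(renderScript(req.headers.cookie));
}
```

Between example.org and small.example.org the request is same-site, so the cookie is sent; between unrelated sites such as hello.com and jsfoo.com the browser only sends it if the cookie was set with SameSite=None; Secure and third-party cookies are not blocked.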

AngularJs: How to set same cookie on different domains

I have 2 domains:
www.site1.com
www.site2.com
Important Notes:
Not subdomains!
Allow-Origin is enabled on both domains.
I have full access to both domains.
Question:
How to set a cookie on site1 & get that cookie on site2 ?
I want to use it on AngularJs, no matter if using jQuery in your examples.
There is a technique that multi-site companies like Google employ to keep their users logged in for all their sites per single authentication.
This question is about how A can read a cookie of B. But my answer only tells you how A can set a cookie in B. Although this technique can be employed in a useful way for OP's favor, negative points are welcome. I will still spread the awareness.
Create a php file (let's say setcookie.php) in site B. This can set a cookie for site B.
setcookie("MyCookie", "subinsb.com", time()+3600);
Now if you can call this php file from any site, it will set the cookie for site B. A famous way to call this script is via a hidden img tag. So, the site A can have this image tag - which will set a cookie for site B.
<img src="http://www.siteB.com/setcookie.php" style="display:none;" />
When this image is loaded, you know the cookie for site B is set.
Interestingly, you can send data too to the cookie of site B through the URL. Your setcookie.php can read data via $_GET and include them in the cookie.
Here is the article.

window.open() URL having www. and cookie issue

I have a script that does this:
window.open("http://www.myurl.com","myURL","width=400,height=200");
Okay, this works. I have cookies set and sessions set. User can only access my page when they login. When I logout, this page will direct me to a login page from window.open() as predicted.
When I take out www in the window.open()
window.open("http://myurl.com","myURL","width=400,height=200");
the cookies and sessions don't apply? I can still go into the page even if I've logged out.
Now when I tried myurl.com in the original browser, it directs me to my login page where it's supposed to.
Any ideas why? I mean I can just set it to www, but I would like to know what the reason is?
Thanks
I assume you're setting your cookies using PHP's setcookie() function (as that's what you commented on your question).
PHP will set these cookies to the domain the user is currently on. If the user is on www.mysite.com, the cookie will be applied to www.-subdomain only. You should instead give the domain PHP should set the cookie for:
setcookie('name', 'value', $time, '/', '.example.com');
Note the leading dot: .example.com, as it represents a wildcard so that the cookie is applied on all subdomains of example.com (that is, www.example.com and example.com, as well as other subdomains you might have).
For more information on this function: PHP docs

JavaScript: 404 page, how to get the requested url?

I'm hosting few static web pages on GitHub (gh-pages). If the user tries to access a page which isn't available, he/she is moved to a custom 404.html.
What I'm wondering is if is it possible to access the original requested URL from the custom 404.html, using just JavaScript? There's no PHP nor any other server side technology available.
I've looked at the JavaScript's Location-object but that seems to give only the access to the current URL (in this case the 404.html) but not to the original requested URL. What I'm trying to achieve is a 404.html which gives suggestion like "Did you mean to access url ..." to the user but in order to do so, I need the access to the original URL.
Your only hope would be document.referrer but of course GH would need to set it, which is highly unlikely for any page returning a HTTP 404 out of a request ...
You need to look at the url in document.referrer
Because the user is moved by the server to a 404 page, JavaScript cannot know about the requested url.
It may be possible if you add in .htaccess to redirect the user to a page with the url: page.php?url=requested_url , then the requested_url appears in the address bar, which can be read by javascript.
I've tested this with a custom domain and location.href will actually give the current url, which in this case is the faulty one. So, while document.referrer will only give empty string, location.href will give the url you want.
I'm wondering if this has to do with what kind of GH pages you're hosting as well as if you're using a custom domain. My understanding was, however, that it was only possible to serve a custom 404.html using a custom domain.

how can I POST cookies to a different link?

Is there any way to POST all the cookies (cookie name, value and expire time) available for a specific domain (e.g. .example.com) using JavaScript? I own the domain that I need the cookies to POST from but I want to post them to a different domain (e.g. example2.com). After the cookies are POSTed I also need to redirect the client to a specific link so I think some ajax may be required.
Note: I do not need to read/write cookies on different domain. I simply need to send/transport the cookies names/values/exp of the current domain to a different domain as HTTP POST values.
You can access the cookies using document.cookie. However, this only gives you the name and value - there's no way (that I know of) to get the expiration date of a cookie. It contains a string with all the cookies, in a name1=value1; name2=value2; name3=value3; format.
Sending it as a POST request to another domain can be done with cross-domain XHR, but if you don't need to read the HTTP response of the request, submitting a form should be enough. Simply create an invisible <form> with its method attribute set to "post", the action attribute set to the URL on the other domain and the target attribute set to the id of an invisible iframe, add the cookies as an <input>, and submit the form.
<iframe id="foo" style="display: none"></iframe>
<form id="bar" method="post" target="foo"
action="http://www.someotherdomain.com/handle_cookies.php">
<input id="cookies" type="hidden" name="cookies" />
</form>
<script type="text/javascript">
document.getElementById('cookies').value = document.cookie;
document.getElementById('bar').submit();
</script>
It's probably better to create the <iframe> and <form> dynamically, using JavaScript, instead of having it written in the HTML, but I'm too lazy to write that at 2:30AM, sorry :P
Note: If the first domain is accessed on SSL, make sure the connection to the other domain is also over SSL, otherwise you'll be transmitting secured cookies over HTTP as plain text. You can remove the scheme part from the URL of the other domain (e.g. //www.someotherdomain.com/handle_cookies.php instead of http://www.someotherdomain.com/handle_cookies.php), making it use the same scheme as the one used where the cookies are sent from. I highly recommend doing that.
The link describes a method that comes close to the requirement. But it uses the window.name property instead of cookies to send data.
Google cache copy, because the original link ceased to work for a while.
Using window.name transport for cross-site POST scripting
I think due to security reasons you can't read/write a cookie for a different domain. You can apply a specific path for the cookie to be available to such as a specific folder outside of your root. I think the way the browsers work is they find cookies for the site they are accessing at the moment, and use them accordingly. But allowing for cookies to be cross domains would open up to many threats. I think, if you really want though I can't promise something like this working fully.
If you build a script on the other domain that will write a cookie based on a trigger and then you use something like PHP cURL to bring the page into the domain you're working with at the moment you may be able to invoke a cookie from the other domain. This is pure theory though, not something I have tested. The idea is since you own both domains it's assumed you also have access to both hosting servers. So with that you need something on both ends to work with one another to do what you want, rather than hope for a one sided solution.
Reference: http://www.quirksmode.org/js/cookies.html