javascript Chrome Extension Not able to read httponly cookies

I need to delete the Gmail cookies set in my Chrome browser using a Chrome extension, but it can delete all cookies other than the Gmail cookies. Then I noticed that the Gmail cookies are httponly. Is there a way to remove them using a JavaScript Chrome extension?
Thanks :)

Chrome extensions can use the chrome.cookies API, which has access to all cookies in the cookie store, including httpOnly.
The documentation for the API is here.
Note that this API requires declaring a permission and will not work from content scripts.

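This one works absolutely fine for deleting every cookie, even if it is httponly:

    // Runs in an extension page with the "cookies" permission, not in a content script.
    chrome.cookies.getAll({'domain': 'accounts.google.com'}, function (cookie) {
        for (var i = 0; i < cookie.length; i++) {
            // remove() identifies a cookie by a URL that matches it plus its name.
            var prefix = "https://";
            var url = prefix + cookie[i].domain + cookie[i].path;
            chrome.cookies.remove({'url': url, 'name': cookie[i].name}, function (cookie) { });
        }
    });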
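The same removal with the URL built from each cookie's own `secure`, `domain` and `path` fields and with failed removals reported, as an added example that is not part of the original answers. `cookieUrl`, `removeCookiesFor` and `makeFakeCookiesApi` are hypothetical names, and the fake API is a constructed stand-in so the logic can be run outside a browser.

```javascript
// Added example. A real extension needs the "cookies" permission plus host
// permission for the target site, and must call this outside content scripts.

// Build the URL chrome.cookies.remove() needs from a Cookie object.
function cookieUrl(cookie) {
  var scheme = cookie.secure ? "https://" : "http://";
  var host = cookie.domain.replace(/^\./, ""); // domain cookies carry a leading dot
  return scheme + host + cookie.path;
}

// Remove all cookies for `domain` (httpOnly included); `api` is chrome.cookies or a fake.
function removeCookiesFor(api, domain, done) {
  api.getAll({ domain: domain }, function (cookies) {
    var summary = { removed: [], failed: [], httpOnly: 0 };
    var pending = cookies.length;
    if (pending === 0) { done(summary); return; }
    cookies.forEach(function (c) {
      if (c.httpOnly) summary.httpOnly++;
      api.remove({ url: cookieUrl(c), name: c.name }, function (details) {
        // Chrome passes null here when the removal failed.
        (details ? summary.removed : summary.failed).push(c.name);
        if (--pending === 0) done(summary);
      });
    });
  });
}

// Constructed stand-in for chrome.cookies so the logic runs outside a browser.
function makeFakeCookiesApi(store) {
  function bare(d) { return d.replace(/^\./, ""); }
  return {
    getAll: function (filter, cb) {
      cb(store.filter(function (c) {
        var d = bare(c.domain);
        return d === filter.domain || d.endsWith("." + filter.domain);
      }));
    },
    remove: function (details, cb) {
      var u = new URL(details.url);
      var i = store.findIndex(function (c) {
        return c.name === details.name && bare(c.domain) === u.hostname &&
               c.path === u.pathname && (!c.secure || u.protocol === "https:");
      });
      if (i < 0) { cb(null); return; }
      store.splice(i, 1);
      cb({ url: details.url, name: details.name });
    }
  };
}
```

In an extension, call `removeCookiesFor(chrome.cookies, 'accounts.google.com', console.log)` from the background page.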

The point of HTTPOnly cookies is to not let JavaScript access them.
So basically you cannot read them.
If you want to delete them, you can do it from the options that the browser offers.

Related

how to know if website is using cookies or not?

I've a requirement to verify for the website that I need to test.
Website shall not use cookies
My question: how do I find out, in a smart way if there is one, whether the entire website is really using cookies or not?
I know a way: I'll disable cookies in the browser, and then while accessing the website from that browser it should shout out that cookies are not enabled in the browser. But I believe for this I'll have to check each and every webpage to confirm the whole website is not using cookies.
You can run document.cookie in your console to read all the cookies accessible from that location.
You could also open up your dev tools and view them there. In Chrome, the cookies can be found in the application tab of the dev tools.
More info
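    // document.cookie is always a string; it is empty when no cookie is visible to script.
    // HttpOnly cookies never appear in it.
    if (document.cookie !== "") {
        alert("Cookies!");
    } else {
        alert("No cookies!");
    }
    <!-- YOUR CODE -->
    <h1>Note: Stack Overflow doesn't let me check document.cookie ):</h1>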
I think this will work...
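A header-based check for the question above, as an added example that is not part of the original answers: it parses the `Set-Cookie` headers of collected responses and flags HttpOnly cookies, which `document.cookie` cannot see. `parseSetCookie` and `auditCookies` are hypothetical names, and the response list format (for instance built from a crawler or a HAR export) is an assumption.

```javascript
// Added example. Parse one Set-Cookie header value into the fields relevant here.
function parseSetCookie(header) {
  var parts = header.split(";").map(function (p) { return p.trim(); });
  var eq = parts[0].indexOf("=");
  var cookie = {
    name: eq < 0 ? "" : parts[0].slice(0, eq),
    httpOnly: false, secure: false, sameSite: null
  };
  parts.slice(1).forEach(function (attr) {
    var i = attr.indexOf("=");
    var key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    var val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val;
  });
  return cookie;
}

// responses: [{ url, setCookie: [header values] }] (assumed input format).
// Returns every cookie the server set and the names script on the page cannot see.
function auditCookies(responses) {
  var report = { cookies: [], hiddenFromScript: [], pagesSettingCookies: [] };
  responses.forEach(function (r) {
    var headers = r.setCookie || [];
    if (headers.length > 0) report.pagesSettingCookies.push(r.url);
    headers.forEach(function (h) {
      var c = parseSetCookie(h);
      report.cookies.push({ url: r.url, name: c.name, httpOnly: c.httpOnly,
                            secure: c.secure, sameSite: c.sameSite });
      if (c.httpOnly && report.hiddenFromScript.indexOf(c.name) < 0) {
        report.hiddenFromScript.push(c.name);
      }
    });
  });
  return report;
}

// Constructed sample input, not captured from a real site.
var sampleResponses = [
  { url: "https://shop.example/", setCookie: [
      "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
      "theme=dark; Path=/" ] },
  { url: "https://shop.example/about", setCookie: [] }
];
```

Cookies written by page script through `document.cookie` never appear in `Set-Cookie` headers, so this complements the console check rather than replacing it.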

Firefox localstorage from iframe - SecurityError: The operation is insecure

I have 2 subdomains:
www.example.com = For logged in users only
internal.example.com = Public website
Since I use localStorage to store some information on internal.example.com which I need on www.example.com, I had implemented the following solution:
I load on www an iframe located on internal. I set on both sides the document domain value to the "parent domain":
document.domain = "example.com";
Now on www, I can access the localStorage of internal over www by doing the following:
frames['internalFrameName'].window.localStorage;
Now I can read and write values. This works in Chrome and Internet Explorer, and it worked in Firefox until the last update to FF30. Now I get the error:
SecurityError: The operation is insecure.
Any ideas how to fix it?
You could use a messaging system to communicate between both frames. Then the iframe can just send you the local storage data.
This might help you with that: How to communicate between iframe and the parent site?
You need to use frames['internalFrameName'].postMessage(message, targetOrigin, [transfer]);
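A sketch of the postMessage approach suggested above, as an added example that is not part of the original answers. Both sides check `event.origin` and send to an explicit target origin rather than `"*"`. `makeStorageResponder`, `makeStorageClient`, the message shapes and the `https` scheme for both subdomains are assumptions.

```javascript
// Added example. Iframe side (internal.example.com): answer storage reads
// from one trusted parent origin only, and only for an allow-list of keys.
function makeStorageResponder(storage, trustedOrigin, allowedKeys) {
  return function onMessage(event) {
    if (event.origin !== trustedOrigin) return false;          // ignore other origins
    var msg = event.data;
    if (!msg || msg.type !== "storage-get") return false;
    if (allowedKeys.indexOf(msg.key) < 0) return false;        // key not exposed
    event.source.postMessage(
      { type: "storage-value", id: msg.id, key: msg.key,
        value: storage.getItem(msg.key) },
      event.origin);                                           // explicit target, never "*"
    return true;
  };
}

// Parent side (www.example.com): send requests to the frame and match replies by id.
function makeStorageClient(frameWindow, frameOrigin) {
  var pending = {};
  var nextId = 1;
  return {
    get: function (key, callback) {
      var id = nextId++;
      pending[id] = callback;
      frameWindow.postMessage({ type: "storage-get", id: id, key: key }, frameOrigin);
    },
    onMessage: function (event) {
      if (event.origin !== frameOrigin) return false;          // reply must come from the frame
      var msg = event.data;
      if (!msg || msg.type !== "storage-value" || !pending[msg.id]) return false;
      var callback = pending[msg.id];
      delete pending[msg.id];
      callback(msg.value);
      return true;
    }
  };
}

// Browser wiring (not executed here):
//   iframe: window.addEventListener("message",
//             makeStorageResponder(localStorage, "https://www.example.com", ["token"]));
//   parent: var client = makeStorageClient(frames['internalFrameName'],
//                                          "https://internal.example.com");
//           window.addEventListener("message", client.onMessage);
```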
Gecko throws the error message when cookies are disabled, so besides the object detection for localStorage (which I'm sure you're doing in the code you didn't post), first check for support for cookies.
Change:
if (window.localStorage)
To:
if (document.cookie && window.localStorage)

Reading Google Analytics cookie from PHP

I'm trying to read __utma Google Analytics cookie from PHP to find out if the user is a new one or not.
My website is on www.domain.com without HTTPS.
I've noticed with the Chrome console that the cookie domain is .www.domain.com, i.e. with a dot before the domain. Thus when I try to read cookies with the PHP variable $_COOKIE, it does not show up.
I've also noticed that with an HTTPS domain, two cookies are created: one with .www.domain.com and a second one with .domain.com, which can be read.
Lastly, I can read .www.domain.com using JavaScript, but I would like to do it with PHP.
What am I missing?
Demo page : http://gandi.buypacker.com/ga/example.php
Apparently others have had this same issue. Someone has made a class to help parse GA cookies: https://github.com/joaolcorreia/Google-Analytics-PHP-cookie-parser
Make sure you set your cookie domain explicitly in your Google Analytics JS code:
_gaq.push(['_setDomainName', 'www.domain.com']);

Google chrome session expire=null not working

According to Connect's documentation, the session should expire when the browser is closed:
By default cookie.maxAge is null, meaning no "expires" parameter is set
so the cookie becomes a browser-session cookie. When the user closes the
browser the cookie (and session) will be removed.
I am using Express 3 with connect-mysql for the session store (tried with connect-mongo too and it's the same), and this is how I set the session data.
req.session.userid = results[0].id;
req.session.ip = req.connection.remoteAddress;
req.session.useragent = req.headers['user-agent'];
req.session.is_logged_in = true;
This all works fine except in the Google Chrome browser for some reason (this is on OS X Lion; I have no possibility to test under Windows or Linux right now).
Anyone had this problem in google chrome and know a way to fix it?
This is a fairly wild guess, but I wouldn't be too surprised if it's this. Google chrome will keep running in the background if you have any extensions that make use of this installed. If that's the case after a log off-log in the session should be reset.
If that isn't it, could you please open the developer tools (cmd+alt+i) and copy all the information about the cookie from there (resources->cookies->yourdomain.com). (Especially what's written in the Expires column, because it should say Session)

Can I use localhost as the domain when setting an HTTP cookie?

I am using a jQuery plugin to set cookies and when I use localhost for the domain it will not store the cookie.
Here is the plugin I am using with jQuery 1.2.6.
http://www.stilbuero.de/2006/09/17/cookie-plugin-for-jquery/
Below is the code that I am using. You can see it does not like localhost, and I am running it from a development web server on localhost. One detail is that I am running off port 4005 but that should not affect the domain, AFAIK.
    $(function() {
        console.log('Testing');
        var one = $.cookie('Test.One');
        var two = $.cookie('Test.Two');
        var three = $.cookie('Test.Three');
        console.log(['one', one]);
        console.log(['two', two]);
        console.log(['three', three]);
        $('#div1').text(one);
        $('#div2').text(two);
        $('#div3').text(three);
        $.cookie('Test.One', 'Test 1');
        $.cookie('Test.Two', 'Test 2', { path: '/' });
        $.cookie('Test.Three', 'Test 3', { path: '/', domain: 'localhost' });
    });
I had a similar problem with setting cookies. Make up a domain name and add it to your hosts file as 127.0.0.1. Then run the web application on that domain.
I think the domain name of a cookie must have exactly two dots (not counting the final dot after the TLD). So .something.localhost is okay, .google.com is okay, but .localhost or google.com is not. But a glance at RFC 2965 suggests that it's more complicated than that... you might want to read that document, especially section 3.3 (and/or its precursor, RFC 2109).
I updated the jQuery plugin to not add the domain to the cookie when it is localhost. That solves my problem without touching the hosts file.
var domain = (options.domain && options.domain !== 'localhost') ? '; domain=' + (options.domain) : '';
I'm using CodeIgniter, and setting the domain to an empty string fixed my problem while working on the application on localhost. I believe this is the better solution, as everyone in the development team then doesn't need to mess with their hosts files on Windows.
Production domain values can be put in the config.php of CodeIgniter when deployed on a live site.
I tried setting the hosts file to use an alternate name (local.acme.com) and I can now set cookies on that domain. It seems I cannot set cookies on localhost, at least not with Firefox. I do not recall that being a restriction for cookies. I would like to understand what is going on here.
Also, I did try just making the domain in the hosts file simply "dev" but that did not work. I had to use a name that ended in .com or another TLD to make it work.
Simplest solution for me to resolve this was to use 127.0.0.1 instead of localhost ;-)
That works fine in Firefox!
The cookie needs to specify the SameSite attribute. None used to be the default value, but recent browser versions made Lax the default value to have a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
Along with Domain=localhost, your cookie should look something like this:
document.cookie = `${name}=${value}${expires}; Path=/; Domain=localhost; SameSite=Lax`;
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
