Reading Google Analytics cookie from PHP - javascript

I'm trying to read __utma Google Analytics cookie from PHP to find out if the user is a new one or not.
My website is on www.domain.com without HTTPS
I've noticed with the chrome console that cookie domain is .www.domain.com ie with a point before the domain. Thus when I try to read cookies with php variable $_COOKIE it does not show up.
I've also notice that with a HTTPS domain, two cookies are created : one with .www.domain.com and a second one with .domain.com which can be read.
Lastly I can read .www.domain.com using Javascript but I would like to do it with PHP.
What am I missing ?
Demo page : http://gandi.buypacker.com/ga/example.php

Apparantly others have had this same issue. Someone has made a class to help parse GA cookies: https://github.com/joaolcorreia/Google-Analytics-PHP-cookie-parser

Make sure you set your cookie domain explicitly in your Google Analytics JS code:
_gaq.push(['_setDomainName', 'www.domain.com']);

Related

Accessing localStorage for a domain via iframe

On example.com I have an iframe which loads anotherexample.com. The problem I am having though is if I load anotherexample.com directly (outside of the iframe) the localStorage isn't shared with the iframed anotherexample.com.
Is this possible to achieve?
An example of the issue can be seen by visiting https://eskimo.dev/localstorage/, then visiting https://eskimo.ooo/localstorage/iframe which iframes the first link. The iframe isn't using the localStorage from the previous.
Actually I tried, and it worked for me (I accessed first /iframe but it worked for me both ways):
Image from https://eskimo.ooo/localstorage/iframe
Image from https://eskimo.dev/localstorage/
Image from DevTools
Of course, when I disabled all third party cookies it didn't work. Might that be the reason?
I'm using chrome 107.0 by the way.
Not sure why its not behaving as it should. May be code snippets might be really helpful here. But by the above linked example in the OP. The reason its not working there is :
There are 2 domains : eskimo.dev & eskimo.ooo (Both of these are different). When the first domain eskimo.dev is opened, the local storage is set in the browser with reference to eskimo.dev and this will accessible to page with origin "eskimo.dev".
But when eskimo.ooo is opened (domain that has the iframe src set to eskimo.dev) here the localStorage will not be shared as the origin domain is eskimo.ooo, and therefore cannot access localStorage data of eskimo.dev .
What will work ? :
If you were to have eskimo.dev/localStorage (where the localStorage is set in the browser) and
now if you open eskimo.dev/localStorage/iframe (in which the iframe src points to eskimo.dev/localStorage, this page will have access to localStorage data.), why ?
Because, the domain origin is not changing, hence it can access the same localStorage.
Thanks
It is a complete other domain, so there is no way access localStorage of the other domain.
But if you have control of both domains, you could use javascript events to share the localStorage through domains.
You can see more here: cross domain localstorage with javascript

Cookie consent - Find the code that is setting the Cookies in website

Hi I am using OneTrust for my Cookie Consent.
OneTrust gives you the option to block cookies before they are set by adding this code.
<script type="text/plain" class="optanon-category-C0002">
// code
</script>
How it works:
When the above code loads, JavaScript inside the tags will not run, and no cookies will be set. Then, when the Cookie Compliance code loads, if cookies for the associated group have consent, it will dynamically change the tag to: script type=text/JavaScript
My Problem:
How do i find the code where the cookies are being set? (Find the file).
If i know where the cookies are set, I can add the code to block it. But i dont seem to find them.
How do you search for them?
I can see in chrome all the cookie names but not sure where they are within the website.
The website has a CMS (DNN, Evoq).
Thanks in advance

Make google Recaptcha work with special characters in the domain name

I was setting up an API key for a site with the swedish charachter ä in the domain name (http://sälja.io) but it did not initialize the recaptcha.
Then trying an api key for the equivalent url http://xn--slja-loa.io which worked when reaching the site from http://xn--slja-loa.io but not http://sälja.io.
Then I found the secure token which should work on all domains. It initialized the recaptchas on all domains and was also working on all tested domains, except the one with ä in it.
https://developers.google.com/recaptcha/docs/secure_token
Is there any way to get it working also with ä in the domain name ?
Edit
Since an api-key for http://xn--slja-loa.io is working from android when accessing the site from http://sälja.io, it might be how the browser interprets the domain. Eg. firefox interprets http://sälja.io as domain http://sälja.io and cannot get a response from google servers that will not allow ä in domain names. Android inteprets http://sälja.io as http://xn--slja-loa.io and will get a response since it's not containing ä. Any thoughts about this ? Is there any way to force the browser to interpret http://sälja.io as http://xn--slja-loa.io ?
Edit2
Code examples can be reached on sälja.io/test, 178.62.187.163/test and xn--slja-loa.io/test
Edit3
As of today (25.11.2015) it seems not to be possible to use recaptcha with a special charachter like ä in the domain name. Since aishwat singh have been helping the most to coming to this conclusion within the time for the bounty he will be rewarded, however an answer will be accepted when a solution can be provided for this problem.
I tried it just now and I am able to generate key for example-ä.se 6Ld8VRETAAAAALRXFNxmjEeVzbg2y5vdWv7THwJz
will post a complete working example shortly
EDIT 1
Here's git repo for code and same running on heroku
Ok it's not a complete fix because i used herokuapp.com as domain so example-ä.herokuapp.com becomes a sub domain and works
(however when earlier i tried it created a key for example-ä.se too but on loading page at captcha it gives invalid domain, figured out that was original issue, i thought you were not able to generate key for this domain)
Will try for a complete fix
EDIT 2
Btw you can specify your domain ip too, check this discussion
For me heroku free account doesn't provides ip of domain so it's difficult for me to test it
Also i was reading this thread
Figured out if i specify domains list as just com it accepts. In your case, just specify se as domains and it should work , google doesn't checks out exact url it just checks domain
Hope it helps, Will look into stoken approach too
you can read this post:
http://webdesign.tutsplus.com/tutorials/how-to-integrate-no-captcha-recaptcha-in-your-website--cms-23024
.....................

Chrome - Unable to read sessions for cross domain requests

First I'm apologizing if the title of my question is not correct or not clear. But I will explain my issue below.
Lets say I have a web application called mywebapp.com and i have a page loadjs.php. Here, I have some JS code and the content time of the file is application/javascript.
loadjs.php (mywebapp.com)
header("content-type: application/javascript")
echo "alert('some message here');";
I will use the above file in a page (index.html) of another web app as a javascript source. let's say that it is anotherwebapp.com.
index.html (anotherwebapp.com)
<html>
<head>
<script type="text/javascript" src="//mywebapp.com/loadjs.php"></script>
</head>
<body>
Some contenct here..
</body>
</html>
When this runs, there should be javascript alert as I wrote in loadjs.php (mywebapp.com).
Note:
The above is working without any issue.
My Issue:
Lets assume now I want to display this alret only for the logged in users for mywebapp.com. That means, when a user who has logged in already in mywebapp.com will see an alert when they visit anotherwebapp.com in the same browser.
So my loadjs.php file will be as below.
header("content-type: application/javascript")
if(isset($_SESSION['logged_in']) && $_SESSION['logged_in']==true)
echo "alert('some message here');";
Let's assume that $_SESSION['logged_in'] has been already set after the user login.
It was working properly in Firefox and and IE. But..
Chrome browser was not working properly.
So the reason is, chrome cannot read the session value as other browsers do.
Is there any special reason for this and is there any way to overcome this?
(Please note that the above coding sample is just an example to explain my issue.)
Looking forward to hear from you.
Session is handled server-side, so this is not a Chrome problem.
It could be a caching problem: the js file is first loaded without the alert (because the user is not logged in) but when the user logs in the js is loaded from cache and not downloaded again causing the alert to not display.
Chrome has a pretty "aggressive" caching policy, had some troubles like this before.
You should try to add a timestamp or some kind of dummy value like so that on every page reload you force the javascript file to be downloaded again
<head>
<script type="text/javascript" src="//mywebapp.com/loadjs.php?dummy=
<? echo time() ?>"></script>
</head>
I haven't been using php for quite some time so this might not work but you should get the idea
This is an interesting issue. I do not have an environment to test this right now, but the first thing I would like to do is to print the $_SESSION['logged_in'] while making a request using FF, then Chrome. If for Chrome the value is false, you have to debug why. It could be a crossdomain policy issue.
You can take a look at this: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
Maybe you need to send this header from mywebapp.com:
Access-Control-Allow-Origin: http://anotherwebapp.com
Please also share if the js console of Chrome shows any error.
Update: the issue was due to chrome browser cookie settings dialed in to be restrictive. Go to chrome://settings/content and make sure Block third-party cookies and site data is not checked.
I had a similar issue.
The reason for your problem is:
The session ID is sent as a cookie, and since your request is cross-domain, it's considered a third party cookie by the browser. Several browsers will block third-party cookies.
The solution to your problem is
Generate the session ID on the client (in the browser), use Javascript sessionStorage to store the session ID then send the session ID with each request to the server.
Details in this article (related to XMLHttpRequest, but your issue is essentially the same): Javascript Cross-Domain Request With Session

Javascript security / cross scripting on same server

Have some Javascript that I need to work via the following:
://localhost
://servername
:/www.domainnamefortheserver.com
When I run the script from http://servername with an IFRAME referencing the domain - it does not load.
Is there a way to get the Javascript security model to recognize the server name, localhost and the domain as the same "domain"?
Thanks
If you are running on UNIX you can edit /etc/hosts to give a fake DNS entry for your server.
eg.
127.0.0.1 localhost www.domainnamefortheserver.com
Then you can always connect to it as the correct name even when it's not on the live site yet. Don't try and break the javascript security directly.
This will also work on OSX. Windows works differently, I expect.
If you are using a server-side language to generate the page, you may be able to set the security domain like so:
document.domain = $CURRENT_HOSTNAME;
So the security domain will be the domain the user requested. This is a shot in the dark, but I hope it helps nonetheless.
Use root relative URIs:
href="/foo/bar"
rather than absolute URIs:
href="http://example.com/foo/bar"
That way the document will be loaded from the same hostname.
What do you mean by
my references are to the domain name
?
If you load scripts in your page on http://servername (using <script src=''>), they will have access to everything on http://servername, even if they come from another domain.
However, if you try to make AJAX calls to the other domain, then you have a problem. You can use the trick explained by Christopher, ie making aliases to the domain.

Categories