I'm having a problem with cookies. If the browser has cookies disabled, the cookie gets rejected. Is there a way to enable cookies on the client's browser that is compatible with Internet Explorer, Firefox, Opera and Chrome?
If a user has chosen to disable cookies, who are you to override that choice?
The best thing to do is notify the user that they need to enable cookies for your script/site to work and provide a link to some instructions on how to do so.
Or find a different way to achieve what you are trying to do
I'm not aware of one and would be suprised if there was one - people turn cookies off for (among other things) security reasons, so allowing the site to re-enable them would be a security issue.
What you could do is to write some logic into your app to check for cookies:
First
set a cookie called 'test';
redirect the user to http://wherevertheywere?cookiecheck=1
Then, include logic like this:
if the querystring contains cookiecheck=1:
if the 'test' cooke is set
cookies are working - do whatever you need to do.
else
redirect the user to a special page on your site explaining that they need to enable cookies to use the site. This can include browser detection to give them relevant instructions,
If that would be possible, it’d be a security flaw. So no, it is not possible.
If cookies are not enabled or supported by the browser, you should have your software use an alternative way of maintaining sessions from page-to-page. You may have to include a session key as a URL parameter. Just make sure you have aggressive session key validation. Depending on your language and environment, there may already be facilities for doing this that won't add a lot of development overhead (PHP $_SESSION, for one).
I think there isn't a way to do this.
Hope there isn't a way to do that, too.
If user disabled cookie there is a reason to do this and re-enabling them should be filed as a security flaw
It is probably possible, but there are so many browsers in so many versions that you'd be hard pressed to cover a reasonable number of scenarios.
Further, if the user has disabled cookies, turning them on for the user and using them would be criminal interference with their computer.
Thought this could help anyone, on some browsers you can check if cookie is enabled using :
if(navigator.cookieEnabled)
Related
I have a website that depends completely on sessions and I store them in cookies.
So it is necessary that cookies of browser is enabled.
Now I was able to check if cookies are enabled in the browser using java-script like this:
if (!navigator.cookieEnabled)
{
//Display an warning message asking users to enable the cookies.
}
But what if user doesn't have knowledge where to find an option to enable cookies in browser.
So I would like to provide a button inside warning message to enable cookies of browser using java-script on button click.
Does browsers give this kind of write functionality to java-script?
No, you can't enable this using javascript for a security reason. There are good reasons for not allowing that.
There are some other alternatives if you're willing to consider. i.e. passing session id in the url, storing a session id in the localStorage or the modern approach is to go with JWT token.
I have a REST based service architecture. One service is used to login users. A successful login request results in a auth_token sent back to the web client.
I would like to store the token in localStorage which is working fine in most situations. However it is possible that the user disables localStorage or the browser is in private mode (as far as I know only an issue on Safari).
My question is: Is there any concept I can use as a fallback when localStorage is not available?
Is storing the token in the window variable an option?
Any ideas are appreciated.
Checkout this link to find whether you have local storage enabled or not.
https://mathiasbynens.be/notes/localstorage-pattern
Also, for the fallback you can use cookies always. Or even if the cookies is not enabled, the only way to support is by URL param. Usually, in these cases people will show a warning message staing their Localstorage/Cookie should be enabled in order to work with their site. Hope it helps .
Alternatively, you can store in window.name which will be carried over on one browser tab; if you open the same page on anther tab it wont be available.
I'm building a webapp, and I could use a solution that allows me to uniquely identify the users computer.
The reason for this is, that once the user is logged into to the application he/she can start several sessions (which is stored in mySQL) related to the app - however, the sessions should only be available from the computer in which the session was initiated.
I cannot use cookies, since the application should allow users to close the browser, restart the computer etc etc., without any risk of loosing the users session.
At first I thought I would be possible to get something like a motherboard serial. Naaah, not going to happen.
Then I thought of generating an MD5 hash based on users remote address + MAC address, until I found out that this is only possible using older versions of IE with ActiveX.
Then I came to think if all Chrome installations have some sort of unique browser ID I could use? ... Haven't been able to find anything helpful.
Any great ideas on how to generate an unique string based on the users computer?
You'll have to relax your constraints : even by using the browser digital print, you won't be able to have a guaranteed not changed and not lost UID.
My usual solution, which works very well but with no guarantee, is to send from the server to the browser an UID and to store it in localstorage. Note that a computer savvy user can remove it or change it. But if the user isn't your foe, this works well.
The reasons to prefer localstorage over cookies are :
no expiration
no tools to "clean" them, as they were origin-bound from the start and thus haven't the privacy-breach reputation of cookies
of course the cleaner and saner interface for javascript applications
I cannot use cookies, since the application should allow users to close the browser, restart the computer etc etc., without any risk of loosing the users session.
Cookies are not lost when the compute restart. You can use cookies.
ok... im looking to have a good round of brainstorming here...
say i was google... the adword/adsense/analytics division. i would be getting a little worried about the future, when users start to disable cookies (or at least delete them on a regular basis), use private browsing, roam on multiple devices. how could google alternatively track users without the benefits of cookies?
some ideas to get started (please elaborate on these and any others):
-track users using some other persistent local/client side storage
-use user-agent string fingerprinting
-test cache response - if user 304's an image, they were here
-track mac address
-any random/out of the box ideas?
Take a look at http://samy.pl/evercookie/, it's a JS API for ultra-persistent cookies, but you can take idea(s) from it's mechanism to find storage for your data.
I think you could do it using custom urls. You would basically ecrypt a cookie and attach it as part of the URL you send to the browser. When it returns, your web server would be smart enough to decode it and track whoever sent it.
I believe the Spring framework can do this in fact.
If your site requires user tracking, then I would have it fail to work if cookies are disabled. Then focus your time and effort on making it a fantastic site for the vast majority of your visitors, and don't worry about the ones who, for whatever reason, have made the explicit decision to disable cookies.
(Made this a CW answer because this is a subjective question that's likely to be closed.)
Information about browser/system/display through js and IP of cause;
Java Applet provide a lot of info about user;
Flash also (e.g. installed fonts);
Modern browsers also provide a lot of information about users (e.g. installed extensions) and provide new ways to save information on client-side (e.g. html5 storage).
altogether: http://panopticlick.eff.org/
you can always resort back to good ol way, the HIT COUNTER.
on page, use tag and link to external image on your server
on your server, when image is fetched, redirect it to php script through .htaccess and record header info about device id etc. {similar code as disabling the hotlinking of image}
Now you have all info, use php_session() to keep a track of it
you can always use js for the same purpose, but using tag will ensure that js is not required and the script will run on all browsers
Previously I had posted a program and asked about handling cookies in Javascript.
I had posted one code and u can find it in my other question.
Many gave good answers and I aslo tried their solutions. But since I am new to this html and javascript may be I dont know how to find bugs and debug it.
So can anybody please post their solution for this problem.
I want a webpage to be created in which it should check a cookie upon loading. If the cookie is 20 mins older it has to go to login page(ask for usename and password). Otherwise no login is required and it should directly come to one page(it is being designed).
So if anybody is already having a similar or exact code(in which time cookie is maintained) kindly post it.
Regards
Chaithra
It sounds like you're trying to implement a login system using javascript. If this is the case, STOP. All forms of authentication should take place on the server side, and you can use sessions to determine how long it has been since activity from that account. "Cracking" client-side (eg: javascript) security measures is laughably easy.
Short answer - This is a pretty good tutorial...click here...
Better answer - If you're going to create a login system you need to understand cookies, sessions, forms, and security (injection!!!) before you start on anything that is implemented for serious use. You should know to avoid client-side scripting for things like login before you even start. I'd recommend you keep looking at tutorials. You might want to look at things like the difference between different languages and when best to use which.
As nickf said, session timeout is best handled by the server side. The presence of a cookie is used to locate the session, not to implement the timeout. Session cookies are usually what's used to track session state - not the ones that expire. They last as long as the browser is open.
The server side, when processing a request, uses the cookie's value (usually a long random, hard to guess string) to locate the user's session. If the session isn't present, it can respond with a redirect to the login page.
EDIT: In the comments you said you're using goAhead - I'm having difficulty accessing their wiki but assuming it's close to Microsoft's ASP, see this link from webmaster-talk's asp-forum for an example of how to process a login. The part to note on the login page is:
session("UserID") = rs.Fields("usrName")
and the part that checks on each page load the sessions is still good is:
if (session("UserID") = "") then
response.redirect("default.asp")
This is like I outlined in the notes below, driving the timeout detection from the server side and letting the framework (goAhead in your case) do all the cookie magic and timeout on inactivity.