Working with Cookiees

Working with Cookie using Javascript (document.cookie);

1: Creating Cookie
1.1 Creating in-memory cookie

document.cookie = “Username= FirstName LastName”;  // In-memory cookiee
var x = document.cookie;
alert(x);  // Username=”FirstName LastName”

document.cookie = "Key1=Value1";
document.cookie = "Key2=Value2";
alert(document.cookie); // displays: Key1=Value1;Key2=Value2;

Note: If Keys are same then values overwrites;

Cookies predefined Keys in Cookie
  • Expires : The date the cookie will expire. If this is blank, the cookie will expire when the visitor quits the browser.
  • Domain : The domain name of your site.
  • Path : The path to the directory or web page that set the cookie. This may be blank if you want to retrieve the cookie from any directory or page.
  • Secure : If this field contains the word "secure" then the cookie may only be retrieved with a secure server. If this field is blank, no such restriction exists.
  • Name=Value : Cookies are set and retrieved in the form of key and value pairs.
Note; These parameters(their values) are seprated by semi-colon (;);

1.2 Creating Persistent Cookiee
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT";   
1.3 Creating Persistent cookie with Path (i.e., which folder pages can access this cookie)
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";
Note: With a path parameter, you can tell the browser what path the cookie belongs to. By default, the cookie belongs to the current page.

1.4. Modifying Cookie (create new cookies with existing keys and new values);
document.cookie="username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";

1.5.Deleting Cookie
Deleting a cookie is very simple. Just set the expires parameter to a passed date:
document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT";

1.6.Cookie Location
If Security Configuration to Low : %AppData%\Microsoft\Windows\Cookies\Low   

At most one file is would be created on behalf of each Domain; It contains all values in the form of Key-Value pair.
1.7: An approach: setCookie and getCookie data
function setCookie(cname,cvalue,exdays)
var d = new Date();
var expires = "expires="+d.toGMTString();
document.cookie = cname + "=" + cvalue + "; " + expires;

function getCookie(cname)
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i=0; i   {
  var c = ca[i].trim();
  if (c.indexOf(name)==0) return c.substring(name.length,c.length);
return "";
Calling Methods
function checkCookie()
var user=getCookie("username");
if (user!="")  {  alert("Welcome again " + user);  }
 {  user = prompt("Please enter your name:","");
     if (user!="" && user!=null)     {     setCookie("username",user,30);     }
1.8: Iterating through each Items stored in Cookiee
document.cookie = 'Key1=Value1,Key2=Value2';  //Dont use '&' and ';' chars for multi-valued cookiees.
var cookieArray = document.cookie.split(',');

A) Paired items reading
var x1 = cookieArray[0];  //Key1=Value1
var y1 = cookieArray[1];  //Key2=Value2

B) Keys only reading
var k1 = cookieArray[0].split('=')[0]; //Key1
var k2 = cookieArray[1].split('=')[0]; //Key2

C) Values only reading
var v1 = cookieArray[0].split('=')[1]; //Value1
var v2 = cookieArray[1].split('=')[0]; //Value2

Attacks on  Cookies

1)      XSS attacks
a.       Domain Name validations
b.      Sub-Domain Name validations
1)      Cookie Positioning  (Protecting cookies over wire)
2)      Cookie confidentiality (Cookie data encryption)

Recommended References:


Nag-Rcommended References


No comments:

Post a Comment