Working with Cookies using JavaScript (document.cookie)
1: Creating Cookies
1.1 Creating an in-memory cookie
document.cookie = "Username=FirstName LastName"; // In-memory cookie
var x = document.cookie;
alert(x); // displays: Username=FirstName LastName
document.cookie = "Key1=Value1";
document.cookie = "Key2=Value2";
alert(document.cookie); // displays: Key1=Value1; Key2=Value2
Note:
If the keys are the same, the new value overwrites the old one.
Predefined keys in a cookie
Note:
These parameters (and their values) are separated by semicolons (;).
1.2 Creating a persistent cookie
document.cookie = "username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT";
alert(document.cookie); // document.cookie is a plain string, so it has no UserName property
1.3 Creating a persistent cookie with a path (i.e., which folder's pages can access this cookie)
document.cookie = "username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";
Note:
With a path parameter, you can tell the browser what path the cookie belongs
to. By default, the cookie belongs to the current page.
1.4 Modifying a cookie (create a new cookie with an existing key and a new value)
document.cookie = "username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 GMT; path=/";
1.5 Deleting a cookie
Deleting a cookie is very simple. Just set the expires parameter to a past date:
document.cookie = "username=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
1.6 Cookie location
C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
If the security configuration is set to Low: %AppData%\Microsoft\Windows\Cookies\Low
At most one file is created on behalf of each domain; it contains all values as key-value pairs.
UserName@www.w3schools[2]
1.7 An approach: setCookie and getCookie data
// Store cname=cvalue for exdays days.
function setCookie(cname, cvalue, exdays) {
  var d = new Date();
  d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
  var expires = "expires=" + d.toUTCString();
  document.cookie = cname + "=" + cvalue + "; " + expires;
}
// Return the value stored under cname, or "" if there is none.
function getCookie(cname) {
  var name = cname + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i].trim();
    if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
  }
  return "";
}
Calling the methods
function checkCookie() {
  var user = getCookie("username");
  if (user != "") {
    alert("Welcome again " + user);
  } else {
    user = prompt("Please enter your name:", "");
    if (user != "" && user != null) {
      setCookie("username", user, 30);
    }
  }
}
1.8 Iterating through the items stored in a cookie
document.cookie = 'Key1=Value1,Key2=Value2'; // Don't use '&' and ';' characters for multi-valued cookies.
var cookieArray = document.cookie.split(',');
A) Reading paired items
var x1 = cookieArray[0]; // Key1=Value1
var y1 = cookieArray[1]; // Key2=Value2
B) Reading keys only
var k1 = cookieArray[0].split('=')[0]; // Key1
var k2 = cookieArray[1].split('=')[0]; // Key2
C) Reading values only
var v1 = cookieArray[0].split('=')[1]; // Value1
var v2 = cookieArray[1].split('=')[1]; // Value2
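The setCookie/getCookie helpers in 1.7 and the split-based reading in 1.8 concatenate and split raw strings, so a value containing ';' or '=' changes what is stored or read back. The following is an added example, not code from the original post: it percent-encodes values and sets Path, SameSite and Secure. The names buildCookie, parseCookies, TOKEN and the opts fields are assumptions made for illustration.

```javascript
// Added example: names below are assumptions, not the page's own helpers.
var TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265 cookie-name chars

// Build the string to assign to document.cookie. The value is
// percent-encoded, so input such as "x; path=/admin" stays one value
// and cannot append attributes of its own.
function buildCookie(name, value, opts) {
  opts = opts || {};
  var path = opts.path || "/";
  if (!TOKEN.test(name)) throw new Error("invalid cookie name");
  if (/[;\s]/.test(path)) throw new Error("invalid cookie path");
  var parts = [name + "=" + encodeURIComponent(value)];
  if (typeof opts.days === "number") {
    parts.push("Max-Age=" + Math.round(opts.days * 24 * 60 * 60));
  }
  parts.push("Path=" + path, "SameSite=Lax");
  if (opts.secure !== false) parts.push("Secure"); // HTTPS only by default
  // HttpOnly cannot be set from script; a cookie that needs it must be
  // set by the server in a Set-Cookie header.
  return parts.join("; ");
}

// Parse a document.cookie string into decoded name/value pairs.
// Splits on the first "=" only, so values containing "=" survive.
function parseCookies(cookieString) {
  var jar = Object.create(null); // no inherited keys such as "constructor"
  String(cookieString || "").split(";").forEach(function (pair) {
    var eq = pair.indexOf("=");
    if (eq < 0) return; // skip empty or nameless fragments
    var key = pair.slice(0, eq).trim();
    var raw = pair.slice(eq + 1).trim();
    if (key in jar) return; // duplicate name: keep the first entry
    try {
      jar[key] = decodeURIComponent(raw);
    } catch (e) {
      jar[key] = raw; // malformed %-sequence: keep the raw text
    }
  });
  return jar;
}

// Browser usage; skipped where there is no DOM (for example under Node).
if (typeof document !== "undefined") {
  document.cookie = buildCookie("username", "John Doe", { days: 30 });
  console.log(parseCookies(document.cookie).username);
}
```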
Attacks on Cookies
1) XSS attacks
  a. Domain name validations
  b. Sub-domain name validations
1) Cookie positioning (protecting cookies over the wire)
2) Cookie confidentiality (cookie data encryption)