
Drop any session from client side

I'm preparing some diagnostic tool. It operates on the website in the iframe - only by javascript.

Now what I need is to get rid of session cookie in the website that I have in my iframe. I just need to be logged out after performing some operations.

Unfortunately I cannot just drop the session cookie from javascript because it's marked with the httpOnly flag. I did not find any way to open the iframe in incognito mode either.

Now the rules for achieving this are the following:

  • I can add any file to target website server
  • I can run any javascript on website domain
  • I can force user to use specified browser (it does not have to be cross-browser solution)
  • I can NOT modify website code
  • The solution has to be server and programming language independent

Any ideas for the workaround?

Łukasz W. asked Aug 02 '12 17:08


2 Answers

You just can't manage httpOnly cookies from javascript.

But I think that you want to analyze the page, but also with js. So why use an iframe?

You can fetch content of page that is to be analyzed from outside of html or javascript:

  • do ajax request to your application proxy
  • use html5 websockets as proxy server. I assume that the websocket server is yours. Websockets also have cross-domain ability.

You then just need to parse the fetched DOM (I saw something builtin for this). And let the analyzing begin.

Zaffy answered Oct 13 '22 22:10


As far as I understand -

Given that - You will have a website with user login/logout implemented in it.

So if you can have some way for your diagnostic app to have the logout url of target website as a config var or some setting (by putting some js or file in the server) then this job can be very simple. Just let your diagnostic app load that logout url when needed.

kewlashu answered Oct 13 '22 23:10
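Both answers rest on the same browser rule, shown here as an added example that is not from either answer: a simplified model of the RFC 6265 storage rules, in which a script can neither read nor expire an HttpOnly cookie, while a `Set-Cookie` header in a server response can. The `CookieJar` class, the cookie names and values, and the assumption that the logout URL answers with an expiring `Set-Cookie` are constructed for illustration; domain and path matching are omitted.

```javascript
// Simplified model of the RFC 6265 section 5.3 storage rules.
// Cookies are matched by name only; all names and values are constructed.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // fromHttp = true:  cookie arrives in a Set-Cookie response header.
  // fromHttp = false: cookie is assigned by a script via document.cookie.
  set(setCookieString, fromHttp) {
    const [pair, ...attrs] = setCookieString.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let httpOnly = false;
    let expired = false;
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=");
      const key = k.trim().toLowerCase();
      if (key === "httponly") httpOnly = true;
      if (key === "max-age" && /^-?\d+$/.test(v) && Number(v) <= 0) expired = true;
      if (key === "expires" && Date.parse(v) <= Date.now()) expired = true;
    }
    // A script may not create an HttpOnly cookie ...
    if (!fromHttp && httpOnly) return false;
    // ... nor replace or expire one that already exists.
    const old = this.cookies.get(name);
    if (!fromHttp && old && old.httpOnly) return false;
    if (expired) this.cookies.delete(name);
    else this.cookies.set(name, { value, httpOnly });
    return true;
  }

  // What a page script reads from document.cookie: HttpOnly entries are hidden.
  documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join("; ");
  }
  has(name) { return this.cookies.has(name); }
}

function demo() {
  const jar = new CookieJar();
  jar.set("SESSID=abc123; Path=/; HttpOnly", true); // constructed login response
  jar.set("theme=dark; Path=/", true);
  const visible = jar.documentCookie();             // session cookie is not listed
  const scriptDelete = jar.set("SESSID=; Max-Age=0", false); // script attempt is ignored
  const stillThere = jar.has("SESSID");
  jar.set("SESSID=; Max-Age=0; Path=/; HttpOnly", true); // constructed logout response
  return { visible, scriptDelete, stillThere, afterLogout: jar.has("SESSID") };
}
```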