I go to a forum which uses vBulletin 3.8. When I log in, I use firebug to see what cookies were set. I see these cookies:
__utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit
They all had a value set, and the domain was identical.
But when I use JavaScript to view them, it only saw these cookies:
__utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit
In firebug, I only see these three cookies: bbsessionhash, bbpasword and bbuserid, that were actually set. HTTPOnly in column HTTPOnly. What does it mean and is that the reason I can't see those cookies in JavaScript using document.cookie
?
To view all cookies stored in Chrome: Click on the three dots at the top right corner and click Settings. Select Privacy and security and click Cookies and other site data. Click See all cookies and site data.
The data contained in a cookie is automatically transmitted between the web browser and the web server, so CGI scripts on the server can read and write cookie values that are stored on the client. JavaScript can also manipulate cookies using the cookie property of the Document object.
One useful Javascript convenience function I ran across a while back is the javascript:alert(document. cookie) browser scriptlet. If you type this into the address bar of your browser, it will pop up a list of all of the cookies currently set in this domain (try it!)
You are most likely dealing with httponly cookies. httponly is a flag you can set on cookies meaning they can not be accessed by JavaScript.
From http://en.wikipedia.org/wiki/HTTP_cookie:
Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly':
Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.
TheHttpOnly
flag is not part of any standard, and is not implemented in all browsers.
Update from 2017: a lot of time had passed since 2009, and HttpOnly
header flag is became a standard, defined in the section 5.2.6 of RFC6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).
There is no way to access anything about the HttpOnly
cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading, nor writing such cookies is possible.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With