Cookies

Privacy filters on proxies

The page referenced from section 4.4 of the FAQ describes a generally sound strategy for using cookies but suffers from an additional issue relating to "privacy" filters employed by content inserting/re-writing proxies.

The problem is that some of these filters identify the character sequence "cookie" within Javascript source code and replace it with an alternative string. A c.l.j. thread describing an occurrence of this problem had "cookie" replaced by "ignore" by ZoneAlarm, and Proximatron has a similar filter available (but not active) by default.

The effect of changing occurrences of document.cookie into document.ignore within source code is that attempts to write to the property just result in a new string property being assigned to the document object, but no cookie is created. And reading from the property returns the same string, or an undefined value if nothing has yet been written to the property.

The problem with the irt.org code is that the Get_Cookie and Set_Cookie functions are not written with a consideration that document.cookie may not refer to a string.

Get_Cookie will error if "cookie" has been replaced with "ignore" because it treats the document.cookie value as if it was a string. But changing that one function so that it does not attempt to read document.cookie if the value is not a string may prevent the error but would still undermine that strategy used.

However, the problem can be completely avoided by wrapping the content of the Get_Cookie and Set_Cookie functions in typeof tests and only executing the rest of the function if typeof returns "string".

function Get_Cookie(name) {
    if(typeof document.cookie == "string"){
        var start = document.cookie.indexOf(name+"=");
        var len = start+name.length+1;
        if ((!start)&&
            (name != document.cookie.substring(0,name.length))){
               return null;
           }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";",len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len,end));
    }else{
        /* document.cookie is not a string so return an
           empty string. When tested this will type-convert to
           boolean false (accurately) giving the impression that
           client-side cookies are not available on this system:-
        */
        return "";
    }
}

function Set_Cookie(name,value,expires,path,domain,secure) {
    if(typeof document.cookie == "string"){
        document.cookie = name + "=" +escape(value) +
            ( (expires) ? ";expires=" + expires.toGMTString() : "") +
            ( (path) ? ";path=" + path : "") +
            ( (domain) ? ";domain=" + domain : "") +
            ( (secure) ? ";secure" : "");
    }//else document.cookie is not a string so do not write to it.
}

function Delete_Cookie(name,path,domain) {
    if (Get_Cookie(name)) document.cookie = name + "=" +
       ( (path) ? ";path=" + path : "") +
       ( (domain) ? ";domain=" + domain : "") +
       ";expires=Thu, 01-Jan-70 00:00:01 GMT";
    }
}

Cookie reading and writing is unlikely to be done sufficiently often that the extra overhead of the tests will impact on the performance of the resulting script.

comp.lang.javascript FAQ notes T.O.C.