Retrieve a cookie from a different path


Solution 1

When you create the cookie, if you set the path to '/' instead of 'foo' you will be able to read it anywhere on the domain, including '/foo', '/bar', etc.

Solution 2

You can create an <iframe> pointed at a resource inside /bar, and cross-frame-script into it, e.g.:

<iframe src="/bar/blank.html" id="barframe"></iframe>

var barframe= document.getElementById('barframe');
var bardocument= 'contentDocument' in barframe? barframe.contentDocument : barframe.contentWindow.document; // IE compat
alert(bardocument.cookie);

Cookie path= is a convenience measure to prevent accidental cookie name clashes. Given that different paths share a JavaScript origin, it is not an effective security mechanism.
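The distinction Solution 2 draws, as an added example that is not part of the original answer: cookie visibility follows the RFC 6265 path-match rule, while frame access follows the same-origin check, which ignores the path. The function names, cookie names and URLs are constructed for illustration, and the `httpOnly` field is an addition here because the HttpOnly attribute, unlike Path, does keep a cookie out of `document.cookie`.

```javascript
// Added example: a small model of cookie Path scoping next to the same-origin check.
// All names and sample values below are constructed for illustration.

// RFC 6265 section 5.1.4 path-match: does requestPath fall under cookiePath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a path-segment boundary ("/bar" must not match "/barn").
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// The same-origin policy compares scheme, host and port; the path plays no part.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Names of the cookies that document.cookie exposes to a document at docUrl.
function visibleCookies(jar, docUrl) {
  const path = new URL(docUrl).pathname;
  return jar
    .filter((c) => !c.httpOnly && pathMatch(path, c.path))
    .map((c) => c.name);
}

// Names of the cookies a script on pageUrl can read through a frame loaded
// from frameUrl: everything the framed document sees, if the origins match.
function readableViaFrame(jar, pageUrl, frameUrl) {
  return sameOrigin(pageUrl, frameUrl) ? visibleCookies(jar, frameUrl) : [];
}

// Constructed cookie jar for http://127.0.0.1
const jar = [
  { name: 'barpref', path: '/bar', httpOnly: false },
  { name: 'site', path: '/', httpOnly: false },
  { name: 'barsession', path: '/bar', httpOnly: true },
];

const foo = 'http://127.0.0.1/foo';
const barFrame = 'http://127.0.0.1/bar/blank.html';

console.log('document.cookie on /foo sees:', visibleCookies(jar, foo));
console.log('/foo reading through a /bar frame sees:', readableViaFrame(jar, foo, barFrame));
console.log('another origin through the same frame sees:',
  readableViaFrame(jar, 'http://other.example/foo', barFrame));
```

A cookie that must stay out of reach of other pages on the same origin needs HttpOnly or a separate origin; a narrower Path does not provide that.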

Solution 3

As JJ and grawity have mentioned, there is no way you can do this from your page. However, you have a workaround.

i. Place an iframe which points to http://localhost/bar. Have a hidden element on the "bar" page where you store the cookie value. (let this iframe be 1*1 size so it is not visible).

ii. Use JavaScript on "foo" page to fetch the cookie value.

A similar approach (with modifications) can be used to write the cookie value too!

Thanks,

Ramjee.

Solution 4

You can't access cookies from a different path - otherwise it would be a security hole.

The only way I can think of is making /bar set a cookie whose path=/ so that all pages in / (including /foo) could access it.

Author by

Admin

Updated on July 09, 2022

Comments

  • Admin
    Admin almost 2 years

    My current document URL is http://127.0.0.1/foo and I need to change the value of a cookie for http://127.0.0.1/bar. document.cookie is empty because document's URL is foo. For the moment, I just want to read the cookie value. Any clue?

  • Admin
    Admin about 15 years
    I cannot change the cookie's creation and path. So it means it's impossible to access cookie of bar from foo?
  • Antimony
    Antimony over 11 years
    It's not a big security issue because the cookie isn't really protected anyway. Due to SOP ignoring paths, cookie paths are not a meaningful security barrier.
  • Antimony
    Antimony over 11 years
    Wouldn't this let anyone on the internet grab the cookie?
  • Antimony
    Antimony over 11 years
    +1 for pointing out that cookie paths aren't a meaningful security wall.
  • Iliya Kolev
    Iliya Kolev over 9 years
    The path is a performance feature, not a security one... I was missing the "barframe.contentDocument" part. Thanks a lot. +1 from me.