  1. #1
    matsko

    Blocking Cookie Access

    Is it possible to have a script for a particular page which basically prevents any cookie access?

    Code:
    //Have Javascript Block cookie access
    
    //Then document.cookie cannot be read or written upon
    The reason why I am asking is because I am allowing users to basically put their own HTML and JavaScript code into their profile page and I just don't want them to be allowed to edit cookies of visitors.

    I could obviously have a server side script which filters out any JavaScript code that contains document.cookie within it, but if there is a remote <script> tag within the provided code then it would get really complicated to have to download remote js files and filter them out. Also if they're remote then they will be on a remote host, thus they cannot be edited and I do not want to have to store js files on my server.

    So is there any way to get around this?
    I can't believe I ate the whole thing

  2. #2
    SitePoint Evangelist
    This article contains the information you are requesting:
    http://www.yourhtmlsource.com/javascript/cookies.html
    Computers and Fire ...
    In the hands of the inexperienced or uneducated,
    the results can be disastrous.
    While the professional can tame, master even conquer.

  3. #3
    matsko
    Quote Originally Posted by byron3@earthlink:
    This article contains the information you are requesting:
    http://www.yourhtmlsource.com/javascript/cookies.html
    Can't seem to understand where exactly. Are you referring to the PATH option in cookies?

    Well that can be set in PHP no problem, but I still need cookies to work for PHP throughout the website (PHPSESSID). But then once the page is forwarded to the client in html, is there any way to not allow for cookies to be read?
    Last edited by matsko; Jun 8, 2007 at 20:47.

  4. #4
    SitePoint Evangelist
    Write a function, that on load reads your document cookies. If the name / value pair was not issued by you then overwrite the malicious name / value with no value.

  5. #5
    matsko
    Yeah, but won't that break the PHPSESSID value? If someone were to make a script which would rewrite that, then the user's session would be terminated or substituted with another user's.

  6. #6
    SitePoint Evangelist
    You know the name of the php session cookie [PHPSESSID], just do not overwrite this cookie.
    P.S. I created a test page in php using the session_start function and then used print_r to print the array.
    Array ( [PHPSESSID] => 816fc869fc4c764e3900a246768f82b6 )

  7. #7
    CSS & JS/DOM Adept
    That's the whole issue. matsko is asking how to prevent users from using JavaScript to overwrite that cookie or add any other cookies.

    The issue is that there is no way to guarantee that there are no references to document.cookie in the JavaScript code. It's easy to use an obfuscation script to hide it. You can't just simply remove the string "document.cookie" from any JavaScript code.

    What I might do is just remove all script elements and inline event handlers with regular expressions.

    Code:
    $contents = preg_replace("/<\s*script[^>]*(src\s*=[^>]*)>\s*/i","<!-- removed script \\1 \n\n",$contents);
    $contents = preg_replace("/<\s*script[^>]*>(\s*<!--)?/is",'<!-- removed script ',$contents);
    $contents = preg_replace("/(\/\/\s*-->\s*)?<\/script>/is",' /removed script -->',$contents);
    
    $contents = preg_replace("/\bon([a-z]+)\s*=\s*(\"[^\"]*\"|\'[^\']*\')/i",'',$contents);
    We miss you, Dan Schulz.
    Learn CSS. | X/HTML Validator | CSS validator
    Dynamic Site Solutions
    Code for Firefox, Chrome, Safari, & Opera, then add fixes for IE, not vice versa.

  8. #8
    matsko
    Well, that's the thing: I want users to be able to jazz up their profile with JavaScript, but being able to access cookies is where it becomes a problem.

    But maybe, by using httpOnly cookies, I could filter out all of the IE users. PHP 5.2 provides them and they seem to work with IE7, however, Firefox doesn't seem to support them.

  9. #9
    matsko
    After doing some homework on the issue, I found that THIS CAN BE solved by using some FF-only JavaScript and the httpOnly cookie feature from IE.

    Basically what you do is this:

    - Have PHP 5.2 installed (this will allow for the httpOnly cookie creation option within PHP's setcookie function). This will prevent the selected cookies of IE users from being read by JavaScript. PHP doesn't set this option by default, so a home-made session setup should be made.

    - Internet Explorer 6 (SP1) and up support the httpOnly cookie feature.

    - For dealing with the Mozilla users, the only way to prevent this cookie abuse is to do what I suggested in the first place: disable reading/writing of cookies. Mozilla seems to support its own series of setting and getting prototype functions in JavaScript. So what you do is at the top of the <head> tags of the HTML page, place the following two snippets of code:

    Code:
    HTMLDocument.prototype.__defineGetter__("cookie",function (){return null;});
    
    HTMLDocument.prototype.__defineSetter__("cookie",function (new){});
    This should prevent the reading and writing of cookies. I am not sure about Opera, Safari or Netscape. But since Firefox is a part of Mozilla, I do believe that other Mozilla browsers support the __defineSetter__ and __defineGetter__ prototype settings.

  10. #10
    SitePoint Guru
    HTMLDocument.prototype.__defineSetter__("cookie",function (new){});
    Don't use new here; it is a keyword and will throw an error.

    HTMLDocument.prototype.__defineSetter__("cookie",function (){});

    This site may be of interest (httponly-cookies-and-mozilla-firefox):
    http://www.ush.it/2006/07/28/httponl...zilla-firefox/
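The getter/setter shadowing from posts #9 and #10, as an added example that is not code from the thread: it uses the standardised Object.defineProperty (the successor to __defineGetter__/__defineSetter__) and runs against a constructed stand-in for a browser document, so the blocked reads and dropped writes can be checked offline. The stand-in document, its `_jar` hook and the sample PHPSESSID value are all constructed for this example.

```javascript
// Constructed stand-in for a browser document: a cookie jar behind a `cookie`
// accessor on the prototype, the way Document.prototype.cookie works in a browser.
function makeFakeDocument(initialJar) {
  const jar = Object.assign({}, initialJar);
  const proto = {};
  Object.defineProperty(proto, 'cookie', {
    get() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set(str) {
      const pair = String(str).split(';')[0];
      const eq = pair.indexOf('=');
      const name = (eq < 0 ? pair : pair.slice(0, eq)).trim();
      jar[name] = eq < 0 ? '' : pair.slice(eq + 1).trim();
    },
    configurable: true,
  });
  const doc = Object.create(proto);
  doc._jar = jar; // hook so the demo can see what really reached the jar
  return doc;
}

// The defence from the thread: shadow `cookie` on the document instance with a
// getter that returns null and a setter that drops the write. configurable:false
// stops a later script from simply deleting the shadow to reach the prototype again.
function blockCookieAccess(doc) {
  Object.defineProperty(doc, 'cookie', {
    get() { return null; },
    set(_value) { /* swallow the write */ },
    configurable: false,
    enumerable: false,
  });
  return doc;
}

function demo() {
  const doc = makeFakeDocument({ PHPSESSID: 'constructed-session-id' });
  const before = doc.cookie;                  // 'PHPSESSID=constructed-session-id'
  blockCookieAccess(doc);
  const read = doc.cookie;                    // null
  doc.cookie = 'PHPSESSID=overwritten';       // dropped by the shadow setter
  let deleted;
  try { deleted = delete doc.cookie; } catch (e) { deleted = false; } // strict mode throws
  return { before, read, jar: Object.assign({}, doc._jar), deleted };
}
```

The shadow only helps if it runs before any profile script and it lives in the same origin as that script, so treat it as a speed bump; the HttpOnly flag set server-side (post #9) is what keeps PHPSESSID out of document.cookie regardless of what runs on the page.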

  11. #11
    matsko
    The __defineGetter__ and __defineSetter__ are, I think, included in JavaScript 1.5.

    Firefox 2.x supports up to JavaScript 1.7 and IE7 only supports up to JavaScript 1.3. That might explain why the __defineGetter__ and __defineSetter__ functions don't work with IE.
