www.webdeveloper.com
Page 1 of 2 12 LastLast
Results 1 to 15 of 16

Thread: Session cookies being deleted without being coded to do so

Hybrid View

  1. #1
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582

    Session cookies being deleted without being coded to do so

    Hello, everyone.

    Aside from using code to delete a JavaScript session cookie, what can arbitrarily overwrite/delete a JavaScript session cookie?

    I ask because I have something that is working flawlessly in development; but as soon as it's moved into a staging area for testing, it stops working.

    My initial thought was that there is something causing the browser to think that it's being redirected to another domain, thereby deleting the session. But further testing indicates this is not the case.

    Basically put, I have a detail page for clients that contains nine categories; all categories are loaded in an "expanded" state (shows all information for each category) and has a "hide" link next to the header. Click "hide" and the whole category collapses, and the link becomes "expand"; click "expand" and vice-a-versa.

    Also on initial page load, the document looks for a session cookie called "vddstatus"; if it does not exist, it creates the session cookie with default values set so that all categories are expanded; if it does exist, it checks the values and adjusts the expanded/hidden status as needed. This way, no matter what page you go to, when you come back to the details page, it remembers the expanded/hidden status of each category.

    Like I said, on the development server it works excellently; in the staging environment, the only time it remembers the category statuses is if you click "HIDE ALL"; anything else it apparently deletes the session cookie and generates a new one, set to all categories expanded.

    Any idea what could be causing this in staging but not in development?

    Thanks,

    ^_^

  2. #2
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    Follow up question: Can a JavaScript session cookie be erased in a clustered environment?

    I assumed that since the session exists in the browsers memory, it would not be affected by a clustered server setup - as long as it stayed in the same domain with every click.

    ^_^

  3. #3
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    No one can tell me if JavaScript session cookies are affected by clustered server environment? Does anyone know of anything that can cause JavaScript session cookies to destruct without being instructed to do so?

  4. #4
    Join Date
    Mar 2009
    Posts
    430
    The only thing I know of (and this probably isn't applicable to your problem) is when a site places a lot of cookies on the visitors browser. There are browser specific limits as to the size and number of cookies that will be accepted. I have also seen a situation before where two different cookies for two different purposes (one set by javascript the other on the server side) were given the same name, and were effectively overwriting one another.

    Sorry--that's all I can think of.

  5. #5
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

    ^_^

  6. #6
    Join Date
    Jan 2009
    Posts
    3,346
    Quote Originally Posted by WolfShade View Post
    Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

    ^_^
    That sounds like it might be a logic bomb. Maybe post some code for us to take a gander.

  7. #7
    Join Date
    Mar 2009
    Posts
    430
    One other thing occurred to me, but its pure speculation... Does your function that sets the cookie set and rely upon the optional cookie parameters 'domain' or 'path' ? If so, there could be a potential problem here, especially if no expiration date is set.

  8. #8
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    criterion9: I'll post some code in a bit.

    Tcobb: The cookie does include ";path=/". I have since started adding an expiration date to switch from a session cookie to a physical cookie, with no noticeable difference.

    ^_^

  9. #9
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    I'm still waiting for my changes to be pushed from dev to staging, so if my last changes work this will be for nothing.

    Here goes.. when the page first loads, there is no client selected so no data is displayed - no data, no categories, so nothing happens. Upon selecting a client from a drop down menu, there is an onChange event that (in addition to querying the database for client information) does the following:
    Code:
    onChange="document.cookie='vddstatus=\'\'; expires=Wed, 31 Dec 1980 23:59:11 UTC; path=/';"
    It erases the cookie (expires it and sets it blank so the browser doesn't see it.)

    When the page loads with data, a function is then automatically run:
    Code:
    function setDivState() {
    	allNames = "";
    	allDivs = document.getElementsByTagName('div');
    	b=0;
    	cookieValue = "vddstatus=";
    	for(a=0;a<allDivs.length;a++) {
    		if(allDivs[a].className == "input-table") { // Gets only divs that are expandable/collapsable
    			if(b==0) {
    				cookieValue += allDivs[a].id + ",1";
    				}
    			else {
    				cookieValue += "|" + allDivs[a].id + ",1";
    				}
    			b++;
    			}
    		}
    	cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
    //cookieValue looks like
    // vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
    // 1 means expanded, 0 means closed/hidden
    
    	cookieStart = 0;
    	if(document.cookie.length <= 0) { // No cookie			
    		document.cookie = cookieValue;
    		}
    	cookieStart = document.cookie.indexOf("vmpdetdivstatus=");
    	if(cookieStart == -1) { // There is a cookie, but it doesn't have what we need
    		document.cookie = cookieValue;
    		}
    	cookieStart = document.cookie.indexOf("vmpdetdivstatus=");
    
    	vmpStart = cookieStart + 16;
    	vmpEnd = document.cookie.indexOf(";",vmpStart);
    	if(vmpEnd == -1) { vmpEnd = document.cookie.length; }
    	vmpValue = unescape(document.cookie.substring(vmpStart,vmpEnd));
    	//alert(vmpValue);
    	stateArray = new Array();
    	stateArray = vmpValue.split("|");
    	saLength = stateArray.length;
    	for(i=0;i<saLength;i++) {
    		nameState = stateArray[i].split(",");
    		thisName = nameState[0]; thisState = nameState[1]; thisLink = document.getElementById(thisName+"-display");
    		switch(thisState) {
    			case "0":
    				document.getElementById(thisName).style.display = "none";
    				thisLink.innerHTML = "[expand]";
    			break;
    			default:
    			break;
    			}
    		} 
    	}
    If the cookie does not exist, set it to default all expanded. Regardless, read the cookie and set the category status to what is in the array.

    Now for the hide/expand links. There is a "hide/expand one", a "hide all", and an "expand all". There is also a function for setting the cookie value accordingly.

    Unfortunately, this post is running out of room, so I'll continue in the next reply.

    (cont'd)

  10. #10
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    Code:
    // This is the hide/expand one category
    function toggleSectionDisplay(lnk, obj_id) {
    	alterCurrentDivState(obj_id);
    	obj = document.getElementById(obj_id);
    	if(obj.style.display == 'none') {
    		obj.style.display = '';
    		lnk.innerHTML = '[hide]';
    		}
    	else {
    		obj.style.display = 'none';
    		lnk.innerHTML = '[expand]';
    		}	
    	return false;
    	}
    
    // This is the hide all
    function hideSectionsDisplay(){
    	var newCookieValue = cookieValue;
    	newCookieValue = newCookieValue.replace(/\,1/gi, ",0"); // turn all opens into closes
    	document.cookie = newCookieValue;
    	obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
    	lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");
    	
    	for(var i=0; i<obj_arr.length; i++)
    		obj_arr[i].style.display = 'none';
    
    	for(var i=0; i<lnk_arr.length; i++)
    		lnk_arr[i].innerHTML = '[expand]';
    	
    	return false;
    }
    
    // Here is the expand all
    function expandSectionsDisplay(){
    	document.cookie = cookieValue; //Sets cookie to expand all divs
    
    	obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
    	lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");
    	
    	for(var i=0; i<obj_arr.length; i++) {
    		obj_arr[i].style.display = ''; 
    		}
    	for(var i=0; i<lnk_arr.length; i++) {
    		lnk_arr[i].innerHTML = '[hide]';
    		}
    	return false;
    }
    
    //Last but not least, here is what sets individual open/close settings in the cookie
    function alterCurrentDivState(toggleThis) { // Change the state (0 or 1) of a div in cookie value
    	if((document.cookie.length <= 0) || (document.cookie.indexOf("vddstatus=") < 0)) {
    		document.cookie = cookieValue; alert("Category states undefined - reset to all categories expanded.");
    		}
    	var vmpCookieExists = document.cookie.indexOf("vddstatus=");
    	var vmpCookieStart = vmpCookieExists + 16;
    	var vmpCookieEnd = document.cookie.indexOf(";",vmpCookieStart);
    	var vmpCookieValue = unescape(document.cookie.substring(vmpCookieStart,vmpCookieEnd));
    	var thisArray = new Array(); 
    	thisArray = vmpCookieValue.split("|"); 
    	thisLength = thisArray.length;
    	var newCookieValue = "vddstatus=";
    	var thisDivState, thisId, thisState;
    	for(a=0;a<thisLength;a++) {
    		thisDivState = thisArray[a].split(","); thisId = thisDivState[0]; thisState = thisDivState[1];
    		if(toggleThis == thisId) {
    			switch(thisState) {
    				case "1": thisArray[a] = thisId + ",0"; break;
    				case "0": thisArray[a] = thisId + ",1"; break;
    				}
    			}
    		switch(a) {
    			case 0: newCookieValue += thisArray[a]; break;
    			default: newCookieValue += "|" + thisArray[a];  break;
    			}
    		}
    	newCookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
    	document.cookie = newCookieValue; //alert(document.cookie);
    	}
    There _could_ be a logic bomb in there.. I tried to be as careful as I could. If you see something, please LMK.

    Thanks,

    ^_^

  11. #11
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    Anyone see anything in the code that might cause the cookie to set the value to a TLID or CFID? I think, now, that is what is happening.

    ^_^

  12. #12
    Join Date
    Mar 2009
    Posts
    430
    Maybe I'm missing something here but I don't see where you are escaping all of the data before you write the cookie. In the function setDivState() there is the line:
    Code:
    cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
    I know that spaces are not allowed within the data that the cookie is storing. Are they allowed within the parameter sections?

  13. #13
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.

    ^_^

  14. #14
    Join Date
    Mar 2009
    Posts
    430
    I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.


    Yeah--you're right. But looking at your code again, I noticed this:

    Code:
    //cookieValue looks like
    // vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
    The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.

  15. #15
    Join Date
    Dec 2002
    Location
    St. Louis, MO, USA
    Posts
    1,582
    Quote Originally Posted by Tcobb View Post
    The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.
    I'll Google that; but even if that did explain why it's not working in staging, why does it work in development? That's the thing that really has me scratching my head.. it works in development but not in staging (and, theoretically, it won't work in production, either.)

    ^_^

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles