Session cookies being deleted without being coded to do so

[WolfShade]

Hello, everyone.

Aside from using code to delete a JavaScript session cookie, what can arbitrarily overwrite/delete a JavaScript session cookie?

I ask because I have something that is working flawlessly in development; but as soon as it's moved into a staging area for testing, it stops working.

My initial thought was that there is something causing the browser to think that it's being redirected to another domain, thereby deleting the session. But further testing indicates this is not the case.

Basically put, I have a detail page for clients that contains nine categories; all categories are loaded in an "expanded" state (shows all information for each category) and has a "hide" link next to the header. Click "hide" and the whole category collapses, and the link becomes "expand"; click "expand" and vice-a-versa.

Also on initial page load, the document looks for a session cookie called "vddstatus"; if it does not exist, it creates the session cookie with default values set so that all categories are expanded; if it does exist, it checks the values and adjusts the expanded/hidden status as needed. This way, no matter what page you go to, when you come back to the details page, it remembers the expanded/hidden status of each category.

Like I said, on the development server it works excellently; in the staging environment, the only time it remembers the category statuses is if you click "HIDE ALL"; anything else it apparently deletes the session cookie and generates a new one, set to all categories expanded.

Any idea what could be causing this in staging but not in development?

Thanks,

^_^

[WolfShade]

Follow up question: Can a JavaScript session cookie be erased in a clustered environment?

I assumed that since the session exists in the browsers memory, it would not be affected by a clustered server setup - as long as it stayed in the same domain with every click.

^_^

[WolfShade]

No one can tell me if JavaScript session cookies are affected by clustered server environment? Does anyone know of anything that can cause JavaScript session cookies to destruct without being instructed to do so?

[Tcobb]

The only thing I know of (and this probably isn't applicable to your problem) is when a site places a lot of cookies on the visitors browser. There are browser specific limits as to the size and number of cookies that will be accepted. I have also seen a situation before where two different cookies for two different purposes (one set by javascript the other on the server side) were given the same name, and were effectively overwriting one another.

Sorry--that's all I can think of.

[WolfShade]

Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

^_^

[criterion9]

Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

^_^

That sounds like it might be a logic bomb. Maybe post some code for us to take a gander.

[Tcobb]

One other thing occurred to me, but its pure speculation... Does your function that sets the cookie set and rely upon the optional cookie parameters 'domain' or 'path' ? If so, there could be a potential problem here, especially if no expiration date is set.

[WolfShade]

criterion9: I'll post some code in a bit.

Tcobb: The cookie does include ";path=/". I have since started adding an expiration date to switch from a session cookie to a physical cookie, with no noticeable difference.

^_^

[WolfShade]

I'm still waiting for my changes to be pushed from dev to staging, so if my last changes work this will be for nothing.

Here goes.. when the page first loads, there is no client selected so no data is displayed - no data, no categories, so nothing happens. Upon selecting a client from a drop down menu, there is an onChange event that (in addition to querying the database for client information) does the following:

Code:

onChange="document.cookie='vddstatus=\'\'; expires=Wed, 31 Dec 1980 23:59:11 UTC; path=/';"

It erases the cookie (expires it and sets it blank so the browser doesn't see it.)

When the page loads with data, a function is then automatically run:

Code:

function setDivState() {
	allNames = "";
	allDivs = document.getElementsByTagName('div');
	b=0;
	cookieValue = "vddstatus=";
	for(a=0;a<allDivs.length;a++) {
		if(allDivs[a].className == "input-table") { // Gets only divs that are expandable/collapsable
			if(b==0) {
				cookieValue += allDivs[a].id + ",1";
				}
			else {
				cookieValue += "|" + allDivs[a].id + ",1";
				}
			b++;
			}
		}
	cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
//cookieValue looks like
// vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
// 1 means expanded, 0 means closed/hidden

	cookieStart = 0;
	if(document.cookie.length <= 0) { // No cookie			
		document.cookie = cookieValue;
		}
	cookieStart = document.cookie.indexOf("vmpdetdivstatus=");
	if(cookieStart == -1) { // There is a cookie, but it doesn't have what we need
		document.cookie = cookieValue;
		}
	cookieStart = document.cookie.indexOf("vmpdetdivstatus=");

	vmpStart = cookieStart + 16;
	vmpEnd = document.cookie.indexOf(";",vmpStart);
	if(vmpEnd == -1) { vmpEnd = document.cookie.length; }
	vmpValue = unescape(document.cookie.substring(vmpStart,vmpEnd));
	//alert(vmpValue);
	stateArray = new Array();
	stateArray = vmpValue.split("|");
	saLength = stateArray.length;
	for(i=0;i<saLength;i++) {
		nameState = stateArray[i].split(",");
		thisName = nameState[0]; thisState = nameState[1]; thisLink = document.getElementById(thisName+"-display");
		switch(thisState) {
			case "0":
				document.getElementById(thisName).style.display = "none";
				thisLink.innerHTML = "[expand]";
			break;
			default:
			break;
			}
		} 
	}

If the cookie does not exist, set it to default all expanded. Regardless, read the cookie and set the category status to what is in the array.

Now for the hide/expand links. There is a "hide/expand one", a "hide all", and an "expand all". There is also a function for setting the cookie value accordingly.

Unfortunately, this post is running out of room, so I'll continue in the next reply.

(cont'd)

[WolfShade]

Code:

// This is the hide/expand one category
function toggleSectionDisplay(lnk, obj_id) {
	alterCurrentDivState(obj_id);
	obj = document.getElementById(obj_id);
	if(obj.style.display == 'none') {
		obj.style.display = '';
		lnk.innerHTML = '[hide]';
		}
	else {
		obj.style.display = 'none';
		lnk.innerHTML = '[expand]';
		}	
	return false;
	}

// This is the hide all
function hideSectionsDisplay(){
	var newCookieValue = cookieValue;
	newCookieValue = newCookieValue.replace(/\,1/gi, ",0"); // turn all opens into closes
	document.cookie = newCookieValue;
	obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
	lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");
	
	for(var i=0; i<obj_arr.length; i++)
		obj_arr[i].style.display = 'none';

	for(var i=0; i<lnk_arr.length; i++)
		lnk_arr[i].innerHTML = '[expand]';
	
	return false;
}

// Here is the expand all
function expandSectionsDisplay(){
	document.cookie = cookieValue; //Sets cookie to expand all divs

	obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
	lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");
	
	for(var i=0; i<obj_arr.length; i++) {
		obj_arr[i].style.display = ''; 
		}
	for(var i=0; i<lnk_arr.length; i++) {
		lnk_arr[i].innerHTML = '[hide]';
		}
	return false;
}

//Last but not least, here is what sets individual open/close settings in the cookie
function alterCurrentDivState(toggleThis) { // Change the state (0 or 1) of a div in cookie value
	if((document.cookie.length <= 0) || (document.cookie.indexOf("vddstatus=") < 0)) {
		document.cookie = cookieValue; alert("Category states undefined - reset to all categories expanded.");
		}
	var vmpCookieExists = document.cookie.indexOf("vddstatus=");
	var vmpCookieStart = vmpCookieExists + 16;
	var vmpCookieEnd = document.cookie.indexOf(";",vmpCookieStart);
	var vmpCookieValue = unescape(document.cookie.substring(vmpCookieStart,vmpCookieEnd));
	var thisArray = new Array(); 
	thisArray = vmpCookieValue.split("|"); 
	thisLength = thisArray.length;
	var newCookieValue = "vddstatus=";
	var thisDivState, thisId, thisState;
	for(a=0;a<thisLength;a++) {
		thisDivState = thisArray[a].split(","); thisId = thisDivState[0]; thisState = thisDivState[1];
		if(toggleThis == thisId) {
			switch(thisState) {
				case "1": thisArray[a] = thisId + ",0"; break;
				case "0": thisArray[a] = thisId + ",1"; break;
				}
			}
		switch(a) {
			case 0: newCookieValue += thisArray[a]; break;
			default: newCookieValue += "|" + thisArray[a];  break;
			}
		}
	newCookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
	document.cookie = newCookieValue; //alert(document.cookie);
	}

There _could_ be a logic bomb in there.. I tried to be as careful as I could. If you see something, please LMK.

Thanks,

^_^

[WolfShade]

Anyone see anything in the code that might cause the cookie to set the value to a TLID or CFID? I think, now, that is what is happening.

^_^

[Tcobb]

Maybe I'm missing something here but I don't see where you are escaping all of the data before you write the cookie. In the function setDivState() there is the line:

Code:

cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";

I know that spaces are not allowed within the data that the cookie is storing. Are they allowed within the parameter sections?

[WolfShade]

I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.

^_^

[Tcobb]

I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.


Yeah--you're right. But looking at your code again, I noticed this:

Code:

//cookieValue looks like
// vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";

The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.

[WolfShade]

The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.

I'll Google that; but even if that did explain why it's not working in staging, why does it work in development? That's the thing that really has me scratching my head.. it works in development but not in staging (and, theoretically, it won't work in production, either.)

^_^