Reputation: 18465
As the question says, can you find out if a cookie exists within JavaScript if it is HttpOnly? I don't need to access the information inside of it, just know it has one.
A little more information on the situation is that there was originally a web server which used a cookie as an authentication token, and it was set to httponly as it was not used by the client so it added to the security.
However, now there is a change needed where the client needs to know if it has the cookie (as the site can work without the user being logged in, but if they are logged in (the auth cookie would exist) the site needs to display certain things and hide others).
There are other security precautions in place on the web server so there is no harm in the scenario where the client has an incorrect auth cookie, but the site makes it look like they are logged in, as it would delete the cookie and reject the user.
Upvotes: 50
Views: 57417
Reputation: 29981
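You can indirectly check to see if it exists by trying to set it to a value with JavaScript; if it can't be set, then the HttpOnly cookie must be there (or the user is blocking cookies).
function doesHttpOnlyCookieExist(cookiename) {
    // Try to overwrite the cookie from script with a one-second lifetime.
    var d = new Date();
    d.setTime(d.getTime() + (1000));
    var expires = "expires=" + d.toUTCString();
    document.cookie = cookiename + "=new_value;path=/;" + expires;
    // If the write did not take, an HttpOnly cookie of that name blocked it
    // (or cookies are disabled). Match whole names so "xauth=" is not read as "auth=".
    var prefix = cookiename + '=';
    return !document.cookie.split('; ').some(function (c) { return c.indexOf(prefix) === 0; });
}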
Upvotes: 56
Reputation: 3079
I had the same problem. I solved it with the server setting another cookie, not httponly, every time it refreshed the httponly session cookie, with the same max-age and no sensitive data. Now, if one of them is present, the same goes for the other, and the client can know if the httponly counterpart is there.
Upvotes: 66
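The companion-cookie approach from the answer above, as an added example that is not part of the original answer. The cookie names `session` and `logged_in`, the `Secure` and `SameSite` attributes and all helper names are assumptions, and `visibleToScript` only simulates what a browser exposes through `document.cookie`.

```javascript
// Added example. All names below are assumptions, not taken from the answer.
const SESSION_COOKIE = "session";   // HttpOnly auth token
const MARKER_COOKIE = "logged_in";  // script-readable companion, carries no secret

// Server side: build both Set-Cookie header values with the same lifetime,
// so the marker never outlives (or expires before) the real session cookie.
function loginCookies(token, maxAgeSeconds) {
  const common = `Path=/; Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
  return [
    `${SESSION_COOKIE}=${encodeURIComponent(token)}; ${common}; HttpOnly`,
    `${MARKER_COOKIE}=1; ${common}`,
  ];
}

// Server side: expire both together on logout or when the token is rejected.
function logoutCookies() {
  return loginCookies("", 0);
}

// Client side: exact-name lookup in a document.cookie style string.
function hasCookie(cookieString, name) {
  return cookieString
    .split(";")
    .some((pair) => pair.trim().split("=")[0] === name);
}

// Client side: UI hint only. The server still validates the HttpOnly cookie
// on every request, so a forged marker changes what is drawn, not what is allowed.
function looksLoggedIn(cookieString) {
  return hasCookie(cookieString, MARKER_COOKIE);
}

// Simulation of the browser: HttpOnly and already-expired cookies are hidden
// from script, everything else shows up as "name=value" pairs.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly/i.test(h) && !/;\s*Max-Age=0\b/i.test(h))
    .map((h) => h.split(";")[0])
    .join("; ");
}
```

In a page, the check is `looksLoggedIn(document.cookie)`.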
Reputation: 1039
Whenever you need to check whether the cookie exists or not, you can send a request to the server that requires authentication & check the response. If it's something like 401 Unauthorized or 403 Forbidden, then the cookie probably doesn't exist & you can prompt the user for login.
On the other hand, if the cookie exists, it'll be automatically sent by the browser resulting in a 200 OK response.
Upvotes: 13
Reputation: 783
No. And see Rob's comments below.
See this, which you probably already saw - http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie")...
Edit: Removed undefined response, I wrote a script that you may not be using :)
Upvotes: 12