
Session cookies being deleted without being coded to do so

Hello, everyone.

Aside from using code to delete a JavaScript session cookie, what can arbitrarily overwrite/delete a JavaScript session cookie?

I ask because I have something that is working flawlessly in development; but as soon as it’s moved into a staging area for testing, it stops working.

My initial thought was that there is something causing the browser to think that it’s being redirected to another domain, thereby deleting the session. But further testing indicates this is not the case.

Basically put, I have a detail page for clients that contains nine categories; all categories are loaded in an “expanded” state (shows all information for each category) and has a “hide” link next to the header. Click “hide” and the whole category collapses, and the link becomes “expand”; click “expand” and vice versa.

Also on initial page load, the document looks for a session cookie called “vddstatus”; if it does not exist, it creates the session cookie with default values set so that all categories are expanded; if it does exist, it checks the values and adjusts the expanded/hidden status as needed. This way, no matter what page you go to, when you come back to the details page, it remembers the expanded/hidden status of each category.

Like I said, on the development server it works excellently; in the staging environment, the only time it remembers the category statuses is if you click “HIDE ALL”; anything else it apparently deletes the session cookie and generates a new one, set to all categories expanded.

Any idea what could be causing this in staging but not in development?

Thanks,

^_^

JavaScript

18 Comments(s)

@WolfShadeauthorJan 03.2011 — Follow up question: Can a JavaScript session cookie be erased in a clustered environment?

I assumed that since the session exists in the browser's memory, it would not be affected by a clustered server setup - as long as it stayed in the same domain with every click.

^_^
@WolfShadeauthorJan 04.2011 — No one can tell me if JavaScript session cookies are affected by clustered server environment? Does anyone know of anything that can cause JavaScript session cookies to destruct without being instructed to do so?
@TcobbJan 04.2011 — The only thing I know of (and this probably isn't applicable to your problem) is when a site places a lot of cookies on the visitor's browser. There are browser-specific limits as to the size and number of cookies that will be accepted. I have also seen a situation before where two different cookies for two different purposes (one set by javascript, the other on the server side) were given the same name, and were effectively overwriting one another.

Sorry--that's all I can think of.
@WolfShadeauthorJan 04.2011 — Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

^_^
@criterion9Jan 04.2011 — [QUOTE]Thanks for the reply, Tcobb. Unfortunately, the cookie is being given a unique name, and the information is small enough that it isn't coming close to capacity for cookie value limit. And the weird thing is that if "hide all" is clicked, throwing all categories into hidden mode, it will remember that; but if you click on just one category "expand" link, the cookie is reset to default. There's nothing in the code that does that. Very odd.

^_^[/QUOTE]


That sounds like it might be a logic bomb. Maybe post some code for us to take a gander.
@TcobbJan 04.2011 — One other thing occurred to me, but it's pure speculation... Does your function that sets the cookie set and rely upon the optional cookie parameters 'domain' or 'path'? If so, there could be a potential problem here, especially if no expiration date is set.
@WolfShadeauthorJan 04.2011 — criterion9: I'll post some code in a bit.

Tcobb: The cookie does include ";path=/". I have since started adding an expiration date to switch from a session cookie to a physical cookie, with no noticeable difference.

^_^
@WolfShadeauthorJan 04.2011 — I'm still waiting for my changes to be pushed from dev to staging, so if my last changes work this will be for nothing.

Here goes.. when the page first loads, there is no client selected so no data is displayed - no data, no categories, so nothing happens. Upon selecting a client from a drop down menu, there is an onChange event that (in addition to querying the database for client information) does the following:
[CODE]onChange="document.cookie='vddstatus=''; expires=Wed, 31 Dec 1980 23:59:11 UTC; path=/';"[/CODE]
It erases the cookie (expires it and sets it blank so the browser doesn't see it.)

When the page loads with data, a function is then automatically run:
[CODE]function setDivState() {
  allNames = "";
  allDivs = document.getElementsByTagName('div');
  b=0;
  cookieValue = "vddstatus=";
  for(a=0;a<allDivs.length;a++) {
    if(allDivs[a].className == "input-table") { // Gets only divs that are expandable/collapsable
      if(b==0) {
        cookieValue += allDivs[a].id + ",1";
      }
      else {
        cookieValue += "|" + allDivs[a].id + ",1";
      }
      b++;
    }
  }
  cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
  //cookieValue looks like
  // vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
  // 1 means expanded, 0 means closed/hidden

  cookieStart = 0;
  if(document.cookie.length <= 0) { // No cookie
    document.cookie = cookieValue;
  }
  cookieStart = document.cookie.indexOf("vmpdetdivstatus=");
  if(cookieStart == -1) { // There is a cookie, but it doesn't have what we need
    document.cookie = cookieValue;
  }
  cookieStart = document.cookie.indexOf("vmpdetdivstatus=");

  vmpStart = cookieStart + 16;
  vmpEnd = document.cookie.indexOf(";",vmpStart);
  if(vmpEnd == -1) { vmpEnd = document.cookie.length; }
  vmpValue = unescape(document.cookie.substring(vmpStart,vmpEnd));
  //alert(vmpValue);
  stateArray = new Array();
  stateArray = vmpValue.split("|");
  saLength = stateArray.length;
  for(i=0;i<saLength;i++) {
    nameState = stateArray[i].split(",");
    thisName = nameState[0]; thisState = nameState[1]; thisLink = document.getElementById(thisName+"-display");
    switch(thisState) {
      case "0":
        document.getElementById(thisName).style.display = "none";
        thisLink.innerHTML = "[expand]";
        break;
      default:
        break;
    }
  }
}[/CODE]


If the cookie does not exist, set it to default all expanded. Regardless, read the cookie and set the category status to what is in the array.

Now for the hide/expand links. There is a "hide/expand one", a "hide all", and an "expand all". There is also a function for setting the cookie value accordingly.

Unfortunately, this post is running out of room, so I'll continue in the next reply.

(cont'd)
@WolfShadeauthorJan 04.2011 —
[CODE]// This is the hide/expand one category
function toggleSectionDisplay(lnk, obj_id) {
  alterCurrentDivState(obj_id);
  obj = document.getElementById(obj_id);
  if(obj.style.display == 'none') {
    obj.style.display = '';
    lnk.innerHTML = '[hide]';
  }
  else {
    obj.style.display = 'none';
    lnk.innerHTML = '[expand]';
  }
  return false;
}

// This is the hide all
function hideSectionsDisplay(){
  var newCookieValue = cookieValue;
  newCookieValue = newCookieValue.replace(/,1/gi, ",0"); // turn all opens into closes
  document.cookie = newCookieValue;
  obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
  lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");

  for(var i=0; i<obj_arr.length; i++)
    obj_arr[i].style.display = 'none';

  for(var i=0; i<lnk_arr.length; i++)
    lnk_arr[i].innerHTML = '[expand]';

  return false;
}

// Here is the expand all
function expandSectionsDisplay(){
  document.cookie = cookieValue; //Sets cookie to expand all divs

  obj_arr = AJS.getElementsByTagAndClassName(null,"input-table");
  lnk_arr = AJS.getElementsByTagAndClassName(null,"section_display");

  for(var i=0; i<obj_arr.length; i++) {
    obj_arr[i].style.display = '';
  }
  for(var i=0; i<lnk_arr.length; i++) {
    lnk_arr[i].innerHTML = '[hide]';
  }
  return false;
}

//Last but not least, here is what sets individual open/close settings in the cookie
function alterCurrentDivState(toggleThis) { // Change the state (0 or 1) of a div in cookie value
  if((document.cookie.length <= 0) || (document.cookie.indexOf("vddstatus=") < 0)) {
    document.cookie = cookieValue; alert("Category states undefined - reset to all categories expanded.");
  }
  var vmpCookieExists = document.cookie.indexOf("vddstatus=");
  var vmpCookieStart = vmpCookieExists + 16;
  var vmpCookieEnd = document.cookie.indexOf(";",vmpCookieStart);
  var vmpCookieValue = unescape(document.cookie.substring(vmpCookieStart,vmpCookieEnd));
  var thisArray = new Array();
  thisArray = vmpCookieValue.split("|");
  thisLength = thisArray.length;
  var newCookieValue = "vddstatus=";
  var thisDivState, thisId, thisState;
  for(a=0;a<thisLength;a++) {
    thisDivState = thisArray[a].split(","); thisId = thisDivState[0]; thisState = thisDivState[1];
    if(toggleThis == thisId) {
      switch(thisState) {
        case "1": thisArray[a] = thisId + ",0"; break;
        case "0": thisArray[a] = thisId + ",1"; break;
      }
    }
    switch(a) {
      case 0: newCookieValue += thisArray[a]; break;
      default: newCookieValue += "|" + thisArray[a]; break;
    }
  }
  newCookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
  document.cookie = newCookieValue; //alert(document.cookie);
}[/CODE]


There _could_ be a logic bomb in there.. I tried to be as careful as I could. If you see something, please LMK.

Thanks,

^_^
@WolfShadeauthorJan 05.2011 — Anyone see anything in the code that might cause the cookie to set the value to a TLID or CFID? I think, now, that is what is happening.

^_^
@TcobbJan 05.2011 — Maybe I'm missing something here but I don't see where you are escaping all of the data before you write the cookie. In the function setDivState() there is the line:
[CODE]cookieValue += "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";[/CODE]
I know that spaces are not allowed within the data that the cookie is storing. Are they allowed within the parameter sections?
@WolfShadeauthorJan 05.2011 — I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.

^_^
@TcobbJan 05.2011 — [I]I can only assume that it's okay. When I first Googled "javascript cookies", the tutorial that I looked at had it that way.

[/I]


Yeah--you're right. But looking at your code again, I noticed this:

[CODE]//cookieValue looks like
// vddstatus=cat1,1|cat2,1|cat3,1.. cat9,1; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";[/CODE]


The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.
@WolfShadeauthorJan 05.2011 — [QUOTE]The value has commas in it which are, as far as I can see, not escaped in the setDivState() function, and commas are not allowed within the value portion of the cookie string.[/QUOTE]
I'll Google that; but even if that did explain why it's not working in staging, why does it work in development? That's the thing that really has me scratching my head.. it works in development but not in staging (and, theoretically, it won't work in production, either.)

^_^
@WolfShadeauthorJan 06.2011 — This is very frustrating.

On development, it is working with no problems, whatsoever.

On staging (as it probably will on production), here is what it's doing:

If "expand all" is clicked, this is the cookie value:
[CODE]vddstatus
cat1,1|cat2,1|cat3,1|cat4,1|cat5,1|cat6,1|cat7,1|cat8,1|cat9,1
domain.com/
1088
1060073856
33063389
2884050624
30125481[/CODE]


If "hide all" is clicked, this is the cookie value:
[CODE]vddstatus
cat1,0|cat2,0|cat3,0|cat4,0|cat5,0|cat6,0|cat7,0|cat8,0|cat9,0
domain.com/
1088
1060073856
33063389
2884050624
30125481[/CODE]


If any individual "hide" or "expand" is clicked, this is the cookie value:
[CODE]vddstatus
[color=red]TLTUID=29A2C6BA180E1018889AF39A9D19E869[/color]
domain.com/
1088
1060073856
33063389
[color=red]1613223328
30125482[/color][/CODE]


Not only can I not see what is causing this to happen, but the fact that it is NOT doing this in development is really driving me up a wall. It's the same code on both servers.

Any ideas?

^_^
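
Added example, not part of the original thread and not any poster's code: a Node-runnable model of the value extraction in alterCurrentDivState() as posted, which, unlike setDivState(), has no guard for indexOf(";") returning -1. It assumes the real cookie name is the 16-character `vmpdetdivstatus` that appears in setDivState() and that the TLTUID cookie precedes it in document.cookie on staging; the cookie strings are constructed, and `storedValue` and `readCookie` are hypothetical helpers. Under those assumptions the model yields the TLTUID value shown in the dump above.

```javascript
// Constructed document.cookie strings; the TLTUID value is the one quoted in the thread.
const NAME = "vmpdetdivstatus="; // assumed real cookie name: 16 chars, matching the "+ 16" offset
const STATE = "cat1,1|cat2,1|cat3,1";
const TRACKER = "TLTUID=29A2C6BA180E1018889AF39A9D19E869";
const cookieNotLast = NAME + STATE + "; " + TRACKER; // another cookie follows ours
const cookieLast = TRACKER + "; " + NAME + STATE;    // ours is the last cookie

// Extraction as in the posted alterCurrentDivState(): no check for indexOf(";") === -1.
function extractAsPosted(cookieString) {
  const start = cookieString.indexOf(NAME) + 16;
  const end = cookieString.indexOf(";", start); // -1 when our cookie is last
  // substring(start, -1) behaves as substring(0, start): everything BEFORE our value.
  return unescape(cookieString.substring(start, end));
}

// Rebuild of the cookie assignment as in the posted code, toggling one category.
function rebuildAsPosted(cookieString, toggleId) {
  const parts = extractAsPosted(cookieString).split("|").map((entry) => {
    const [id, state] = entry.split(",");
    if (id !== toggleId) return entry;
    return state === "1" ? id + ",0" : state === "0" ? id + ",1" : entry;
  });
  return NAME + parts.join("|") + "; expires=Sat, 31 Dec 2050 23:59:11 UTC; path=/";
}

// Simplified model of a document.cookie assignment: the browser keeps the text before
// the first ";" as name=value, and the value is everything after the first "=".
function storedValue(assignment) {
  const pair = assignment.split(";")[0];
  return pair.slice(pair.indexOf("=") + 1);
}

// Hypothetical replacement reader: split into pairs and match the name exactly.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(/;\s*/)) {
    const eq = pair.indexOf("=");
    if (eq !== -1 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

console.log(storedValue(rebuildAsPosted(cookieNotLast, "cat2")));
console.log(storedValue(rebuildAsPosted(cookieLast, "cat2")));
console.log(readCookie(cookieLast, "vmpdetdivstatus"));
```

Whether the state cookie is the last entry in document.cookie depends on which other cookies each environment sets, so the same script can behave differently on two servers.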
@nsaxena76Jun 01.2017 — Hi, did you find the solution to this issue? If yes, can you please share?
@rootJun 01.2017 — Stop wasting your time with cookies.

Use localStorage and localSession objects where possible and only rely on cookies as a last resort.

There are many advantages over the use of localStorage, one being data size, another is persistence and privacy.
@TrainJun 02.2017 — 01-06-2011, old thread

Closing