Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Javascript > sending http requests without cookies

Reply
Thread Tools

sending http requests without cookies

 
 
yawnmoth
Guest
Posts: n/a
 
      02-14-2006
Say I wrote an ajax script to send out HTTP requests via ajax. Any
cookies that I have associated with that site will be sent along with
this HTTP request. Is there a way to prevent this from happening? I
tried the following to no avail:

http.setRequestHeader('Cookie','');

 
Reply With Quote
 
 
 
 
VK
Guest
Posts: n/a
 
      02-14-2006

yawnmoth wrote:
> Say I wrote an ajax script to send out HTTP requests via ajax. Any
> cookies that I have associated with that site will be sent along with
> this HTTP request. Is there a way to prevent this from happening? I
> tried the following to no avail:
>
> http.setRequestHeader('Cookie','');


var tmp = document.cookie;
document.cookie = '';
sendRequest();
document.cookie = tmp;

( ? )

 
Reply With Quote
 
 
 
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      02-14-2006
VK wrote:

> yawnmoth wrote:
>> Say I wrote an ajax script to send out HTTP requests via ajax. Any
>> cookies that I have associated with that site will be sent along with
>> this HTTP request. Is there a way to prevent this from happening?


I don't think so. Why would that be necessary anyway?

>> I tried the following to no avail:
>>
>> http.setRequestHeader('Cookie','');


This cannot work because the Cookie header value must not be empty.
See RFC2965, 3.3.4.

> var tmp = document.cookie;
> document.cookie = '';
> sendRequest();
> document.cookie = tmp;
>
> ( ? )


Definitely not. As can be proven easily, assigning the empty string to
document.cookie does not delete all cookies for this resource.

It merely adds a new session cookie with empty name and value for the
current domain and path -- although that particular behavior may be
UA-dependent (I tested with Firefox 1.5.0.1/Linux).

Tests with that UA also indicate that since it is not possible to determine
what the domain and path components were when a cookie was set, it is not
possible to delete it reliably using the value of document.cookies only as
it is not possible to delete a cookie when domain and path component do not
match (implicitly).


PointedEars
 
Reply With Quote
 
VK
Guest
Posts: n/a
 
      02-14-2006

Thomas 'PointedEars' Lahn wrote:
> VK wrote:
>
> > yawnmoth wrote:
> >> Say I wrote an ajax script to send out HTTP requests via ajax. Any
> >> cookies that I have associated with that site will be sent along with
> >> this HTTP request. Is there a way to prevent this from happening?

>
> I don't think so. Why would that be necessary anyway?
>
> >> I tried the following to no avail:
> >>
> >> http.setRequestHeader('Cookie','');

>
> This cannot work because the Cookie header value must not be empty.
> See RFC2965, 3.3.4.
>
> > var tmp = document.cookie;
> > document.cookie = '';
> > sendRequest();
> > document.cookie = tmp;
> >
> > ( ? )

>
> Definitely not. As can be proven easily, assigning the empty string to
> document.cookie does not delete all cookies for this resource.


Right. I forgot (it was a while I played with cookies client-side) that
cookie property works like an electric diod: it has different
"resistance" depending on what side of expression it is used.

On the right side it has "zero resistance" so by saying:
var foo = document.cookie;
you are grabbing all cookies with all attributes available for the
given document.

On the left side it has "high resistance" so you can address only one
cookie at time, so by saying:
document.cookie = foo;
document.cookie = bar;
you are not overriding foo by bar, but setting two separate cookies
(foo and bar).

So the proposed algorithm, if it's indeed the only way (I don't know
and actually I hope not) must be adjusted into a much more complicated
way:

1) grab all cookies by
var foo = document.cookie;

2) Parse cookie string "foo", extract each separate cookie and make it
expired (or override it with empty string):
document.cookie = cookie1;
document.cookie = cookie2;
etc.

3) Send request.

4) Restore all cookies back using the same algorithm as on step 2.

For one of these "update every 10ms" ajaxoids this approach is very
questionnable to work. For a single or rare requests it is doable:
again if there is nothing better than that.

 
Reply With Quote
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      02-14-2006
VK wrote:

> Thomas 'PointedEars' Lahn wrote:
>> VK wrote:
>> > yawnmoth wrote:
>> >> Say I wrote an ajax script to send out HTTP requests via ajax. Any
>> >> cookies that I have associated with that site will be sent along with
>> >> this HTTP request. Is there a way to prevent this from happening?

>> [...]
>> > var tmp = document.cookie;
>> > document.cookie = '';
>> > sendRequest();
>> > document.cookie = tmp;
>> >
>> > ( ? )

>> Definitely not. As can be proven easily, assigning the empty string to
>> document.cookie does not delete all cookies for this resource.

>
> [...]
> So the proposed algorithm, if it's indeed the only way (I don't know
> and actually I hope not) must be adjusted into a much more complicated
> way:
>
> 1) grab all cookies by
> var foo = document.cookie;
>
> 2) Parse cookie string "foo", extract each separate cookie and make it
> expired (or override it with empty string):
> document.cookie = cookie1;
> document.cookie = cookie2;
> etc.


As I said, step 2 is not possible. Once in a while you should read what
you reply to.


PointedEars
 
Reply With Quote
 
VK
Guest
Posts: n/a
 
      02-14-2006

Thomas 'PointedEars' Lahn wrote:
> > 2) Parse cookie string "foo", extract each separate cookie and make it
> > expired (or override it with empty string):
> > document.cookie = cookie1;
> > document.cookie = cookie2;
> > etc.

>
> As I said, step 2 is not possible. Once in a while you should read what
> you reply to.


What do you mean "impossible"? How do you think all JavaScript cookie
management systems work?

Read some manual like
<http://www.netspade.com/articles/2005/11/16/javascript-cookies/>

 
Reply With Quote
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      02-14-2006
VK wrote:

> Thomas 'PointedEars' Lahn wrote:
>> > 2) Parse cookie string "foo", extract each separate cookie
>> > and make it expired (or override it with empty string):
>> > document.cookie = cookie1;
>> > document.cookie = cookie2;
>> > etc.

>> As I said, step 2 is not possible. Once in a while you should
>> read what you reply to.

>
> What do you mean "impossible"?


Impossible as in "not possible".

> How do you think all JavaScript cookie management systems work?


I do not know. Why do you think that is relevant? The reference
implementation does not support it already.

> Read some manual like
> <http://www.netspade.com/articles/2005/11/16/javascript-cookies/>


Read the comments for the deleteCookie() method there, then see my
signature. Did I mention that you should read what you reply to?


PointedEars
--
Learn to think clearly.
Learn to distinguish: What is, and what seems to be.
-- Surak
 
Reply With Quote
 
Michael Winter
Guest
Posts: n/a
 
      02-14-2006
On 14/02/2006 19:00, VK wrote:

> Thomas 'PointedEars' Lahn wrote:
>
>> VK wrote:
>>
>>> 2) Parse cookie string "foo", extract each separate cookie and
>>> make it expired [...]

>>
>> As I said, step 2 is not possible. Once in a while you should read
>> what you reply to.

>
> What do you mean "impossible"?


Not possible.

> How do you think all JavaScript cookie management systems work?


Thomas clearly has a greater understanding than you do, but that is
hardly a surprise, is it?

When a cookie is created, it is possible to specify path and domain
parameters to explicitly define the scope of that cookie. In order to
modify a particular cookie, this extra information needs to be resupplied.

Example:
Set-Cookie: name=value; expires=Tue, 14-Feb-2005 20:00:00 GMT;
path=/foo

Expected:
Cookie: name=value

Actual:
Cookie: name=value


Your suggestion:
Set-Cookie: name=value; expires=Thu, 01-Jan-1970 00:00:00 GMT

You expect:
<no Cookie header>

Actual:
Cookie: name=value

The two cookies do not match. The second Set-Cookie header (or
document.cookie property equivalent) effectively creates a second cookie
that has already expired.

If user agents implemented RFC 2965 (and I know of none that do), this
necessary information would be supplied in the Cookie request header,
along with the cookie values, and it could indeed be parsed out and used
for deletion.

> Read some manual


Pot. Kettle. Black.

> like
> <http://www.netspade.com/articles/2005/11/16/javascript-cookies/>


That isn't a manual, and it doesn't support your assertions (quite the
opposite, in fact).

Mike

--
Michael Winter
Prefix subject with [News] before replying by e-mail.
 
Reply With Quote
 
VK
Guest
Posts: n/a
 
      02-14-2006

Michael Winter wrote:
> On 14/02/2006 19:00, VK wrote:
>
> > Thomas 'PointedEars' Lahn wrote:
> >
> >> VK wrote:
> >>
> >>> 2) Parse cookie string "foo", extract each separate cookie and
> >>> make it expired [...]
> >>
> >> As I said, step 2 is not possible. Once in a while you should read
> >> what you reply to.

> >
> > What do you mean "impossible"?

>
> Not possible.
>
> > How do you think all JavaScript cookie management systems work?

>
> Thomas clearly has a greater understanding than you do, but that is
> hardly a surprise, is it?


Not really - specially as I'm getting more and more hard to be
surprised recently

Thomas doesn't have better understanding, but he's already getting what
attitude (atop of his regular one which may infect you if stay
regularly on clj.
Namely when someone is asking "I have situation A there I would like to
accomplish the action X" one doesn't think about the practical answer
first:- but she thinks first of situations B, C, ...Z where the action
X may fail or not possible or not blessed etc. That's should be the
secondary thinking one is welcome to place at the postscriptum of the
solution. And if you have no solution, then do not post at all (a
letter consisting of a postscriptum only is a rather strange thing).
It's all IMHighlyHO and off-topic.

Now reading OP's original question once over: "Any cookies that I have
associated with that site will be sent along with this HTTP request".
*I have associated*

>From my (possibly wrong) reading of this sentence I concluded that OP

knows what cookies, for what domain and what path did he set.

name/domain/path exact match was implemented for exactly the opposite
situation: when someone wants to destroy cookie set by someone else.
Again it might be my mistake but I did not read this situation out of
the post.

 
Reply With Quote
 
TerraFrost
Guest
Posts: n/a
 
      02-14-2006

VK wrote:
> <snip>
> >From my (possibly wrong) reading of this sentence I concluded that OP

> knows what cookies, for what domain and what path did he set.

That is indeed the case.

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Nested HTTP params on ruby HTTP requests Dave Garcia Ruby 5 06-05-2009 08:15 AM
Give Request.Cookies and Response.Cookies is there any reason to use another method to use cookies? _Who ASP .Net 7 09-18-2008 07:49 PM
notify a web-service: sending non-blocking http requests d c Ruby 2 12-24-2007 05:20 PM
sending raw http requests with java.net.socket yawnmoth Java 8 08-21-2006 02:40 PM
Module of sending http 1.1 and/or 1.0 requests Yuchung Cheng Perl Misc 3 07-07-2003 12:09 AM



Advertisments