Skip to main content

How can Javascript be prevented from accessing PHP cookie data?

Image
By User


(Taken from a job interview)



Which of the following answers are correct ?



  • Use the httponly parameter when setting the cookie

  • The user must turn off Javascript support

  • It's a cookie setting in the browser

  • Only the issuing domain can access the cookie

  • One is on the client and the other is on the server, so it's not an issue


Source: Tips4allCCNA FINAL EXAM
Labels:

Comments

  1. UserMay 16, 2012 at 10:34 AM

    The correct answer is the first:

    Use the httponly parameter when setting the cookie


    This flag prevents (on compatible browsers, almost all, including IE >= 6sp1) the javascript engine on the browser to access cookies with this parameter. You can set this flag for regular cookies with setcookie and for session cookies with session_set_cookie_params.

    edited: Support for IE >= 6sp1 instead of IE >= 7

    ReplyDelete
  2. UserMay 16, 2012 at 10:34 AM

    First of all, the question its not well formulated.

    Cookies are an HTTP concept, not a PHP concept. PHP can create and modify cookies, but there is no such thing like a "PHP COOKIE". The browser don't care about if the response was generated by PHP, or by Python, or by a perl cgi.

    Trying to identify what could be the real question, the possibilities are:


    The cookie to keep the session id in the browser
    a cookie sent with setcookie


    I bet for the question 1. I understand that the correct question should has been:

    "Why the client side using javascript or any other method, its unable to view or modify the information stored in the PHP session?"

    Then, the answer is:

    "Because, even if the PHP sessions use cookies, this cookies are only used to store the session id, not the content of the session. The content of the session its stored on the server, not in the cookie itself."

    ReplyDelete
  3. UserMay 16, 2012 at 10:34 AM

    When the cookie header is set, you can specify httpOnly.

    This can be done via PHP's setcookie function:

    setcookie ( $name, $value, $expire, $path, $domain, $secure, $httponly )


    httpOnly instructs the browser to not allow JS to access the cookie.

    ReplyDelete
  4. UserMay 16, 2012 at 10:34 AM

    a cookie is client side..... ?

    The user must turn off Javascript support - aggressive

    Use the httponly parameter when setting the cookie - probably the right answer but as was answered earlier.. there are work-arounds I suppose

    ReplyDelete

Post a Comment

Popular posts from this blog

Why is this Javascript much *slower* than its jQuery equivalent?

By User
I have a HTML list of about 500 items and a "filter" box above it. I started by using jQuery to filter the list when I typed a letter (timing code added later): $('#filter').keyup( function() { var jqStart = (new Date).getTime(); var search = $(this).val().toLowerCase(); var $list = $('ul.ablist > li'); $list.each( function() { if ( $(this).text().toLowerCase().indexOf(search) === -1 ) $(this).hide(); else $(this).show(); } ); console.log('Time: ' + ((new Date).getTime() - jqStart)); } ); However, there was a couple of seconds delay after typing each letter (particularly the first letter). So I thought it may be slightly quicker if I used plain Javascript (I read recently that jQuery's each function is particularly slow). Here's my JS equivalent: document.getElementById('filter').addEventListener( 'keyup', function () { var jsStart = (new Date).getTime()...
3 comments
Read more

Is it possible to have IF statement in an Echo statement in PHP

By User
Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.
5 comments
Read more