Is it possible to send HTTP Request without cookies?

I have to send some private data once from server to browser. I want to store it in a cookie. This data will be using later in Javascript code. But I want to send never(!) this private data to server when the browser does HTTP Request (because of security). I know that I can set "path" v开发者_StackOverflow社区alue in cookie (to i.e. some abstract path) but then I won't be able to read this cookie (I'll be able to read from this abstract path, but if so, the browser send this cookie to server once - but as I said this data can't be sent to server).

So, my question is: is it somehow possible not to send a cookie with HTTP Request?

If you're sending this private data from server to browser then it is being exposed anyway. I don't think it matters much that it will be included in subsequent requests.

In general you should never place private data in cookies, at least not unless encrypted. So either a) do all of this over https or b) encrypt the data. But I'm guessing that b) will be a problem as you'll have to decrypt on the client side.

To be honest it sounds like you need to rethink your strategy here.

I don't think you'll be able to force the browser not to resend the cookie up if it's valid for that request.

Perhaps a better way would be to delete the cookie within the JS once you've read your data from it:

http://techpatterns.com/downloads/javascript_cookies.php

If you need to have it back in the JS again on the next response, just have the server re-send it, and delete it again on the client side.

I should say that sending data which you would deem to be 'private' in this way does not seem entirely appropriate on the face of it - as this information could easily be viewed using a proxy of some type sat between the browser and the server.

As Richard H mentioned, data in cookies is visible to the user if they know where to look. So this is not a good place to store secrets.

That said, I had a different application which needed to store lots of data client-side and ran into this same problem. (In my application, I needed to make the application able to run offline and keep the user actions if the PC crashes or website is down.) The solution is pretty simple:

1) Store the cookie data in a JavaScript variable. (Or maintain it in a variable already.)

2) Remove the cookies. Here's a function that can erase a cookie:

function cookieErase (name) {
  document.cookie = name+'=; Max-Age=-99999999;path=/';
}

If you have more than one cookie (as was my case), you have to run the above function for every cookie you have stored. There is code to iterate each cookie, but in practice you probably know the names of the large cookies already and you might not want to delete other cookies your website is relying on.

3) Send the request as you would normally.

4) Restore the cookie data from the saved variables.

Here are some optimizations you can use:

1) Only trigger this code on a status 400 bad request (which is what you get back if the cookie data is too large). Sometimes, your data isn't too big, so deleting is unnecessary.

2) Restore the cookie data after a timeout if it isn't needed immediately. In this way, you can make multiple requests and only restore the data if there is idle time. This means your users can have a fast experience when actively using your website.

3) The moment you can, try to get any data moved to the server-side so the burden on the client/communication is less. In my case, the moment that the connection is back up, all actions are synchronized as soon as possible.