
JavaScript document.cookie missing some pairs

My script set up ten cookies and the browser successfully saved them, but document.cookie only retrieves nine pairs. The missing pair is as follows:

auth:4ae9Mq1j6tjt7dV6kV6A0piHB6NnNjijBmecax9mA8cfDpSs6pnAcD7H1%2FUqWMIIB%2BbgtKIJ2w1L2GnXkgV2

What happened? Is there a character limit in document.cookie? The cookie domain is the same as all the others.


The problem is that the server side is sending the cookies with the HttpOnly setting as described here: http://en.wikipedia.org/w/index.php?title=HTTP_cookie#HttpOnly_cookie

Cookies sent this way are not accessible through document.cookie. This is generally used to help protect the cookie value against possible XSS attacks on your site.

You didn't mention which technology you're using on the server side to set the cookies. In case you're using PHP, this link lists the possible ways the HttpOnly flag could be set:

https://www.owasp.org/index.php/HttpOnly#Using_PHP_to_set_HttpOnly


I have two clarifying questions:

  1. Why do you think that your "browser successfully saved" all of your cookie crumbs if the final crumb does not appear to be stored in document.cookie?
  2. Is the missing value the one you attempted to add last? If so, from the information you've provided, I assume that value is too long to store in the cookie.

The size in bytes of your cookie crumb string depends on your encoding.

You can read more about the maximum cookie size and number allowed per domain here. You can read an older discussion of what happens if you exceed the limit in different browsers here. These limits vary per browser.

RFC 2109 states that browsers should support a cookie size of at least 4096 bytes, at least 300 total cookies, and at least 20 cookies per domain or unique host. This article shows a cookie-size test from 2009. This 2008 blog post notes a few more items about how individual browsers handle cookies.

Note that IE 7 and later limit the number of cookies per domain to 50, whereas earlier versions of IE had a limit of 20 per domain.

RFC 2109 and numerous online references suggest that a maximum size of around 4096 bytes is a good general assumption to stick to. If you can't keep below that limit, you will probably have to store your data on the server somehow.

If it's not cookie size that's the issue, more info on exactly how you're storing and retrieving your cookie values will help the group address your question.
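
An added example, not part of either answer above: a small checker that takes the Set-Cookie response headers and reports which cookies script can read through document.cookie and which are hidden by HttpOnly or exceed the 4096-byte guideline. The function names and sample headers are constructed for illustration, and the size threshold is the RFC 2109 figure quoted above, which real browsers may not match exactly.

```javascript
// Added example. Size guideline is the RFC 2109 figure quoted above; real limits vary per browser.
const MAX_COOKIE_BYTES = 4096;

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: treat as malformed
  const attributes = {};
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// For each header, report whether script could read the cookie via document.cookie.
function classifyCookies(setCookieHeaders) {
  return setCookieHeaders.map((header) => {
    const c = parseSetCookie(header);
    if (!c) return { name: null, visible: false, reason: 'malformed', bytes: 0 };
    const bytes = new TextEncoder().encode(`${c.name}=${c.value}`).length;
    let reason = 'script-readable';
    if (bytes > MAX_COOKIE_BYTES) reason = 'over-size-guideline'; // browser may discard it
    else if ('httponly' in c.attributes) reason = 'httponly'; // sent over HTTP, hidden from script
    return { name: c.name, visible: reason === 'script-readable', reason, bytes };
  });
}

// Constructed sample response headers (values are placeholders, not from the question).
const sampleHeaders = [
  'lang=en; Path=/',
  'theme=dark; Path=/; Secure',
  'auth=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly',
  `blob=${'x'.repeat(5000)}; Path=/`,
];

for (const r of classifyCookies(sampleHeaders)) {
  console.log(`${r.name}: ${r.visible ? 'visible' : 'hidden'} (${r.reason}, ${r.bytes} bytes)`);
}
```

The Set-Cookie lines to feed it can be copied from the response headers shown in the browser's developer tools.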
