91

I can't access any cookie from JavaScript. I need to read some values and send them via JSON for my custom checks.

I've tried to access cookies from JS, like it was described at:

As you can see in the code, the following is as clear as crystal:

```javascript
var c_value = document.cookie;
```

When I try to access the document.cookie value from Chrome's web debugger, I see only the empty string in the Watch expressions:

So I can't read the cookie value that I need.

I've checked that the cookie name I'm sending to get the associated value IS correct. Also, I'm using the W3Schools source code for getting cookies, if you're interested (but from the 2nd link, the technique is similar).

How can I fix my issue?

vvvvv
  • 1
    @PeeHaa Really? I don't know. I'm working on an ASP.NET MVC 4 (Razor) project, and I don't know whether it enables this parameter by default. Don't be angry with me :) I'm a newbie to web development. –  Jul 06 '13 at 23:43
  • 2
    Inspect the cookie in your browser and it should say whether it is httponly or not. – PeeHaa Jul 06 '13 at 23:44
  • 1
    @PeeHaa I've inspected. If there is a check in the HTTP column of the cookies viewer table in Chrome's web tools, does that mean my cookies are HTTP only? If so, my project uses HTTP only cookies and I don't understand how to fix my issue :( –  Jul 06 '13 at 23:57
  • Yes. That means they are httponly cookies. Which is often exactly what you want, because it protects you from certain types of attacks. Do you have control over how the cookies are set? If yes: what language do you use? Also, what do you need the cookie info for? Maybe there is a better way. – PeeHaa Jul 07 '13 at 00:00
  • 1
    @PeeHaa Yes, I do have such control. Cookies are set by the server-side response. I'm using C# in my ASP.NET MVC4 project. The part where I'm setting cookies: http://ideone.com/fBqtke –  Jul 07 '13 at 00:03
  • Well I don't know much about asp, but based on your code it should be pretty obvious how to disable httponly cookies :P – PeeHaa Jul 07 '13 at 00:04
  • 1
    @PeeHaa So, do you have suggestions on how to fix it? I'm googling right now. All websites suggest using `document.cookie`, and Chrome's web tools show all my cookies with checks under the Http column. Why isn't it accessible from `document.cookie`? –  Jul 07 '13 at 00:12
  • The problem isn't on the clientside, but on the serverside. You may want to disable the httponly flag you are setting. – PeeHaa Jul 07 '13 at 00:14
  • @PeeHaa I have disabled it; same result in the web debugger :( –  Jul 07 '13 at 00:15
  • @PeeHaa Thanks! As we see, no jQuery is needed for such stuff. Could you post an answer to this question? I shall mark you as the correct one. –  Jul 07 '13 at 00:31
  • Does this answer your question? [Javascript document.cookie always empty string](https://stackoverflow.com/questions/15914744/javascript-document-cookie-always-empty-string) – Piotr Siupa Sep 23 '20 at 11:37

6 Answers

153

You are most likely dealing with httponly cookies. httponly is a flag you can set on cookies meaning they can not be accessed by JavaScript. This is to prevent malicious scripts stealing cookies with sensitive data or even entire sessions.

So you either have to disable the httponly flag or you need to find another way to get the data to your javascript.

By looking at your code it should be easy to disable the http only flag:

```csharp
// HttpOnly = false makes these cookies readable through document.cookie
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
```

Now you should be able to access the cookie information from JavaScript. However I don't know exactly what kind of data you are trying to get so maybe you can go for another approach instead and for example render some data attribute on the page with the information you need instead of trying to read the cookie:

```html
<div id="example" data-info="whatever data you are trying to retrieve"></div>
```

```javascript
console.log(document.getElementById('example').getAttribute('data-info'));
```
PeeHaa
5

Also keep an eye on the cookie's Path attribute, as the cookie is only visible to subdirectories under Path. I had your issue and solved it by setting Path to "/".

ejaenv
4

I had the same problem several times. And every time, it was for a different reason.

Different reasons:

  • problem of httpOnly field. It was set to false and I was trying to access it from the console. Setting it to true or accessing it from the source code did the trick.
  • problem of secure field. It was true and I was using only http.
  • problem of Expires / Max-Age. The cookie was outdated and it was not visible in document.cookie.
vvvvv
3

I would say http only is your first culprit but this can also occur by not setting the scope of your cookie.

If the site has been redirected from another domain, you will need to look into setting the scope of the cookie. Domain and Path defines the scope of the cookie, which URLs the cookie should be sent to. Depending on this, you might not see the cookie in your response.

I ran across this issue when setting a cookie on a successful SAML SSO login and couldn't retrieve the cookie from the Document because it was never sent as part of the request.
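
The answers above name five attributes that can keep a cookie out of `document.cookie`: HttpOnly, Secure, Expires/Max-Age, Domain and Path. The following is an added example, not code from any poster on this page, that models the RFC 6265 matching rules so a `Set-Cookie` value can be checked against the page that tries to read it. The function names and the `example.test` hosts are hypothetical, and the model is simplified (no SameSite or public-suffix handling).

```javascript
// Added example: models the RFC 6265 rules that decide whether a cookie
// shows up in document.cookie. All URLs and cookie values are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

function defaultPath(pathname) {
  // RFC 6265 5.1.4: with no Path attribute, use the directory of the setting URL
  const cut = pathname.lastIndexOf('/');
  return cut <= 0 ? '/' : pathname.slice(0, cut);
}

function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

// Returns 'visible' or the name of the attribute that hides the cookie from page script.
function whyHidden(header, setByUrl, pageUrl, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const setBy = new URL(setByUrl), page = new URL(pageUrl);
  if (attrs.httponly) return 'HttpOnly';
  if (attrs.secure && page.protocol !== 'https:') return 'Secure';
  if ('max-age' in attrs) {               // Max-Age takes precedence over Expires
    if (Number(attrs['max-age']) <= 0) return 'Max-Age';
  } else if ('expires' in attrs && Date.parse(attrs.expires) <= now) {
    return 'Expires';
  }
  const domain = typeof attrs.domain === 'string'
    ? attrs.domain.replace(/^\./, '').toLowerCase() : null;
  const hostOk = domain
    ? page.hostname === domain || page.hostname.endsWith('.' + domain)
    : page.hostname === setBy.hostname;   // no Domain attribute: host-only cookie
  if (!hostOk) return 'Domain';
  const path = typeof attrs.path === 'string' && attrs.path.startsWith('/')
    ? attrs.path : defaultPath(setBy.pathname);
  return pathMatches(path, page.pathname) ? 'visible' : 'Path';
}
```

Running it on the session cookie and the display-name cookie separately shows that only the value the page script needs has to lose HttpOnly; the session identifier can keep the flag.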

0

If your cookie is set as Set-Cookie or Set-Cookie2 it's not part of the response headers collection: http://www.w3.org/TR/XMLHttpRequest/#the-getallresponseheaders%28%29-method

Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.

Termininja
Dunken
0

If you are using some secure authentication, then in that case you cannot access cookies directly because of secure. You have to change some response attribute on the server side using the code below.

```csharp
// HttpOnly = false makes these cookies readable through document.cookie
Response.AddHeader("Set-Cookie", "CookieName=CookieValue; path=/;");
Response.SetCookie(new HttpCookie("session-id") { Value = Guid.NewGuid().ToString(), HttpOnly = false });
Response.SetCookie(new HttpCookie("user-name") { Value = data.Login, HttpOnly = false });
```

But you should not, because it may change secure to un-secure, so you have to find a solution that can be done on the server side to delete cookies and allow you to do some operations.

It's possible to make changes on the server side.

vvvvv