
Question originally posted on Webmasters, was recommended to move it here.

I host a web service, and provide my members with a Javascript bookmarklet, which loads a JS script from my server. However, clients must be logged in, in order to receive the JS script. This works for almost everybody. However, some users on setups (i.e. browser/OS) that are known to work for other people have the following problem: when they request the script via the javascript bookmarklet from my server, their cookie from my server does not get included with the request, and as such they are always "not authenticated".

I'm making the request in the following way:

// Build a <script> element pointing at the server and inject it into the
// current page; the browser then fetches the script as a cross-site request.
var myScript = document.createElement('script');
myScript.setAttribute('src', 'http://myserver.com/script');
document.body.appendChild(myScript);

In a fit of confused desperation, I changed the script page to simply output "My cookie has [x] elements" where [x] is count($_COOKIE) on http://myserver.example.com. If this subset of users requests the script using the above method encoded in the bookmarklet, the message reads "My cookie has 0 elements". When they access the URL directly in their browser, the message reads "My cookie has 7 elements".

What on earth could be going on?! And more importantly, how would I fix this?

Mala

1 Answer


I'm pretty sure this is a privacy setting issue. The affected browsers probably have increased their privacy settings refusing 3rd party scripts from setting cookies.

I've experienced similar issues when placing an IFRAME pointing to domain B on a site hosted on domain A. Some browsers refused that my IFRAME set cookies for its own domain because it triggered a privacy issue.

You might want to store a hash in the script src attribute and have it authenticate users that way.

Edit: This is sort of what I'm talking about: Setting cross-domain cookies in Safari

Christian Joudrey
  • It's not so much the setting of the cookie I'm concerned with (although that's important too, I suppose) but more the reading of data which requires that the cookie be sent with the request. Does this still apply? – Mala Dec 02 '10 at 03:00
  • I will try sneaking a hash into the src part, and let you know how it goes – Mala Dec 02 '10 at 03:00
  • To be honest that's a good question, but think about it this way. Suppose a visitor visited your site (domain A) and you set a cookie that identifies him. If you put a script on another site (domain B) that hits your site, if the request passes the cookie then you could track that the user visited domain B using the HTTP Referrer header. So in that sense it is a privacy breach and I believe you are facing the same problem as I did. – Christian Joudrey Dec 02 '10 at 03:05
  • I'm actually glad I found this topic, because I too am developing an app that uses a Bookmarklet and I have never been faced with this problem as I store a unique hash in the Bookmarklet, but I will certainly remember this if the situation arises. – Christian Joudrey Dec 02 '10 at 03:06