
I want to open a php page and inject a cookie on the fly because it uses that as id to fire an ajax call.

The challenge is I don't 'own' or have access to the php page.

Thian Kian Phin

1 Answer

When setting cookies in JS, the process isn't exactly as easy as writing document.cookie="'name': 'value'". In fact, there are a lot of scripts that strive to simplify this process for setting cookies on the client side. Here is an answer I found that may help you get a simple version of that without having to extend any resources to calling external scripts.

The form for a cookie in JS is as follows: <name>=<value>; expires=Mon, 16 Oct 2017 01:11:29 GMT; path=/

Notice the inclusion of expires and path. These are necessary when declaring a cookie on the client side.

Now, one thing to keep in mind is that if the page makes a JSON request to a different server, this won't work. This is because cookies follow a Same-Origin Policy to make cookie theft and other associated malicious code more difficult to successfully pull off.

To simplify, I mean that if you go to example.com but the server serves its resources from ajax.example.com and the cookies are for ajax.example.com, you will not be able to manipulate these cookies via javascript unless you can write HTML to some portion of the ajax.example.com domain.

The ability to set cookies without server-side interference is generally considered to be a risky security move, and some could view tampering of cookies by a user-submitted script as suspect, and possibly even an attempt to crack into a system's security. I strongly encourage you to try to have the backend changed so that the AJAX call ID is passed through some sort of GET or POST data. Either that, or have the backend manage the AJAX call ID altogether, possibly even passing an array of plausible IDs to the page for the script to use (e.g. var ajaxCallIds = [1337, 256, 11, 99].)

The way to solve your code issue is up to you, but do keep in mind that there's rarely if ever a situation that calls for client-side manipulation of cookies set and used by server-side application code.

Dakota B
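The cookie string form and the host-scoping limit described in this answer, as an added example that is not part of the original post (the helper names, the constructed cookie values and the omission of a public-suffix check are assumptions):

```javascript
// Added example, not code from the answer above. Builds and parses cookie
// strings in the <name>=<value>; expires=...; path=/ form, and checks the
// domain-matching rule that decides whether a page on one host may set a
// cookie scoped to another host.

// Serialize a cookie the way document.cookie expects it. Name and value are
// percent-encoded so ';', '=' and whitespace cannot break the string.
function buildCookieString(name, value, opts = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (opts.expires instanceof Date) parts.push(`expires=${opts.expires.toUTCString()}`);
  parts.push(`path=${opts.path || '/'}`);
  if (opts.domain) parts.push(`domain=${opts.domain}`);
  if (opts.secure) parts.push('secure');
  if (opts.sameSite) parts.push(`samesite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse the "a=1; b=2" string that reading document.cookie returns.
// (The getter never exposes attributes such as expires or path.)
function parseCookies(cookieHeader) {
  const out = {};
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const k = decodeURIComponent(pair.slice(0, idx).trim());
    out[k] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// RFC 6265 domain matching: a page on `host` may set a cookie scoped to
// `cookieDomain` only if host equals it or is a subdomain of it.
// Public-suffix handling (e.g. refusing domain=com) is omitted here.
function canSetCookieFor(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Constructed usage (assumed values, not from the page):
const exp = new Date(Date.UTC(2017, 9, 16, 1, 11, 29));
const cookie = buildCookieString('session id', 'abc;123', { expires: exp });
console.log(cookie);
console.log(parseCookies('session%20id=abc%3B123; theme=dark'));
// A page on example.com cannot scope a cookie to ajax.example.com,
// which is the situation the answer describes; the reverse is allowed.
console.log(canSetCookieFor('example.com', 'ajax.example.com'));
console.log(canSetCookieFor('ajax.example.com', 'example.com'));
```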