5

I have to send some private data once from server to browser. I want to store it in a cookie. This data will be used later in Javascript code. But I never(!) want to send this private data to the server when the browser does an HTTP Request (because of security). I know that I can set the "path" value in the cookie (to i.e. some abstract path) but then I won't be able to read this cookie (I'll be able to read it from this abstract path, but if so, the browser sends this cookie to the server once - but as I said this data can't be sent to the server).

So, my question is: is it somehow possible not to send a cookie with HTTP Request?

Buffalo

3 Answers

3

If you're sending this private data from server to browser then it is being exposed anyway. I don't think it matters much that it will be included in subsequent requests.

In general you should never place private data in cookies, at least not unless encrypted. So either a) do all of this over https or b) encrypt the data. But I'm guessing that b) will be a problem as you'll have to decrypt on the client side.

To be honest it sounds like you need to rethink your strategy here.

Richard H
  • Thanks for the answer. Of course it will be SSL and I know I can additionally encrypt the data. But generally I never want to send it to the server. You see, I'm coding a mobile webpage. This private data must somehow be transferred once to the device (after the user has logged in). After receiving it, it will be used for some future operations. On future logins, it won't be necessary to receive it again, but the data must be available to the browser. It doesn't have to be developed this way, but how to transfer some private data to a device (iPhone, Android, etc), to use it on a mobile webpage...? – Buffalo Feb 20 '11 at 18:46
  • @Buffalo: well, currently browsers do not really support client-side caching of data; that's not what cookies are for. Really all your client data and state should be kept server-side, with the server rendering pages appropriately for a given user. – Richard H Feb 21 '11 at 10:59
0

I don't think you'll be able to force the browser not to resend the cookie up if it's valid for that request.

Perhaps a better way would be to delete the cookie within the JS once you've read your data from it:

http://techpatterns.com/downloads/javascript_cookies.php

If you need to have it back in the JS again on the next response, just have the server re-send it, and delete it again on the client side.

I should say that sending data which you would deem to be 'private' in this way does not seem entirely appropriate on the face of it - as this information could easily be viewed using a proxy of some type sat between the browser and the server.

rvxnet
0

As Richard H mentioned, data in cookies is visible to the user if they know where to look. So this is not a good place to store secrets.

That said, I had a different application which needed to store lots of data client-side and ran into this same problem. (In my application, I needed to make the application able to run offline and keep the user actions if the PC crashes or website is down.) The solution is pretty simple:

1) Store the cookie data in a JavaScript variable. (Or maintain it in a variable already.)

2) Remove the cookies. Here's a function that can erase a cookie:

function cookieErase (name) {
  // A negative Max-Age tells the browser to discard the cookie immediately.
  // The path (and domain, if one was set) must match the attributes the cookie
  // was originally set with, otherwise the original cookie is left in place.
  document.cookie = name+'=; Max-Age=-99999999;path=/';
}

If you have more than one cookie (as was my case), you have to run the above function for every cookie you have stored. There is code to iterate each cookie, but in practice you probably know the names of the large cookies already and you might not want to delete other cookies your website is relying on.

3) Send the request as you would normally.

4) Restore the cookie data from the saved variables.

Here are some optimizations you can use:

1) Only trigger this code on a status 400 bad request (which is what you get back if the cookie data is too large). Sometimes, your data isn't too big, so deleting is unnecessary.

2) Restore the cookie data after a timeout if it isn't needed immediately. In this way, you can make multiple requests and only restore the data if there is idle time. This means your users can have a fast experience when actively using your website.

3) The moment you can, try to get any data moved to the server-side so the burden on the client/communication is less. In my case, the moment that the connection is back up, all actions are synchronized as soon as possible.

azoundria
  • How to make a request without any cookie and without removing it – nim Mar 06 '19 at 17:00
  • 1
    I don't think that's possible. As far as I know, the browser will attach all cookies to every request, even if it results in the request failing. If you save the cookie data, remove the cookies, then restore it afterwards, it's the same effect. – azoundria Mar 07 '19 at 00:32
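The save / erase / request / restore steps from the answer above, wrapped into one helper, as an added example that is not code from any of the posters. `withCookiesWithheld`, `readCookies`, `eraseCookie` and `makeFakeDocument` are names chosen here; `doc` is any object with a `cookie` property shaped like `document.cookie` (pass `document` in a browser), and the fake jar at the bottom is a constructed stand-in so the logic runs offline under Node.

```javascript
// Added example (not from the thread): the save / erase / request / restore pattern.
function readCookies(doc) {
  const out = {};
  for (const part of doc.cookie.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

function eraseCookie(doc, name, path = '/') {
  // `path` must equal the path the cookie was set with, or the original survives.
  doc.cookie = `${name}=; Max-Age=-99999999; path=${path}`;
}

// Run `request` while the named cookies are absent, then put them back.
// Only what JS can see (name, value) is restored: Expires/Max-Age, Secure and
// SameSite are lost, and HttpOnly cookies are invisible here, so cannot be withheld.
function withCookiesWithheld(doc, names, request, path = '/') {
  const saved = readCookies(doc);
  const restore = () => {
    for (const n of names) {
      if (n in saved) doc.cookie = `${n}=${encodeURIComponent(saved[n])}; path=${path}`;
    }
  };
  for (const n of names) if (n in saved) eraseCookie(doc, n, path);
  let result;
  try { result = request(); } catch (e) { restore(); throw e; }
  // fetch() returns a promise: restore once it settles, success or failure.
  if (result && typeof result.then === 'function') return result.finally(restore);
  restore();
  return result;
}

// Constructed stand-in for document.cookie: assigning stores one cookie or,
// on a non-positive Max-Age, deletes it; reading joins them with "; ".
function makeFakeDocument() {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const i = pair.indexOf('='), name = pair.slice(0, i), value = pair.slice(i + 1);
      const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
      if (maxAge && Number(maxAge.slice(8)) <= 0) jar.delete(name);
      else jar.set(name, value);
    },
  };
}
```

Any other request the page fires while `request` is in flight also goes out without those cookies, so keep the withheld window as short as possible.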