0

How can I access these 'Cookies' via JS code? They aren't present in the document.cookie object (it's empty).

screenshot

Nisarg Shah
dirty harry
  • 1
    possible duplicate of https://stackoverflow.com/questions/10730362/get-cookie-by-name – Aravind S Jul 02 '18 at 08:31
  • 1
    Possible duplicate of [Get cookie by name](https://stackoverflow.com/questions/10730362/get-cookie-by-name) – Eddie Jul 02 '18 at 08:33
  • 2
    If a cookie is marked HTTPOnly, it may not appear in the `document.cookie`. Looking at the screenshot, it seems like the first cookie qualifies for that. I am assuming that the other cookies belong to a different domain (possibly due to an Iframe on the page), so they might not appear on document.cookie unless you switch the context to that particular Iframe. – Nisarg Shah Jul 02 '18 at 08:36
  • 1
    Nisarg Shah, yes, you're the first to see that. So, is there a way to get HTTPOnly cookie? – dirty harry Jul 02 '18 at 08:40
  • 2
    @dirtyharry That's the point of HTTPOnly. That it can **only** be retrieved during an HTTP request, and **not** via Javascript. So no. – Ivar Jul 02 '18 at 08:42
  • @dirtyharry I just posted an answer with more details, but as Ivar said, HttpOnly is **meant** to prevent people from accessing cookies from Javascript. If you need to do so, either you can change the attribute value or you can try using localStorage. But with localStorage you lose the ability of setting its value from the server. – Nisarg Shah Jul 02 '18 at 08:46

2 Answers

2

If a cookie is marked HTTPOnly, it will not appear in the document.cookie. The attribute HTTPOnly is meant to prevent an XSS attack from stealing your cookies. So there is no way you can access a cookie marked HTTPOnly from Javascript.

Looking at the screenshot, it seems like the first cookie qualifies for that. I am assuming that the other cookies belong to a different domain (possibly due to an Iframe on the page), so they might not appear on document.cookie unless you switch the context to that particular Iframe.

References:

The HTTPOnly cookie attribute can help to mitigate this (XSS) attack by preventing access to cookie value through Javascript.

https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie

Also, you can read more about this in section "Cookie stealing and XSS" here: https://www.nczonline.net/blog/2009/05/12/cookies-and-security/

Nisarg Shah
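What the answer above describes, as an added example that is not part of the original answers: a Node.js sketch that parses constructed `Set-Cookie` header values, shows which cookies `document.cookie` would expose, and lists session-like cookies that lack `HttpOnly`. The function names, sample values and name pattern are assumptions, and Path, Domain, Secure and expiry matching is ignored.

```javascript
// Constructed sample Set-Cookie header values (not taken from the question).
const sampleHeaders = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'csrftoken=xyz789; Path=/; Secure; SameSite=Strict',
  'auth_token=def456; Path=/; Secure',
];

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq), // no "=": treat as nameless
    value: pair.slice(eq + 1),
    httpOnly: false, secure: false, sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim();
  }
  return cookie;
}

// Approximate the string document.cookie returns to page script:
// HttpOnly cookies are left out, the rest are joined as "name=value; ...".
// Assumption: every cookie matches the page's host, path and scheme.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit helper (hypothetical): session-like cookie names set without HttpOnly.
function missingHttpOnly(headers, sensitive = /sess|auth/i) {
  return headers.map(parseSetCookie)
    .filter((c) => sensitive.test(c.name) && !c.httpOnly)
    .map((c) => c.name);
}

console.log(scriptVisible(sampleHeaders));
console.log(missingHttpOnly(sampleHeaders));
```
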
-3

Have you tried the easy way:

var x = document.cookie;

Or you can create the following function to access a specific cookie:

    // Return the value of the named cookie from document.cookie, or "" if absent.
    function getCookie(cname) {
        var name = cname + "=";
        // Split first, then decode, so an encoded ";" inside a value
        // cannot be mistaken for a cookie separator.
        var ca = document.cookie.split(';');
        for (var i = 0; i < ca.length; i++) {
            var c = ca[i];
            // Skip the leading space that follows each ";".
            while (c.charAt(0) == ' ') {
                c = c.substring(1);
            }
            if (c.indexOf(name) == 0) {
                return decodeURIComponent(c.substring(name.length));
            }
        }
        return "";
    }

Link to documentation: w3schools cookies documentation

Try via JQuery

alert( $.cookie("example") );

Or if you have a secure cookie (HTTPOnly Cookie)

Go to this thread: Reading Secure Cookies

Thomas Verhoeven