I am creating a small CRUD web app where I need the user to enter their password when they wish to delete an item from the database, I have an onClick() on the delete button on the HTML table which passes the ID of the product to be deleted to the js function. When the function runs I wish to confirm that they really want to delete the product and then ask for their password and store it in a cookie. BUT IT DOES NOT SEEM TO WORK :(

I am setting a cookie using javascript like

document.cookie = 'password=${userPassword},expires=${now.toGMTString()},path=/../includes/delete-product.inc.php; With this line of code, when I console.log(document.cookie), it shows me the cookie in the console like

password=admin,expires=Sat, 12 Dec 2020 08:40:38 GMT,path=/../includes/delete-product.inc.php; PHPSESSID=3n1l3q6ksqitdpc76hjrero9ja

when I redirect to another PHP page using window.open() I cannot access this cookie.

print_r($_COOKIE); <- only shows me the PHPSESSID only.

When I explicitly try to access the cookie using the following line $userPassword = $_COOKIE[password]; it gives me undefined index 'password'

This is my code.

myproject/admin/view-products.php (This is the page where I try to set the cookie using javascript)

function deletePrompt(id) {
  // Build an expiry 50 seconds in the future
  const now = new Date();
  const time = now.getTime();
  const expiresIn = time + (50 * 1000);
  now.setTime(expiresIn);
  const path = `../includes/delete-product.inc.php`;   // declared but not used below

  const intent = confirm("Are you sure you want to delete this product");
  if (intent === true) {
    const userPassword = prompt("Enter password");
    // Set the cookie, then log what the browser now reports for document.cookie
    document.cookie = `password=${userPassword},expires=${now.toGMTString()},path=/../includes/delete-product.inc.php`;
    console.log(document.cookie);
    // Redirect to the PHP page that performs the delete
    window.open(`../includes/delete-product.inc.php?id=${id}`, "_self");
  }
}

myproject/includes/delete-product.inc.php (This is the PHP page where I need to access the cookie)

<?php
require_once "./database-connection.inc.php";
require_once "./functions.inc.php";

// $_SESSION is read below, so session_start() must already have run
// in one of the included files.
if (isset($_SESSION["adminId"])) {
  $productId = $_GET["id"];
  $userPassword = $_COOKIE["password"];    //<- This throws undefined index error
  if (deleteProduct($connection, $productId, $userPassword)) {
    header("location: ../admin/view-products.php?msg=deleted");
    exit();
  }
  else {
    header("location: ../admin/view-products.php?msg=incorrectPass");
    exit();
  }
}
else {
  header("location: ../admin/login.php");
  exit();
}
  • look if this post helps you https://stackoverflow.com/questions/5045053/set-cookie-wih-js-read-with-php-problem – Giacomo M Dec 12 '20 at 09:01
  • oh.. thanks mate. I got it. :) – Usman_Codes._. Dec 12 '20 at 09:12
  • "_ask for their password and store it in a cookie_" Don't store passwords in cookies, or anywhere else but your server. – Teemu Dec 12 '20 at 09:14
  • so you are suggesting to store password in the $_SESSION super global variables? – Usman_Codes._. Dec 12 '20 at 09:19
  • Generally you want to expose a password as little as possible. That means you hash it at the earliest opportunity and store it to whatever persistent storage you have, most commonly a database. You can then store the reference to the user in a session. Keep in mind that `$_SESSION` data is most commonly communicated over a cookie (`PHPSESSID`) as well. – Ro Achterberg Dec 12 '20 at 09:45
  • Thanks for the tip.. I figure plain text password in session variables will be of no use to the attackers until the hashing algorithm used is known.. – Usman_Codes._. Dec 12 '20 at 10:01
  • No, that's not what I meant. Ro seems to have explained it already in their comment. Additionally to that, a password is meant to recognize users only when they're logging in. After that you'd store a random unique identifier to a session cookie, and also change that identifier periodically if possible during the session. Always use this identifier to recognize the user, don't expose passwords anywhere. If you want to make an intermediate psw check, do it similarly to your login logic. Keeping users' passwords safe is your responsibility; you shouldn't give any chance for password leaks. – Teemu Dec 12 '20 at 10:04

1 Answer

To anyone else facing this problem, the solution is that cookies don't get sent across directories, so you need to have the recipient file in the same domain if you wish to transfer cookies across them; otherwise it won't work. E.g. the following pattern will work

youProject/someDirectory/file1
youProject/someDirectory/file2 

The following will NOT WORK

youProject/someDirectory/file1
youProject/someOtherDirectory/file2