Let's say I am logged in (with login/password) on a website/service https://example.com in a browser. If I open Developer tools, I can run document.cookie in the console and copy the string containing all the cookies associated with the current website.

Then I open a new incognito window, I go to https://example.com. Of course, I'm not logged in. I can remove the current cookies with the method described in Clearing all cookies with JavaScript in the Developer tools console, and then restore the cookies copied before:

```
document.cookie = "<the string that I copied before>"
```

Then after a page reload (F5), I expected to be logged in again, but it did not work. The cookies set with `document.cookie = "<the string that I copied before>"` are not kept. (For example, in the case of Reddit, it did not work.)

What's wrong with this JS approach to set cookies in the "Developer tools" from a previous session from another browser? Shouldn't it work?

Neucro
Basj
  • _“I can run document.cookie in the console and copy the string containing all the cookies associated to the current website.”_ - no, not _all_ of them. Only those that are accessible to client-side JavaScript in the first place. (Keyword: `httpOnly`) – CBroe Dec 14 '20 at 10:10
  • Thank you @CBroe, I think this is the answer. So there is no way to restore full cookies / a logged-in session into another browser / or into an incognito window of the same browser? – Basj Dec 14 '20 at 10:13

1 Answer

Normally, the session id is set to server only; you cannot get the session id in JS/the console.

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Restrict_access_to_cookies

Basj
f91kdash
  • Thank you for your answer. For completeness/future reference, can you add a source / link? – Basj Dec 14 '20 at 10:25
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies, you can find the answer in section "Restrict access to cookies" – f91kdash Dec 14 '20 at 10:39
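
The behaviour described in the answer and comments, as an added example that is not part of the original posts: a simplified model of a browser cookie jar, showing why the `HttpOnly` session cookie never appears in the copied string and why the restore step leaves the new session without it. The `CookieJar` class and the cookie names and values (`session_id`, `theme`, `lang`) are hypothetical, constructed for illustration; the model also reflects that one `document.cookie` assignment sets a single cookie.

```javascript
// Simplified cookie-jar model (added example; names and values are constructed).
function parseCookieString(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // simplification: require a non-empty name
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Set-Cookie response header: the server may set HttpOnly cookies.
  setFromHttp(header) {
    const c = parseCookieString(header);
    if (c) this.cookies.set(c.name, c);
  }
  // document.cookie = "...": one cookie per assignment; the rest is attributes.
  setFromScript(str) {
    const c = parseCookieString(str);
    if (!c || c.httpOnly) return false; // script cannot create HttpOnly cookies
    const old = this.cookies.get(c.name);
    if (old && old.httpOnly) return false; // nor overwrite an existing one
    this.cookies.set(c.name, c);
    return true;
  }
  // Reading document.cookie: HttpOnly cookies are omitted.
  readFromScript() { return this.format((c) => !c.httpOnly); }
  // Cookie request header: every stored cookie goes to the server.
  requestHeader() { return this.format(() => true); }
  format(keep) {
    return [...this.cookies.values()].filter(keep)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

function demo() {
  const loggedIn = new CookieJar();
  loggedIn.setFromHttp('session_id=abc123; Path=/; Secure; HttpOnly');
  loggedIn.setFromHttp('theme=dark; Path=/');
  loggedIn.setFromHttp('lang=en; Path=/');
  const copied = loggedIn.readFromScript(); // what the console shows
  const incognito = new CookieJar();
  incognito.setFromScript(copied); // the restore step from the question
  return { copied, sent: incognito.requestHeader() };
}
console.log(demo());
```

Run under Node, `demo()` shows the copied string holding only the script-readable cookies and the new session sending none of the session state to the server.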