40

As the question says, can you find out if a cookie exists within JavaScript if it is HttpOnly? I don't need to access the information inside of it, just know it has one.

A little more information on the situation is that there was originally a web server which used a cookie as an authentication token, and it was set to HttpOnly as it was not used by the client, so it added to the security.

However, now there is a change needed where the client needs to know if it has the cookie (as the site can work without the user being logged in, but if they are logged in (the auth cookie would exist) the site needs to display certain things and hide others).

There are other security precautions in place on the web server so there is no harm in the scenario where the client has an incorrect auth cookie, but the site makes it look like they are logged in, as it would delete the cookie and reject the user.

Grofit
  • Can you not alter the server-side code to communicate the authentication status to the client as part of page creation? – Neil Feb 19 '12 at 22:22
  • There is no server-side code really, it's a pure html/javascript web site which also allows the users to login to persist information outside of localStorage (that's where the web server kicks in). Originally the client was required to log in before accessing the site; however, now the user can use the entire site without logging in, using localStorage. This call to find out if the cookie exists is to show the login boxes or not, and other remote functionality if they are logged in. – Grofit Feb 19 '12 at 22:34

4 Answers

52

You can indirectly check to see if it exists by trying to set it to a value with JavaScript; if it can't be set, then the HttpOnly cookie must be there (or the user is blocking cookies).

function doesHttpOnlyCookieExist(cookiename) {
  // Expiry one second in the future, so a probe cookie that does get
  // written disappears almost immediately.
  var d = new Date();
  d.setTime(d.getTime() + (1000));
  var expires = "expires=" + d.toUTCString();

  // Try to overwrite the cookie from script. Per the cookie spec, the
  // browser rejects a non-HTTP write when an HttpOnly cookie with the same
  // name, domain and path already exists.
  document.cookie = cookiename + "=new_value;path=/;" + expires;
  // If the name is still absent from document.cookie, the write was
  // rejected: an HttpOnly cookie exists (or cookies are blocked entirely).
  return document.cookie.indexOf(cookiename + '=') == -1;
}
Andrea Salicetti
Eric Labashosky
  • Do you mind explaining which part of this isn't working on Firefox? I'm on 66.0.3 here and it seems to work perfectly fine... getting exactly the same results as on Chrome, Edge and IE11. – Mathijs Flietstra Apr 24 '19 at 11:22
  • Safari 13 overwrites the cookie – vitaliytv Jan 25 '20 at 06:02
  • Just tested on Safari 13.1, Firefox 76.0.1 and Chrome 83 on macOS Catalina. Worked like a charm on all 3, thanks for the brilliant trick! :D – Ali Almohsen Jun 02 '20 at 19:43
  • Agreed with Ali...that is a *brilliant* trick. I suspect it will be "fixed" at some point in the future, but for now, this is what I'm going with too... – Taylor C. White Jun 23 '20 at 17:44
  • In my opinion, you shouldn't rely on this solution because it's an implementation detail. Maybe in the future, major browsers will consider this a security vulnerability and in turn allow both cookies to co-exist sharing the same name. This might very well happen because browsers already provide this feature. – Charming Robot Jul 27 '20 at 21:48
  • Wow, it worked for me and saved my time as well, thanks man. – Vijay Dhanvai Sep 04 '20 at 11:41
  • This one doesn't seem to be working anymore on iOS 14. I tried with iPad and iPhone on iOS 14.x on both Chrome and Safari, neither of them worked. – Nghia Le Jan 11 '21 at 12:29
  • Hi, is there any update or alternative solution regarding iOS? It is not working on iOS. – Surendra Sep 14 '22 at 08:35
48

I had the same problem. I solved it with the server setting another cookie, not HttpOnly, every time it refreshed the HttpOnly session cookie, with the same max-age and no sensitive data. Now, if one of them is present, the same goes for the other, and the client can know if the HttpOnly counterpart is there.

Eduardo Poço
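The paired-cookie pattern described in this answer, as an added example that is not part of the original post: the server issues the HttpOnly session cookie together with a non-secret marker cookie sharing the same Max-Age and Path, and the client parses document.cookie for the marker only. The cookie names session and logged_in, the attribute set, and the helper names are assumptions.

```javascript
// Server side: build the two Set-Cookie header values for a login.
// The marker carries no secret; it only mirrors the session's lifetime.
function buildLoginCookies(sessionId, maxAgeSeconds) {
  const common = `Path=/; Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
  return [
    `session=${encodeURIComponent(sessionId)}; ${common}; HttpOnly`,
    `logged_in=1; ${common}`,
  ];
}

// Client side: parse a document.cookie style string ("a=1; b=2") into a map.
// The HttpOnly session cookie never appears here, so only the marker is visible.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue; // skip empty or malformed fragments
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try {
      value = decodeURIComponent(value);
    } catch (_) {
      // keep the raw value if it is not valid percent-encoding
    }
    if (name) out[name] = value;
  }
  return out;
}

// UI hint only: the server still validates the real session on every request,
// so a forged or stale marker can at most show the logged-in layout briefly.
function hasLoginMarker(cookieString) {
  return parseCookieString(cookieString).logged_in === '1';
}
```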
12

Whenever you need to check whether the cookie exists or not, you can send a request to the server that requires authentication & check the response. If it's something like 401 Unauthorized or 403 Forbidden, then the cookie probably doesn't exist & you can prompt the user for login.

On the other hand, if the cookie exists, it'll be automatically sent by the browser resulting in a 200 OK response.

Anubhav Das
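The probe-request approach from this answer, as an added example and not the answer's own code: the page asks an endpoint that requires the session cookie and maps the response status to a login state, with a third "unknown" outcome for network or server errors so that a failed check is not rendered as "logged out". The /api/me path, the injected fetch function and the stand-in server are assumptions.

```javascript
// Map an authenticated endpoint's status to a login state. Three outcomes,
// so a transport failure or a 5xx is not mistaken for a missing session.
function statusToLoginState(status) {
  if (status === 200) return 'logged_in';
  if (status === 401 || status === 403) return 'logged_out';
  return 'unknown';
}

// Ask the server; the browser attaches cookies (HttpOnly included) itself.
// fetchFn is injected so the logic can run without a browser; /api/me is an
// assumed endpoint that answers 401/403 when no valid session is presented.
async function probeLoginState(fetchFn, url = '/api/me') {
  try {
    const response = await fetchFn(url, {
      method: 'GET',
      credentials: 'include', // required when the API lives on another origin
      cache: 'no-store',      // never answer from a cached 200 or 401
    });
    return statusToLoginState(response.status);
  } catch (err) {
    return 'unknown'; // network failure, CORS rejection, etc.
  }
}

// Constructed stand-in for fetch: models a server that only sees the session
// cookie when the request was made with credentials, and can be "down".
function makeFakeFetch({ sessionValid, down = false }) {
  return async function fakeFetch(url, options) {
    if (down) throw new TypeError('Failed to fetch');
    if (url !== '/api/me') return { status: 404 };
    const cookieSent = !!options && options.credentials === 'include';
    return { status: cookieSent && sessionValid ? 200 : 401 };
  };
}
```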
12

No. And see Rob's comments below.

See this, which you probably already saw - http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly

An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie")...

Edit: Removed undefined response, I wrote a script that you may not be using :)

powtac
Mike
  • "It will return `undefined`"? Cookies are obtained through `document.cookie`, which is an always-existing string. The HttpOnly cookie just doesn't show up, but it's definitely not "`undefined`" – Rob W Feb 19 '12 at 22:01
  • I mean if you try to access it and get a return value. Right? – Mike Feb 19 '12 at 22:02
  • Cookies in JavaScript have to be obtained through string manipulation on `document.cookie`. For example, `document.cookie` can look like `value=woow%20; value2=another%20woot`. To find the value of the cookie whose key name is `value`, you can use (example): `var test = /(?:;\s*|^)?woow=([^;]*)/.exec(document.cookie);` If the cookie exists, you can get the value through `test[1]`. If it doesn't `test === null`, and trying to do `test[1]` will throw a `null` error. – Rob W Feb 19 '12 at 22:09