Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
browser seems to be changing a session cookie.. is javascript doing this?
I'm analysing HTTPS traffic between my Chrome browser and a 3rd party site of interest.
I notice that the website is passing back a cookie called "session" (in HTTP header "Set-Cookie"), but the next request from the browser has changed the cookie (its a long string of hex, maybe 100chars?, only the first say 20 chars have changed, but changed they have)... which is not what I expect to happen...
or is this being done by javascipt on the page when it loads?
I looked at the page searching for "cookie" but couldn't see anything.. however the page loads up a lot of other .JS scripts too... do I need to check all these too?
cheers
I notice that the website is passing back a cookie called "session" (in HTTP header "Set-Cookie"), but the next request from the browser has changed the cookie (its a long string of hex, maybe 100chars?, only the first say 20 chars have changed, but changed they have)... which is not what I expect to happen...
or is this being done by javascipt on the page when it loads?
I looked at the page searching for "cookie" but couldn't see anything.. however the page loads up a lot of other .JS scripts too... do I need to check all these too?
cheers
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
It isn't necessarily a 'session' cookie but could be session data generated by and for that page. Are you having an actual problem or are you just trying to figure out what you're seeing? An ASP.NET page that uses VIEW_STATE will send a lot of info back to the server with each page request.
I understood that it was the *server* that handed out cookies, and occasionally changed them or deleted them... (all via the Set-Cookie HTTP header)...
...but here the *browser* is changing the cookie, and sending it back to the server...
...and the server is changing it again and sending it back...
I'm wondering if they're both applying the same algorithm to the cookie text, using it as a means to verify that the cookie has not been "tampered" with or copied, as only the browser and server know the algorithm for changing the cookie.
However, if the browser *is* changing it, then it should be possible to find the code somewhere, as the code will be javascipt (or some other client code, e.g. VBScript), shouldn't it?
...but here the *browser* is changing the cookie, and sending it back to the server...
...and the server is changing it again and sending it back...
I'm wondering if they're both applying the same algorithm to the cookie text, using it as a means to verify that the cookie has not been "tampered" with or copied, as only the browser and server know the algorithm for changing the cookie.
However, if the browser *is* changing it, then it should be possible to find the code somewhere, as the code will be javascipt (or some other client code, e.g. VBScript), shouldn't it?
It would be JavaScript. More info here: http://www.w3schools.com/js/js_cookies.asp The page and the server could be using the cookie to communicate with each other.
Do you have an actual problem you're trying to solve?
Do you have an actual problem you're trying to solve?
Interesting. Web bots don't usually do that as far as I know. Can you share the link that is that changing the cookies? And which browser are you using to test it?
I could but it would be no use to you without logging you in to the website.
And they have functionality enabled to stop programs logging in from other IP addresses or domains than their customers lol.
I'm using Chrome. Somebody else on here told me about the "Inspect Element > Network" debugging functionality which is very powerful. I'm going to look at that to get a list of all the JS scripts loaded and I'll look through those.
Thanks, you've answered my original question so I'm going to award the points.
Any other hints you can give, I would be of course grateful!
And they have functionality enabled to stop programs logging in from other IP addresses or domains than their customers lol.
I'm using Chrome. Somebody else on here told me about the "Inspect Element > Network" debugging functionality which is very powerful. I'm going to look at that to get a list of all the JS scripts loaded and I'll look through those.
Thanks, you've answered my original question so I'm going to award the points.
Any other hints you can give, I would be of course grateful!
Well, you're fighting an uphill battle when they decide to start blocking web bots. Most web bots won't run the JavaScript on the sites so they can easily come up with a function that will block you.
There are ways around that apparently, so I've read anyhow. ... I need more research, to find out how they are changing the session via the page...
No doubt its a security measure to make it more difficult for bots!
I'll end up writing a fully functioning browser engine by the time I'm finished lol.
No doubt its a security measure to make it more difficult for bots!
I'll end up writing a fully functioning browser engine by the time I'm finished lol.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial