zorba111 asked:

browser seems to be changing a session cookie.. is javascript doing this?

I'm analysing HTTPS traffic between my Chrome browser and a 3rd party site of interest.

I notice that the website is passing back a cookie called "session" (in HTTP header "Set-Cookie"), but the next request from the browser has changed the cookie (it's a long string of hex, maybe 100 chars?, only the first say 20 chars have changed, but changed they have)... which is not what I expect to happen...

Or is this being done by JavaScript on the page when it loads?

I looked at the page searching for "cookie" but couldn't see anything.. however the page loads up a lot of other .JS scripts too... do I need to check all these too?

Dave Baldwin

It isn't necessarily a 'session' cookie but could be session data generated by and for that page.  Are you having an actual problem or are you just trying to figure out what you're seeing?  An ASP.NET page that uses VIEW_STATE will send a lot of info back to the server with each page request.
zorba111


I understood that it was the *server* that handed out cookies, and occasionally changed them or deleted them... (all via the Set-Cookie HTTP header)...

...but here the *browser* is changing the cookie, and sending it back to the server...

...and the server is changing it again and sending it back...

I'm wondering if they're both applying the same algorithm to the cookie text, using it as a means to verify that the cookie has not been "tampered" with or copied, as only the browser and server know the algorithm for changing the cookie.

However, if the browser *is* changing it, then it should be possible to find the code somewhere, as the code will be JavaScript (or some other client code, e.g. VBScript), shouldn't it?
Yes, I'm writing a web bot, and looking to stay "in session"
Interesting.  Web bots don't usually do that as far as I know.  Can you share the link that is changing the cookies?  And which browser are you using to test it?
I could but it would be no use to you without logging you in to the website.

And they have functionality enabled to stop programs logging in from other IP addresses or domains than their customers lol.

I'm using Chrome. Somebody else on here told me about the "Inspect Element > Network" debugging functionality which is very powerful. I'm going to look at that to get a list of all the JS scripts loaded and I'll look through those.

Thanks, you've answered my original question so I'm going to award the points.

Any other hints you can give, I would be of course grateful!
Well, you're fighting an uphill battle when they decide to start blocking web bots.  Most web bots won't run the JavaScript on the sites so they can easily come up with a function that will block you.
There are ways around that apparently, so I've read anyhow. ... I need more research, to find out how they are changing the session via the page...

No doubt it's a security measure to make it more difficult for bots!

I'll end up writing a fully functioning browser engine by the time I'm finished lol.