browser seems to be changing a session cookie.. is javascript doing this?

I'm analysing HTTPS traffic between my Chrome browser and a 3rd party site of interest.

I notice that the website is passing back a cookie called "session" (in HTTP header "Set-Cookie"), but the next request from the browser has changed the cookie (its a long string of hex, maybe 100chars?, only the first say 20 chars have changed, but changed they have)... which is not what I expect to happen...

or is this being done by javascipt on the page when it loads?

I looked at the page searching for "cookie" but couldn't see anything.. however the page loads up a lot of other .JS scripts too... do I need to check all these too?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
It isn't necessarily a 'session' cookie but could be session data generated by and for that page.  Are you having an actual problem or are you just trying to figure out what you're seeing?  An ASP.NET page that uses VIEW_STATE will send a lot of info back to the server with each page request.
zorba111Author Commented:
I understood that it was the *server* that handed out cookies, and occasionally changed them or deleted them... (all via the Set-Cookie HTTP header)...

...but here the *browser* is changing the cookie, and sending it back to the server...

...and the server is changing it again and sending it back...

I'm wondering if they're both applying the same algorithm to the cookie text, using it as a means to verify that the cookie has not been "tampered" with or copied, as only the browser and server know the algorithm for changing the cookie.

However, if the browser *is* changing it, then it should be possible to find the code somewhere, as the code will be javascipt (or some other client code, e.g. VBScript), shouldn't it?
Dave BaldwinFixer of ProblemsCommented:
It would be JavaScript.  More info here:  The page and the server could be using the cookie to communicate with each other.

Do you have an actual problem you're trying to solve?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Price Your IT Services for Profit

Managed service contracts are great - when they're making you money. Yes, you’re getting paid monthly, but is it actually profitable? Learn to calculate your hourly overhead burden so you can master your IT services pricing strategy.

zorba111Author Commented:
Yes, I'm writing a web bot, and looking to stay "in session"
Dave BaldwinFixer of ProblemsCommented:
Interesting.  Web bots don't usually do that as far as I know.  Can you share the link that is that changing the cookies?  And which browser are you using to test it?
zorba111Author Commented:
I could but it would be no use to you without logging you in to the website.

And they have functionality enabled to stop programs logging in from other IP addresses or domains than their customers lol.

I'm using Chrome. Somebody else on here told me about the "Inspect Element > Network" debugging functionality which is very powerful. I'm going to look at that to get a list of all the JS scripts loaded and I'll look through those.

Thanks, you've answered my original question so I'm going to award the points.

Any other hints you can give, I would be of course grateful!
Dave BaldwinFixer of ProblemsCommented:
Well, you're fighting an uphill battle when they decide to start blocking web bots.  Most web bots won't run the JavaScript on the sites so they can easily come up with a function that will block you.
zorba111Author Commented:
There are ways around that apparently, so I've read anyhow. ... I need more research, to find out how they are changing the session via the page...

No doubt its a security measure to make it more difficult for bots!

I'll end up writing a fully functioning browser engine by the time I'm finished lol.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTTP Protocol

From novice to tech pro — start learning today.