browser seems to be changing a session cookie.. is javascript doing this?

zorba111
zorba111 used Ask the Experts™
on
I'm analysing HTTPS traffic between my Chrome browser and a 3rd party site of interest.

I notice that the website is passing back a cookie called "session" (in HTTP header "Set-Cookie"), but the next request from the browser has changed the cookie (its a long string of hex, maybe 100chars?, only the first say 20 chars have changed, but changed they have)... which is not what I expect to happen...

or is this being done by javascipt on the page when it loads?

I looked at the page searching for "cookie" but couldn't see anything.. however the page loads up a lot of other .JS scripts too... do I need to check all these too?

cheers
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dave BaldwinFixer of Problems
Most Valuable Expert 2014

Commented:
It isn't necessarily a 'session' cookie but could be session data generated by and for that page.  Are you having an actual problem or are you just trying to figure out what you're seeing?  An ASP.NET page that uses VIEW_STATE will send a lot of info back to the server with each page request.

Author

Commented:
I understood that it was the *server* that handed out cookies, and occasionally changed them or deleted them... (all via the Set-Cookie HTTP header)...

...but here the *browser* is changing the cookie, and sending it back to the server...

...and the server is changing it again and sending it back...

I'm wondering if they're both applying the same algorithm to the cookie text, using it as a means to verify that the cookie has not been "tampered" with or copied, as only the browser and server know the algorithm for changing the cookie.

However, if the browser *is* changing it, then it should be possible to find the code somewhere, as the code will be javascipt (or some other client code, e.g. VBScript), shouldn't it?
Fixer of Problems
Most Valuable Expert 2014
Commented:
It would be JavaScript.  More info here: http://www.w3schools.com/js/js_cookies.asp  The page and the server could be using the cookie to communicate with each other.

Do you have an actual problem you're trying to solve?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Yes, I'm writing a web bot, and looking to stay "in session"
Dave BaldwinFixer of Problems
Most Valuable Expert 2014

Commented:
Interesting.  Web bots don't usually do that as far as I know.  Can you share the link that is that changing the cookies?  And which browser are you using to test it?

Author

Commented:
I could but it would be no use to you without logging you in to the website.

And they have functionality enabled to stop programs logging in from other IP addresses or domains than their customers lol.

I'm using Chrome. Somebody else on here told me about the "Inspect Element > Network" debugging functionality which is very powerful. I'm going to look at that to get a list of all the JS scripts loaded and I'll look through those.

Thanks, you've answered my original question so I'm going to award the points.

Any other hints you can give, I would be of course grateful!
Dave BaldwinFixer of Problems
Most Valuable Expert 2014

Commented:
Well, you're fighting an uphill battle when they decide to start blocking web bots.  Most web bots won't run the JavaScript on the sites so they can easily come up with a function that will block you.

Author

Commented:
There are ways around that apparently, so I've read anyhow. ... I need more research, to find out how they are changing the session via the page...

No doubt its a security measure to make it more difficult for bots!

I'll end up writing a fully functioning browser engine by the time I'm finished lol.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial