zorba111
hunting for what is changing a cookie on the *browser* (not on the server)

I'm writing a bot that mimics my browser, Chrome.

In Chrome, when I interact with the website I'm interested in, the website passes back a cookie "session" using the "Set-Cookie" header in the HTTP response. *However*, on the next HTTP request from the browser, the request headers have an entry "Cookie" with an *altered* value.

Please read my assumptions/guesses about what is happening, and comment if they are valid assumptions or not:

(1) the browser has changed the cookie's value (explanation: the server sent valueA in its http response, but now the browser is using valueB in its next http request)

If assumption (1) is true...
(2) What changed the cookie's value on the browser must be javascript, because only a script can change a cookie's value on the browser, and the only script in this page is javascript.

if assumption (2) is true...
(3) Chrome's "Inspect Element > Network" tool shows me that 5 javascript files were part of the page request (out of a total of 28 files), so it must be one of these 5 that are changing the "session" cookie.

if assumption (3) is true...
(4) I should be able to find the code that changes the cookie value by searching for ".cookie=" (or similar with whitespace). (Explanation: http://www.w3schools.com/jsref/dom_obj_document.asp shows that the syntax for changing a cookie is document.cookie = "session=abc94g290" for example. Document may be assigned to a variable, so not safe to search for "document.cookie=")


Ok, following this logic, only two instances of ".cookie=" turn up.

one is in analytics.js
the other is in jquery-ui.min.js

from your knowledge of javascript libraries, is any of these likely to be the code changing my "session" cookie?

if not (as I suspect), then what is changing it??
zorba111

ASKER

Hi Dave, how do I look for these AJAX calls? cheers
**UPDATE: from my 5mins research I should be looking for creation of XMLHttpRequest objects. Is this the only way AJAX can be facilitated?
**UPDATE2: from another 15mins research, yes XMLHttpRequest objects are central to AJAX. And I can see how a file can be loaded into a JS variable (calls to open and send methods of the XMLHttpRequest object). Next to research is how to execute this if it's actually a file containing JS.... (instead of just text or XML)...
**UPDATE3: more research tells me that the JS can be loaded via XMLHttpRequest, presumably set to the innerHTML attribute of some DOM element, e.g. <div> or <p>. Then use JS's eval function. So I'm now looking for a chain of events like this happening anywhere in the loaded (or target document's) JS.

Good research. Yes, the response headers for any request can change any cookie that has been set by that site. Sounds like they have gotten pretty serious about blocking web bots.

I had made a false assumption in my initial understanding of the problem.

The other guys made some very valid points and suggestions that helped my understanding (or to confirm my understanding) and they would have helped had it not been for my initial bad assumption.
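
The comment above, that the response headers for any request can change a cookie, means every response in the page load is a candidate, not only the scripts. As an added example (not part of the original thread), the code below walks a constructed list of responses in arrival order and reports which ones changed a named cookie; the URLs, cookie values and function names are assumptions.

```javascript
// Constructed sample: responses in the order the browser received them,
// as could be copied from the DevTools Network tab. URLs and values are made up.
const responses = [
  { url: "https://example.test/", setCookie: ["session=valueA; Path=/; HttpOnly"] },
  { url: "https://example.test/js/analytics.js", setCookie: [] },
  { url: "https://example.test/api/ping",
    setCookie: ["theme=dark; Path=/", "session=valueB; Path=/; HttpOnly"] },
  { url: "https://example.test/img/logo.png", setCookie: ["session=valueB; Path=/; HttpOnly"] },
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attributes };
}

// Return every response whose Set-Cookie changed the value of the named cookie.
function cookieChanges(log, name) {
  const changes = [];
  let current; // undefined until the cookie is first set
  for (const { url, setCookie } of log) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c || c.name !== name || c.value === current) continue;
      // httpOnly: true means page script cannot read this cookie via
      // document.cookie, so the change came from a response header.
      changes.push({ url, from: current ?? null, to: c.value,
                     httpOnly: c.attributes.httponly === true });
      current = c.value;
    }
  }
  return changes;
}

console.log(cookieChanges(responses, "session"));
```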