在名称中设置cookie的冒号 [英] setting value of a cookie - colon in the name
问题描述
通过javascript和我的两个设置cookie值的新设置是基本的 - 虽然我很舒服的调整JQuery。
总之,我在一个必须依法显示Cookie政策的网站上工作。
我们有一个第三方解决方案将弹出一个jquery控制的div容器,其中包含一条消息和几个按钮:稍后提醒我和设置。如果用户点击设置,则可以保存并关闭或更改安全级别,弹出窗口将会消失。
我们调整了此第三方解决方案, 接受按钮,用户只需确认默认Cookie设置并继续使用该网站。
到目前为止很好!
我们知道这个第三部分的解决方案是写一个具有以下基本值的cookie:
Cookie名称: wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_ = true;
如果此值设置为 true ,则提示更改Cookie设置的弹出消息将不会再显示,直到Cookie过期。
问题是cookie name在其名称中有一个冒号(:),当我们通过javacript解析cookiename时,它会创建一个名为
的cookie: wsjnudge_javascript%253AjQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_
用%253A
替换冒号(:)。我们写了一些Jquery / javascript代码设置此Cookie的值并尝试对冒号编码:
首先通过设置var:
var acceptCookieEncode = encodeURIComponent
(wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_);
然后通过点击功能写入cookie并关闭弹出窗口:
jQuery(document).on('click','。continue',function(){
jQuery。 cookie(acceptCookieEncode,'true',{expires:365});
jQuery('#wsjnudge')。remove();
因此,总而言之,close函数是正常工作的,但cookie名称不正确,因为冒号,所以实际上我们创建和设置值到错误的cookie名称。 p>
我知道我可能需要使用base64,但我完全不知道如何实现这个,显然我没有正确使用 encodeURIcomponent 来正确解析URI。
如果此邮件的格式不正确,我们深表歉意。首先海报,但StackOverflow的常规用户,提前感谢任何帮助。
Dan。
没有标准的转义机制。例如,; 字符根本不能用于cookie;与URL编码或HTML编码不同,没有任何方案允许直接从cookie取得的字符表示分号。
所以,人们倾向于做ad-hoc编码 - 它们用一些任意形式的编码来编码cookie,并且在将其拉回来之后再次对其进行解码。 URL编码,这是 encodeURIComponent()是最流行的ad-hoc编码方法,但仍然不是一个你可以期望工具无条件使用。
jQuery cookie插件采用这种形式的编码,并为您的cookie名称和值调用 encodeURIComponent()。所以如果你传递名字 wsjnudge_javascript:jQuery ... ,你将设置的cookie将具有真实名称 wsjnudge_javascript%3AjQuery 。当你在示例代码中调用 encodeURIComponent()时,你将得到的输出是双重编码: wsjnudge_javascript%253AjQuery。 .. 。
据推测,这两个名称都不适用于您使用的第三方代码,这可能是在寻找Cookie与真实名称 wsjnudge_javascript:jQuery ... 。您无法使用jQuery Cookie插件设置此Cookie,因为它内置了非Cookie标准的网址编码。您可以直接在JavaScript中设置,例如:
document.cookie ='wsjnudge_javascript:jQuery_ws.jpecrJs.display ws.jpecrJs())_ = true';
虽然注意,您可能需要添加一些参数才能匹配第三方代码正在使用 - 如果路径和 domain 参数不匹配,那么您可以最终与两个副本相同
理论上,根据 RFC 6265 这是我们对cookie的标准最近的事情,不应该允许在cookie名称中包含冒号而不用双引号括起来。然而,在实践中,浏览器(我测试过)确实允许它,并且不把双引号当作任何特殊的 - 所以在这种情况下,真正的cookie名称将最终包含双引号,这将无法识别第三方脚本。
将冒号放在cookie名称中有点不太合适,因为这样,但是这可能是第三方脚本的一部分,所以你被卡住了它。 Cookie名称通常很奇怪,我担心它似乎包含可执行的JavaScript代码。
我不知道这是否真的发生了没有第三方源代码,但如果第三方脚本确实从cookie名称中提取该JavaScript代码并使用 eval()执行它,那么这是一个很糟糕的主意。除了严重的丑陋,它将允许任何人可以注入一个cookie到你的域(例如从一个易受攻击的相关域)升级该cookie注入一个完整的跨站点脚本漏洞。
这取决于你的网站做什么,以及你有什么用户数据/交互,无论你担心这种攻击。我个人对我在我的一个网站上做这件事感到不舒服...
Im new to setting cookie values through javascript and my knowledge of both is basic - although Im comfortable with tweaking JQuery.
In summary, Im working on a web site which must display a cookie policy by law.
We have a third-party solution will pop up a jquery controlled div container with a message and a couple of buttons: 'remind me later' and 'settings'. If the user clicks settings they can then 'save and close' or change the security level, and the popup will disappear.
We have tweaked this third party solution and added an 'accept' button whereby the user can just acknowledge the 'default' cookie settings and continue using the site.
So far so good!
We know that this third-part solution is writing to a cookie with the following basic values:
Cookie name: wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_= true;
If this value is set to true then the popup message prompting to change cookie settings will not display again until the cookie expires.
The problem is the cookie name has a colon ( : ) in its name, and when we parse the the cookiename via javacript, it creates a cookie with the name:
wsjnudge_javascript%253AjQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_
So the colon ( : ) is being replaced with %253A
We have written a bit of Jquery / javascript code to set the value of this cookie and attempt to encode the colon:
First by setting a var:
var acceptCookieEncode = encodeURIComponent
("wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_");
And then by having a click function to write to the cookie and close the popup:
jQuery(document).on('click','.continue',function(){
jQuery.cookie( acceptCookieEncode, 'true', { expires: 365 });
jQuery('#wsjnudge').remove();
So, in summary the close function is working, but the cookie name is incorrect because of the colon, so in effect we are creating and setting the value to the wrong cookie name..
I understand that I might have to use base64 but I have absolutely no idea how I would implement this, and evidently I am not correctly using the encodeURIcomponent to parse the URI correctly.
I apologize if the formatting of this message is incorrect. First-time poster, but regular user of StackOverflow, and thanks in advance for any help.
Dan.
Cookies do not have a standard escaping mechanism. The ; character, for example, simply cannot be used in a cookie at all; unlike with URL-encoding or HTML-encoding there is no scheme that will allow a character taken directly from a cookie to represent a semicolon.
So what people tend to do is ad-hoc encoding - they encode the cookie with some arbitrary form of encoding, and decode it again after pulling it back out. URL-encoding, which is what encodeURIComponent() does, is the most popular ad-hoc encoding method, but still not one you can expect tools to use unconditionally.
The jQuery cookie plugin adopts this form of encoding, and calls encodeURIComponent() for you on the cookie name and value. So if you pass the name wsjnudge_javascript:jQuery... to it, the cookie you'll be setting will have the real name wsjnudge_javascript%3AjQuery. When you call encodeURIComponent() yourself on top of that as in your example code, the output you will get is double-encoded: wsjnudge_javascript%253AjQuery....
Presumably neither of these names are any use to the third-party code you are using, which is probably looking for the cookie with the real name wsjnudge_javascript:jQuery.... You cannot set this cookie with the jQuery cookie plugin because of its built-in non-cookie-standard URL-encoding. You can by setting it directly in JavaScript, eg:
document.cookie= 'wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_= true';
though either way note you may need to add some parameters to that to match whatever the third-party code is using - if the path and domain parameters don't match then you can end up with two copies of the same cookie.
In theory, according to RFC 6265 which is the nearest thing we have to a standard for cookies, it shouldn't be allowable to include a colon in a cookie name without surrounding the name in double quotes. However, in practice browsers (that I've tested) do allow it, and don't treat the double quotes as anything special - so the real cookie name in that case would end up containing double quotes, which wouldn't be recognised by the third-party script.
Putting colons in cookie names is somewhat inadvisable because of this, but that is presumably part of the third-party script so you're stuck with it. The cookie name in general is very weird and I'm worried that it appears to contain executable JavaScript code.
I can't tell if this is really what's happening without the third-party source code, but if the third-party script does indeed extract that JavaScript code from the cookie name and execute it with eval() then that's a really bad idea. Apart from the grievous ugliness, it would allow anyone who could inject a cookie into your domain (eg from a vulnerable related-domain) to escalate that cookie injection into a full-blown cross-site-scripting vulnerability.
It depends on what your site does and what user data/interactions it has whether you're worried about that kind of attack. Personally I would be uncomfortable with doing that on one of my sites...
这篇关于在名称中设置cookie的冒号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
