I'm a newbie learning Laravel and have the following in my route file:
Route::get("/setcookie", function(){
$cookie = Cookie::make("low-carb","almond cookie",30);
return Redirect::to("getcookie")->withCookie($cookie);
});
Route::get("/getcookie", function(){
$cookie = Cookie::get("low-carb");
return View::make("getcookie")->withCookie($cookie);
});
I set a cookie and redirect to a different page. I want to be able to show the cookie via a JavaScript dialog box in a view page. The "getcookie" view page looks like:
<html>
<body>
this is the cookie page
<script language="javascript">
window.onload = showCookies;
function showCookies(){
alert("Cookie is: " + document.cookie);
}
</script>
</body>
</html>
The only thing I see on the popup dialog box is "Cookie is". The value I am expecting doesn't show up.
I know definitely that I am doing something wrong because when I check the cookies in the Chrome developer tools, I see that for the "setcookie" route, the keys REQUEST COOKIE and RESPONSE_COOKIE (laravel_session and low-carb) both have values, but for the "getcookie" route where it is redirected to, the REQUEST COOKIE key in Chrome has both "laravel_session and low-carb" but the RESPONSE_COOKIE key only has the "laravel_session" and the "low-carb" key-value is missing.
What am I doing wrong?
By default Laravel cookies are marked as httponly - this means that they can't be accessed via JS. This is often what you want, hence it being the default.
If you look at the source here: https://github.com/laravel/framework/blob/master/src/Illuminate/Cookie/CookieJar.php#L41, you'll see that the method signature looks like:
public function make($name, $value, $minutes = 0, $path = null, $domain = null, $secure = false, $httpOnly = true)
where the last variable passed in is the httpOnly variable.
So, if you change from:
Cookie::make("low-carb","almond cookie",30);
to
Cookie::make("low-carb","almond cookie",30, null, null, false, false);
Then your cookie will not be marked as httponly, and will be accessible via JS.
You can check if a cookie is httponly or not by using your browser's dev tools. In Chrome's Dev Tools go to Resources, then to Cookies, then to your domain, and there is a column in that table called HTTP - it has a tick if that cookie is HTTPonly.
Edit: All cookies are encrypted and signed in Laravel, so that users can't tamper with them. Not 100% on this personally - $_SESSION is for persistent data that the user can't edit, $_COOKIE is for data that you want the user to be able to read and edit. Anyway, just use PHP's native:
setcookie("low-carb", "almond cookie", time()+(30*60));
instead of the laravel method if you want to do this.
You might also want to think whether there is a "better" way to deal with this - perhaps you don't need Cookies for this anyway (remember they are sent with every request that matches the cookie's path, CSS, JS, images, fonts - everything)
Related
I've been working on a project where lots of information is stored in cookies.
We're using the PHP Laravel 5.2 framework and the jQuery library 1.9. Everything is working fine, but when trying to read a cookie with jQuery that was created with Laravel PHP code, it returns nothing, but when I check it in the browser cookies and read it with PHP Laravel, it works fine.
Laravel Code:
Cookie::queue('COOKIE_NAME', $value, $minutes); //Create a cookie
jQuery Code:
var cookieValue = $.cookie("COOKIE_NAME"); //Return nothing
After a few minutes of testing, I found this: "Is it possible to read HTTPONLY cookies with jQuery?". It means you cannot read HttpOnly cookies, so you should compact the cookie's value to the view instead, or make it available like so, but you will deal with security issues, I guess.
Cookie::queue('COOKIE_NAME', 'MyValue', 60, null, null, false, false);
With this kind of setting, you can read your cookies with jquery cookies.
P/S: The cookie's value will be encrypted with base64, so you need to decrypt it before using it.
Hope this helps.
You can either make an ajax request to retrieve the cookies from your controller or you can create a meta tag as
<meta name="cookie" content="{{ cookie_function() }}" />
in your blade.php file. Then using jquery
var cookieValue = $('meta[name="cookie"]').attr('content');
I am using jquery.cookie.js to set a cookie as in the following code:
$.cookie('objectID', objectID);
var theTarget = '/mvtm?page_id=4252' ;
window.open(theTarget, "Detail").focus();
Then in the targeted page, in an iframe, I am using PHP code to access the cookie:
$variable = $_COOKIE['objectID'];
However, that index in $_COOKIE is undefined! I can see the cookie in the browser in both the page where it is set and the targeted page (using browser developer tools). These pages are all in the same domain (localhost) and the cookies are intended to be simple session cookies.
Does the fact that both the set and get code above are in iframes have any bearing? I've tried this in both Safari and Firefox.
Make the cookie available across the entire domain by setting the path
$.cookie('objectID', objectID, { path: '/' });
by default it's only available on the page where it was created.
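Added example (not from any of the posts above): a small JavaScript model of the two browser rules behind the answers on HttpOnly and on the cookie path. It covers only the Path and HttpOnly attributes; the cookie values and the /app/list/ paths are constructed placeholders.

```javascript
// Minimal model of a browser cookie store (RFC 6265 subset).
// Domain, Secure, SameSite and expiry are deliberately ignored.

// RFC 6265 section 5.1.4: the default Path is the "directory" of the setting URL.
function defaultPath(urlPath) {
  if (!urlPath.startsWith("/")) return "/";
  const cut = urlPath.lastIndexOf("/");
  return cut === 0 ? "/" : urlPath.slice(0, cut);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie header value received while loading `urlPath`.
function parseSetCookie(header, urlPath) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: defaultPath(urlPath), httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (k.toLowerCase() === "path" && v.startsWith("/")) cookie.path = v;
  }
  return cookie;
}

const visible = (jar, path) => jar.filter((c) => pathMatches(path, c.path));
const join = (cs) => cs.map((c) => `${c.name}=${c.value}`).join("; ");

// What the server receives in the Cookie request header for `path`.
const cookieHeader = (jar, path) => join(visible(jar, path));
// What script sees in document.cookie on `path`: HttpOnly entries are withheld.
const documentCookie = (jar, path) =>
  join(visible(jar, path).filter((c) => !c.httpOnly));

// Constructed sample headers (placeholder values, not real Laravel output).
const jar = [
  parseSetCookie("low-carb=ENCRYPTED_VALUE; path=/; HttpOnly", "/setcookie"),
  parseSetCookie("readable=1; path=/", "/setcookie"),
  parseSetCookie("objectID=42", "/app/list/index.html"), // no Path attribute
];
```

Here `documentCookie(jar, "/getcookie")` omits `low-carb` while `cookieHeader(jar, "/getcookie")` still carries it, and `objectID` is sent for `/app/list/detail.php` but not for `/mvtm` until it is set with `path=/`.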
That's my problem: I have a website, example.com, in whose index.html file I introduced a <script src="website.net/js.js"></script>. As you can see, this is on another web server.
In the js.js I have some data that I want to send to PHP. For that, I am using Ajax. So, I made a request to "website.net/data.php" using the GET method. In the data.php file everything is OK, I received the value, but I want to set a cookie whose value is what I received through Ajax. Here is the problem. The setcookie function says that the cookie was set, but when I check in the browser, there's no cookie!
It works fine if the index.html file where I use <script src="website.net/js.js"></script> is hosted on the same domain where I am making the request. If it is on another domain, it doesn't work anymore.
I have read something about Ajax cross site, but I don't want to send something back to example.com. All I want is to send some data from example.com to website.net and then setting a cookie based on that value.
From the example.net I take a single value. On website.net I receive that value, I check if it's not already a cookie set, if it's not, I set it. On the same page, website.net, I use this cookie too.
Where do you check if the cookie is set? On the domain example.com or on the domain website.net?
In case you try to access the cookie using example.com, it is simply not possible to write/access or do anything with a cookie of another domain. This is for security reasons. If you could, every other website could access your cookie and steal your identity easily.
Try to set the cookie within an iframe. I'm not sure if you can actually set cookies for website.net using JavaScript just because js.js is loaded from that domain.
Thank you very much!
I found another way to send the data to a PHP file without Ajax, using basic JavaScript and an <img /> tag
For example:
example.com has in index:
<script type="text/javascript" src="http://website.net/js.js"></script>
In the js.js file I have
var important_data = 123; //
var src = "http://website.net/process.php?important_data=" + important_data;
document.write('<img src="' + src + '"/> ');
Now, every time I load example.com, it sends the important data to website.net. I tried to set a cookie in the process.php file and it worked! I tested that idea on localhost (both 'websites' were on my local server), but it should also work between 2 different domains. I'll try to see if it works between 2 different websites. After that, I'll come back to share the result.
Thank you!
Later Edit:
I checked if I can set a cookie using that method, and it works!
It works great! The cookie for website.net is not set for that domain, it is set for example.com. Exactly how I want!
I am using Codeigniter with the TankAuth library installed and trying to upload to index.php/requests/doUpload from swfupload but can't access the page as authenticated. I have read many posts around the net about similar problem and tried to set $config['sess_match_useragent'] = FALSE; but still no difference. I have ended up skipping the login check in my controller for testing purposes. But now I need to access tankAuth library from my controller to get the current logged in user ID. It is requested in my application and cannot skip it, I really need to pass the logged in user id to that doUpload model. I have setup controller like this:
function doUploadFileFn() {
if (!$this->tank_auth->is_logged_in()) {
return;
} else {
$user_id = $this->tank_auth->get_user_id();
$this->load->model('requests/doUploadFile');
$this->doUploadFile->uploadData($user_id);
}
}
Now, it does not pass the is_logged_in() check, as I learned from other posts, CI deletes the session but I have setup the config not to match the user agent but still not working.
Is there any solution to this out there?
Following the tutorial in the CI forums I was able to achieve what you are asking for.
1) Put this in the SWFUpload JS config:
post_params: {"<?php echo $this->config->item('sess_cookie_name'); ?>" :"<?php echo $this->session->get_cookie_data(); ?>"},
2) And place the MY_Session.php file in your application/libraries/ folder.
3) The new library should be loaded the moment the view is loaded if not (for some reason) then load your library in the controller.
P.S: You need to set:
$config['sess_match_useragent'] = FALSE;
Otherwise a new session will be created for a useragent Shockwave Flash
EDIT: Okay, based on your comment... you really need to set your post_params setting to your current session so it can be sent when the Flash posts to your controller. Now, in your case, the best thing I could think of is the below:
Your externalUntouchableJsFile.js:
// JS scripts...
...
var swfu = new SWFUpload({
...
...
post_params: GLOBAL_VAR,
...
});
...
// rest of your JS
And in your PHP view and before loading this JS file have something like:
<script>
var GLOBAL_VAR = {};
<?php if(session_is_there) { ?>
GLOBAL_VAR = {"<?php echo $this->config->item('sess_cookie_name'); ?>" :"<?php echo $this->session->get_cookie_data(); ?>"}
<?php } ?>
</script>
<script type="text/javascript" src="<?php echo base_url() ?>path/to/js/externalUntouchableJsFile.js"></script>
EDIT 2: Since you are using an external js file, you may forget to define the global variable so use:
post_params: (typeof GLOBAL_VAR === 'undefined') ? {}:GLOBAL_VAR,
It bears mentioning that the Flash file should be served from the same domain as your CI site or one won't be able to read the other's cookies. Also make sure that the login cookie path is set to the root path. If SWFUpload can not read the login cookie, it can not send it either.
Flash has limited access to session cookies, as documented here in the SWFUpload forum. Is it possible that you've set the auto login to avoid setting an expiration (in config/tank_auth.php), thereby making it a session cookie? If that is the case, then the SWFUpload SWF may not be able to access or send the autologin cookie value, depending on the version of Flash player on the computer. Double-check your cookie expiration values using a debug tool like Firebug to see if this is the case. If the upload works when you check a "remember" me box but not otherwise, that would indicate a session cookie problem.
To force the SWF to pass the TankAuth cookie value on file uploads, you could first overload the cookie helper get_cookie function to look in either the $_COOKIE array or the $_POST array for values. Then, it appears that with SWFUpload v2 you can send additional POST values along with the upload, and this would be the way to send the autologin key, which would then allow your controller to get the user_id. But before hacking the Cookie helper, make sure your moving parts are working first, as described in the first paragraph.
I have managed to apply a rough fix for this by passing the logged-in user ID in the URL, and getting it from JavaScript with URL functions. It's the best method I can rely on right now. It doesn't bother me too much that the user ID is visible because I'm using a managed iframe to display that specific part of the app and the app is for internal company use only.
Thanks for your answers.
I am using PHP/JavaScript/MySQL on XAMPP to develop the prototype.
I need to use sessions, which in turn make use of cookies. Here is the question,
how do I know whether or not the user's browser supports cookies or not.
For detecting javascript, I use <noscript></noscript>. Please correct me if I am wrong.
Thank you
You have to set a cookie and test it to see if they're enabled:
<script type = "text/javascript" language = "JavaScript">
var tmpcookie = new Date();
chkcookie = (tmpcookie.getTime() + '');
document.cookie = "chkcookie=" + chkcookie + "; path=/";
if (document.cookie.indexOf(chkcookie,0) < 0) {
window.location = 'nocookies.html';
}
else {
window.location = 'cookies.html';
}
</script>
Here is the question, how do I know whether or not
the user's browser supports cookies or not.
If a cookie isn't set, set a cookie and redirect to a page that checks if the cookie is set. If it is, redirect back, otherwise redirect to a "Sorry, we really need cookies" page.
Only do this if you do really need cookies.
For detecting javascript, I use <noscript></noscript>. Please correct me if I am wrong.
Better to build on things that work.
I will choose a different style of detecting.
To detect whether JavaScript is enabled/disabled, I will write some little elements (perhaps a div) and I will execute some JavaScript to remove those elements. Hence, when JavaScript is disabled/doesn't exist, those elements will still be there saying "Please activate your JavaScript". On the other hand, those element(s) will be gone since JavaScript has already removed them. After all, it comes back to your website concept. Some websites can't do anything when JavaScript does not exist/is disabled, and further they choose to redirect the request to another page (through tag). Some websites can still function but certain features will not be available, and this concept leads to the "warning" technique.
To detect whether cookies are enabled/disabled, just set a cookie using JavaScript. In the next request, you can check whether that cookie is set or not. If it's set, then both JavaScript and cookies are enabled. If it's not set, then JavaScript or cookies or both are disabled.
Good luck