XSS Security And Cookie Dilemma

Hi all, I read in the cookie management wiki that if XSS security via the HttpOnly cookie flag was activated, cookies weren't usable in JS anymore. However, as I use accordion and treeview, which are jQuery plugins integrated into Yii, I was wondering how I could write my cookie in an HTTP/PHP way in order to satisfy XSS security prevention?

I understood that with CJavaScript I could pass a variable from PHP to JS, meaning I can read a PHP cookie, give its value to a JS variable and then use it. However, if I want to modify its value... as accordion and treeview are managed by JS, how can I write it while keeping HttpOnly set to true?

You can't write a cookie to be usable in JavaScript if HttpOnly is true.

Technically you can, thanks to CJavaScript::encode().

But my problem was more to collect information about my accordion state and then write a cookie the PHP way.

The problem is, as I use jQuery widgets like treeview or accordions, I have to keep in mind which accordion is open or how the treeview is collapsed in order to restore these states if the page refreshes. So would you have an idea to combine keeping these widget states on one side and getting cookie security on the other side?

I don't know why I used "XSS" in my topic title, because it's different =(

Hi

You can have an adapter function which takes values from JS objects and uses AJAX to send a request, and PHP can set the cookies for you. You can have some interval that saves in the backend; in the meantime you can operate the objects as they are.

In order to read already saved cookies, you might like to read the cookies as soon as the document is ready.

For instance, look at the following code to see if it makes sense (I just wrote it and didn't test it, but it is just to get the idea):

    var DEFT = window.DEFT || {};

    DEFT.cookies = {
        // Local mirror of the values. Page script only ever touches this
        // object, never document.cookie, so the real cookie can stay HttpOnly.
        cookies: {},

        // Load the values the server already saved for us.
        getCookies: function () {
            $.getJSON('/getCookies', function (data) {
                $.each(data, function (key, value) {
                    DEFT.cookies.set(key, value);
                });
            });
        },

        // Periodically push the local values; the PHP action sets the cookie.
        sendCookies: function () {
            setInterval(function () {
                // best is to use the POST method
                $.ajax({
                    url: '/saveCookies',
                    dataType: 'json',
                    type: 'post',
                    data: $.param(DEFT.cookies.cookies),
                    success: function (data) {
                        if (!data.success) {
                            alert('oh dear!');
                        }
                    }
                });
            }, 5000);
        },

        init: function () {
            DEFT.cookies.getCookies();
            DEFT.cookies.sendCookies();
        },

        get: function (key) {
            if (typeof DEFT.cookies.cookies[key] !== 'undefined') {
                return DEFT.cookies.cookies[key];
            }
            return false;
        },

        set: function (key, value) {
            DEFT.cookies.cookies[key] = value;
            return true;
        }
    };

    // read the saved cookies as soon as the document is ready
    $(function () {
        DEFT.cookies.init();
    });

    // after your set-cookie function, perhaps
    DEFT.cookies.set('somekey', [
        {'value': 'batra'},
        {'time': 3000}
    ]);
    DEFT.cookies.get('somekey');
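As an added example, not code from the thread or from Yii: the adapter pattern the last reply describes, written as plain JavaScript with both halves in one file so it runs stand-alone under Node. The endpoint names, the cookie name `widget_state`, the size budget and the key/value whitelist are assumptions for the demo; in the real application the server half is the PHP actions behind /getCookies and /saveCookies. The point of the split is that only the server ever writes the cookie, so it can carry HttpOnly, and page script only holds an in-memory copy. The sanitizer is there because both the POSTed body and the cookie coming back are attacker-controllable input: it keeps only small scalar values under plain keys and drops prototype-polluting keys such as `__proto__`, so a tampered cookie cannot change the shape of the object the server or the page works with. Note that widget state itself is not a secret; what HttpOnly really protects is the session cookie, and this pattern keeps that protection while still persisting UI state.

```javascript
// Constructed example: names, limits and endpoint shapes are assumptions.
const COOKIE_NAME = 'widget_state';        // assumed cookie name
const MAX_COOKIE_VALUE_BYTES = 3500;       // stay under the ~4 KB per-cookie limit
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Keep only flat key/value pairs a widget legitimately produces
// (e.g. "accordion1.open": 2 or "treeview.node7.collapsed": true).
// Rejects prototype-polluting keys, odd key characters and oversized values.
function sanitizeState(input) {
  const clean = Object.create(null);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) return clean;
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key) || !/^[A-Za-z0-9_.-]{1,64}$/.test(key)) continue;
    const value = input[key];
    const ok = typeof value === 'boolean'
      || (typeof value === 'number' && Number.isFinite(value))
      || (typeof value === 'string' && value.length <= 128);
    if (ok) clean[key] = value;
  }
  return clean;
}

// Server side of /saveCookies (JS here so the demo runs stand-alone; PHP in Yii).
// The server is the only party that writes the cookie, so it sets HttpOnly:
// page script can never read it back through document.cookie.
function buildSetCookieHeader(postedState) {
  const value = encodeURIComponent(JSON.stringify(sanitizeState(postedState)));
  if (value.length > MAX_COOKIE_VALUE_BYTES) {
    throw new RangeError('widget state exceeds cookie size budget');
  }
  return `${COOKIE_NAME}=${value}; Path=/; HttpOnly; SameSite=Lax`;
}

// Server side of /getCookies: parse the request's Cookie header and return the
// saved state. A missing or malformed cookie yields an empty state, never an error.
function readStateFromCookieHeader(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    try {
      return sanitizeState(JSON.parse(decodeURIComponent(part.slice(eq + 1).trim())));
    } catch (e) {
      return Object.create(null);
    }
  }
  return Object.create(null);
}

// Client side: the adapter. Widgets write into an in-memory map; flush() sends
// a snapshot through the injected `send` callback (in a page: POST /saveCookies)
// only when something changed; load() seeds the map from what /getCookies returns.
function createStateAdapter(send) {
  const state = Object.create(null);
  let dirty = false;
  return {
    load(data) { Object.assign(state, sanitizeState(data)); },
    get(key) { return key in state ? state[key] : undefined; },
    set(key, value) {
      const cleaned = sanitizeState({ [key]: value });
      if (!(key in cleaned)) return false;          // rejected key or value
      if (state[key] !== cleaned[key]) { state[key] = cleaned[key]; dirty = true; }
      return true;
    },
    flush() {
      if (!dirty) return false;
      dirty = false;
      send(Object.assign({}, state));
      return true;
    },
    // Periodic sync as in the reply; returns the timer so callers can clearInterval it.
    start(intervalMs) { return setInterval(() => this.flush(), intervalMs); },
  };
}

// Full round trip: the page posts its state, the server answers with Set-Cookie,
// the browser sends that cookie back untouched on the next request, and
// /getCookies hands the state to the page again.
function roundTrip() {
  let setCookie = null;
  const adapter = createStateAdapter((posted) => { setCookie = buildSetCookieHeader(posted); });
  adapter.set('accordion1.open', 2);
  adapter.set('treeview.node7.collapsed', true);
  adapter.set('__proto__', { polluted: true });    // dropped by sanitizeState
  adapter.flush();
  const cookiePair = setCookie.split(';')[0];        // "widget_state=%7B...%7D"
  const restored = readStateFromCookieHeader(`PHPSESSID=abc123; ${cookiePair}`);
  return { setCookie, restored };
}
```

The `send` callback is injected so the adapter can be exercised without a network; in a page it would be the `$.ajax` POST from the reply, and the timer returned by `start()` is what the reply's `setInterval` does.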