Just what does it actually do when a user disables cookies?


Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Postby Archgeek » Mon Mar 10, 2014 3:25 pm UTC

I'm wondering if cookies can still be used server-side, for various odd reasons, when the client-side browser has them disabled. Does disabling cookies only cause client-side scripts to refuse to set and read cookies, while the server can do as it sees fit, or does it also prevent cookies set by the server from being sent back in the client requests?
(I'm trying to see if some redirect tomfoolery can return its result to a previous page sans $_GET for all browsers and settings.)

All elucidation appreciated!
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

thoughtfully
Posts: 2244
Joined: Thu Nov 01, 2007 12:25 am UTC
Location: Minneapolis, MN

Re: Just what does it actually do when a user disables cooki

Postby thoughtfully » Mon Mar 10, 2014 4:39 pm UTC

I don't think server-side cookies are a thing, at least not distinctly from any other state it could be storing server-side. Disabling cookies in your client just stops the client from accepting/storing cookies from the server. The server can still keep track of you by IP address and user agent strings, for instance.

The server can always do "as it sees fit" on the server side. Cookies are a special case where client cooperation is required. Bad Netscape! :)
Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
-- Antoine de Saint-Exupery

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Mon Mar 10, 2014 5:25 pm UTC

Is client cooperation absolutely required, though? Say in some odd case where we don't want to start a session but need to carry some information across a page redirect, will a cookie set in PHP be available a few requests later if the client has cookies disabled?
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

PeteP
What the peck?
Posts: 1451
Joined: Tue Aug 23, 2011 4:51 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby PeteP » Mon Mar 10, 2014 5:39 pm UTC

Archgeek wrote: Is client cooperation absolutely required, though? Say in some odd case where we don't want to start a session but need to carry some information across a page redirect, will a cookie set in PHP be available a few requests later if the client has cookies disabled?

No, cookies set in PHP are normal cookies; cookies are saved client-side, making client cooperation absolutely required (if there isn't some bug).
If you cause the redirect and if the destination is another page you control, you can just append data to the URL itself.

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Mon Mar 10, 2014 6:56 pm UTC

Ah, so if PHP sends a cookie in the request and the client doesn't have them enabled or supported, it just won't send it back on the next request, then? That's about what I was starting to suspect.
But if the page wants to redirect to another page with a piece of information that's not a session variable and also not show the user the information in the URL, it should be able to set a cookie for the target page PHP to read before serving it up to the client, correct?
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

korona
Posts: 495
Joined: Sun Jul 04, 2010 8:40 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby korona » Mon Mar 10, 2014 7:15 pm UTC

Cookies (and also session variables) require client cooperation. There is no way to memorize data between two HTTP requests without client cooperation.

Xeio
Friends, Faidites, Countrymen
Posts: 5091
Joined: Wed Jul 25, 2007 11:12 am UTC
Location: C:\Users\Xeio\

Re: Just what does it actually do when a user disables cooki

Postby Xeio » Mon Mar 10, 2014 7:23 pm UTC

korona wrote: Cookies (and also session variables) require client cooperation. There is no way to memorize data between two HTTP requests without client cooperation.

Well, it's not impossible. But it can be difficult or unreliable, and I'd doubt any framework really supports it by default.

The server could try to track you by IP, or user string. But then this breaks down when you have multiple users coming from the same IP and other similar issues.

An interesting demonstration of this: https://panopticlick.eff.org

korona
Posts: 495
Joined: Sun Jul 04, 2010 8:40 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby korona » Mon Mar 10, 2014 7:37 pm UTC

You can disable JavaScript, install a browser plugin that randomizes your user agent and redirect your traffic through randomly chosen proxies. There are a lot of things that must be taken care of but it is not possible to trace your requests in general.

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Mon Mar 10, 2014 7:54 pm UTC

Well that's just plain interesting. I'm going to have to check out that link with a few configurations...it seems legacy systems are amusingly unique.

However, I'm not worried about privacy concerns here--I'm operating from the server side and trying to figure out if I can redirect from an index page to another page that grabs or generates some information, and have the page deliver that information across a redirect back to the index page via a cookie. I've got it working by shoving it in the URL, but I'd rather the user not be able to bookmark said piece of information.

(I'm using twisted sorceries to determine if the user has JavaScript enabled--solely to provide a more useful error message if a certain condition comes up (the condition is JavaScript agnostic, but the solution proffered in the error message is gentler if JS is enabled)--in such a way as to not get in their way, or trip up another module by POSTing with JS on the index page, and if they bookmark index.php?JSsupport=1, that could present a problem, for them.)
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

PeteP
What the peck?
Posts: 1451
Joined: Tue Aug 23, 2011 4:51 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby PeteP » Mon Mar 10, 2014 7:58 pm UTC

Edit: Ninjad but don't want to rewrite

Archgeek wrote: Ah, so if PHP sends a cookie in the request and the client doesn't have them enabled or supported, it just won't send it back on the next request, then? That's about what I was starting to suspect.
But if the page wants to redirect to another page with a piece of information that's not a session variable and also not show the user the information in the URL, it should be able to set a cookie for the target page PHP to read before serving it up to the client, correct?

If it goes directly to the target PHP page then it isn't a cookie. HTTP is a stateless protocol; different requests are independent, and cookies are set during such a request. Cookies are an option to save data on the user side, which gets sent by the user with every request to the same site. If you don't want the user to read the data in the URL, you can just add a number to the URL which is uniquely associated with the data saved on the server side, but then you can just use sessions. If the data isn't secret but you don't want it in the URL, well, you could do something weird like putting it in an invisible form on the first page and redirecting by sending it with JS. Or you could try recognizing the request by looking at other information, like Xeio said.

You seem to want to do something specific? I recommend just asking for recommendations on how to do that, since if the user doesn't accept cookies you simply cannot use them.

Edit: Yeah I suggest just passing along a session id, it doesn't matter that much if they bookmark the link with the session id, since the session will probably be over when they use a bookmark.
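
PeteP's suggestion of a number in the URL that maps to data held on the server, sketched as an added example (not code from the thread). It assumes a single-use token with a short lifetime, so a bookmarked URL redeems nothing; `issue_token`, `redeem_token`, the `t` parameter, the TTL and the array used as a store are hypothetical.

```php
<?php
// Added example, not code from the thread. The store is a plain array standing
// in for whatever the server persists between requests (file, database, cache).

const TOKEN_TTL = 30; // seconds a token stays redeemable (assumed value)

// Save $value server-side and return an opaque token to put in the redirect URL.
function issue_token(array &$store, string $value, int $now): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, not guessable
    $store[$token] = ['value' => $value, 'expires' => $now + TOKEN_TTL];
    return $token;
}

// Return the saved value once, or null for unknown, reused or expired tokens.
function redeem_token(array &$store, string $token, int $now): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token) || !isset($store[$token])) {
        return null;
    }
    $entry = $store[$token];
    unset($store[$token]); // single use: a bookmarked URL redeems nothing
    return $now <= $entry['expires'] ? $entry['value'] : null;
}

// Constructed walk-through of the redirect, with a fixed clock for repeatability.
$store = [];
$now = 1394480000;
$token = issue_token($store, 'js=1', $now);
$location = '/index.php?t=' . $token; // value for the Location header

parse_str((string) parse_url($location, PHP_URL_QUERY), $query);
var_dump(redeem_token($store, $query['t'], $now + 2));       // first arrival
var_dump(redeem_token($store, $query['t'], $now + 3));       // bookmark or replay
$late = issue_token($store, 'js=1', $now);
var_dump(redeem_token($store, $late, $now + TOKEN_TTL + 1)); // arrives after expiry
var_dump(redeem_token($store, 'JSsupport=1', $now));         // not a token at all
```

Only the first arrival gets the value back; the URL shows the user an opaque token rather than the information itself.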

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Mon Mar 10, 2014 10:17 pm UTC

Okay, this is getting plain weird. 'Not sure if it's due to PHP or IE8 (blugh), but a test hack indicates the cookie does come through ...but only if it is set to true. The redirect in question is of the header(location:) sort, so there is another request happening...I think, and all cookies are set to blocked, so this is a bit odd.

I sure wish I could just use a session variable, but I've been told that we explicitly don't want to start any sessions until after the check module has exited and we're back on the index page.
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

Thesh
Made to Fuck Dinosaurs
Posts: 5534
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Just what does it actually do when a user disables cooki

Postby Thesh » Tue Mar 11, 2014 1:24 am UTC

Xeio wrote: Well, it's not impossible. But it can be difficult or unreliable, and I'd doubt any framework really supports it by default.


There are cookieless tracking systems available that track via query string instead of cookies. Basically, every link on the page gets your session id appended. You can lose session just by removing the querystring from the URL, of course.

ASP.NET also uses a similar system with post data, via the View State.
Honesty replaced by greed, they gave us the reason to fight and bleed
They try to torch our faith and hope, spit at our presence and detest our goals

Xanthir
My HERO!!!
Posts: 5228
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Just what does it actually do when a user disables cooki

Postby Xanthir » Thu Mar 13, 2014 4:47 am UTC

Archgeek wrote: I'm wondering if cookies can still be used server-side, for various odd reasons, when the client-side browser has them disabled. Does disabling cookies only cause client-side scripts to refuse to set and read cookies, while the server can do as it sees fit, or does it also prevent cookies set by the server from being sent back in the client requests?
(I'm trying to see if some redirect tomfoolery can return its result to a previous page sans $_GET for all browsers and settings.)

Your server sees cookies if and only if the browser sends them with its request. If the user has disabled cookies, that most likely means that you can't store any, and none will be sent with requests.

The browser can't prevent you from sending cookie headers in your response, but it can of course simply ignore them.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))
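
The round trip described in the post above, as an added simulation that is not part of the original thread: one stateless handler plays the server, and a minimal client either stores the `Set-Cookie` header or ignores it. The names `handle` and `browse`, the `probe` cookie and the `probed` parameter are hypothetical.

```php
<?php
// Added example: a simulated exchange, runnable from the command line.

// Server side: called once per request, with no memory between calls.
function handle(array $query, array $cookies): array
{
    if (!isset($query['probed'])) {
        // First request: offer a cookie and redirect back to the same page.
        return [
            'status'  => 302,
            'headers' => ['Set-Cookie' => 'probe=1; Path=/; HttpOnly',
                          'Location'   => '/index.php?probed=1'],
            'body'    => '',
        ];
    }
    // Second request: the only evidence is what the client chose to send.
    $seen = isset($cookies['probe']);
    return ['status' => 200, 'headers' => [],
            'body' => $seen ? 'cookie returned' : 'no cookie in request'];
}

// Client side: a minimal browser that either stores Set-Cookie or ignores it.
function browse(bool $acceptCookies): string
{
    $jar = [];
    $query = [];
    for ($hop = 0; $hop < 5; $hop++) {
        $response = handle($query, $jar);
        if ($acceptCookies && isset($response['headers']['Set-Cookie'])) {
            // Keep only the name=value pair, as a browser's cookie jar would.
            $pair = explode(';', $response['headers']['Set-Cookie'])[0];
            [$name, $value] = explode('=', $pair, 2);
            $jar[$name] = $value;
        }
        if ($response['status'] !== 302) {
            return $response['body'];
        }
        // Follow the redirect: the next request carries the new query string.
        $next = (string) parse_url($response['headers']['Location'], PHP_URL_QUERY);
        parse_str($next, $query);
    }
    return 'too many redirects';
}

echo 'cookies enabled:  ', browse(true), PHP_EOL;
echo 'cookies disabled: ', browse(false), PHP_EOL;
```

The server sends the same `Set-Cookie` header to both clients; the two runs differ only in what the second request carries.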

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby WarDaft » Tue Jun 24, 2014 1:58 pm UTC

Thesh wrote:
Xeio wrote: Well, it's not impossible. But it can be difficult or unreliable, and I'd doubt any framework really supports it by default.


There are cookieless tracking systems available that track via query string instead of cookies. Basically, every link on the page gets your session id appended. You can lose session just by removing the querystring from the URL, of course.

ASP.NET also uses a similar system with post data, via the View State.

You could jump straight off the deep end and make every means of navigating your site a form POST submission styled to look less obvious, and encode everything the button should do and the session id together into one hidden 'action' field and then encrypt it. It'd be impossible to strip the tracking from it without the user rendering the site non-functional.

Of course, the easy way to make a site non-functional if users don't want to be tracked is to just make it non-functional if users don't want to be tracked.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

Xanthir
My HERO!!!
Posts: 5228
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Just what does it actually do when a user disables cooki

Postby Xanthir » Tue Jun 24, 2014 3:36 pm UTC

Your suggestion breaks the back button anyway, making it pretty non-functional. ^_^
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby WarDaft » Tue Jun 24, 2014 3:47 pm UTC

Uh, how exactly? Hidden value field named 'action' (or whatever you want) if the quotes didn't make that clear, not the action of the form, which you can make whatever you want and won't break back button functionality...
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

Xanthir
My HERO!!!
Posts: 5228
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Just what does it actually do when a user disables cooki

Postby Xanthir » Tue Jun 24, 2014 5:22 pm UTC

Browsers will give you warning messages when you go back to the result of a post.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Just what does it actually do when a user disables cooki

Postby WarDaft » Wed Jun 25, 2014 4:05 am UTC

I just mocked up a very (very very) quick test and it doesn't seem to warn for going back with hidden post values, just refresh, but I only checked Chrome, Firefox (which didn't even prompt for refresh of non user entered post data), and IE for browsing local files because I don't have a server installed on my laptop. Going 'back' here for this very post didn't trigger any prompts and it has user entered data.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

Thesh
Made to Fuck Dinosaurs
Posts: 5534
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Just what does it actually do when a user disables cooki

Postby Thesh » Wed Jun 25, 2014 5:16 am UTC

If you do a redirect after the post, you won't get a warning, however the page you redirect to won't have access to the post data.
Honesty replaced by greed, they gave us the reason to fight and bleed
They try to torch our faith and hope, spit at our presence and detest our goals

AndyG314
Posts: 99
Joined: Mon Feb 11, 2008 5:16 pm UTC
Location: Waltham MA

Re: Just what does it actually do when a user disables cooki

Postby AndyG314 » Fri Oct 24, 2014 5:50 pm UTC

thoughtfully wrote: I don't think server-side cookies are a thing, at least not distinctly from any other state it could be storing server-side. Disabling cookies in your client just stops the client from accepting/storing cookies from the server. The server can still keep track of you by IP address and user agent strings, for instance.

A cookie is data used by the server stored on the client, a server side cookie is essentially an oxymoron, it's just data at that point.

thoughtfully wrote: The server can always do "as it sees fit" on the server side. Cookies are a special case where client cooperation is required. Bad Netscape! :)

Cookies are in general a pretty elegant solution, and quite useful. Somebody found a way to use them for evil, but that doesn't make the underlying a bad one. There are lots of ways to track you that don't involve cookies. In fact cookie tracking is fairly easy to defeat.
If it's dead, you killed it.

thoughtfully
Posts: 2244
Joined: Thu Nov 01, 2007 12:25 am UTC
Location: Minneapolis, MN

Re: Just what does it actually do when a user disables cooki

Postby thoughtfully » Fri Oct 24, 2014 6:35 pm UTC

Frames are very useful, too, but they break the model. Breaking the model isn't necessarily bad, but it is inviting surprises down the line that might not be so pleasant.

The web started out as a stateless system. It's very analogous to adding state to a functional programming language. Yuck!

But yeah, when push comes to shove, I guess I still want some state around, because it's so practical. Just not pretty.
Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
-- Antoine de Saint-Exupery

osroot
Posts: 26
Joined: Fri Aug 22, 2014 1:09 am UTC
Location: Germany, near Hamburg

Re: Just what does it actually do when a user disables cooki

Postby osroot » Mon Nov 10, 2014 6:25 pm UTC

Maybe it is too obvious, or I didn't understand your goal:

If you have Indexpage and a script that packs information and you want that information on the indexpage.
Why don't you include the information-script in the index-page per 'include' or 'require' ?

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Thu Nov 20, 2014 3:30 pm UTC

That won't work out because the script in question is JavaScript, which is client-side, and the index page server-side in PHP. I need to get the answer to "is JS enabled?" sent from the client to the server. I could do this using AJAX, but I needed that information in a PHP class that's already run. So I have to redirect elsewhere, write a script to the page that submits a form telling the server JS is working and redirects back to the original page. I need to keep that information intact across the redirect, and I think I wound up using POST or tucking it questionably in SESSION (questionable because the script needing to do all this is a cross-tab session manager).
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

chridd
Has a vermicelli title
Posts: 779
Joined: Tue Aug 19, 2008 10:07 am UTC
Location: ...Earth, I guess?

Re: Just what does it actually do when a user disables cooki

Postby chridd » Sat Nov 29, 2014 8:08 pm UTC

Archgeek wrote: (I'm using twisted sorceries to determine if the user has JavaScript enabled--solely to provide a more useful error message if a certain condition comes up (the condition is JavaScript agnostic, but the solution proffered in the error message is gentler if JS is enabled)--in such a way as to not get in their way, or trip up another module by POSTing with JS on the index page, and if they bookmark index.php?JSsupport=1, that could present a problem, for them.)

...can't you just detect JavaScript on the error message page?

In particular, have the server send the non-JavaScript-enabled error message always, and then have a script on the error page change it to the JavaScript-enabled error message.
~ chri d. d. /tʃɹɪ.di.di/ (Phonotactics, schmphonotactics) · they (for now, at least) · Forum game scores
mittfh wrote:I wish this post was very quotable...
flicky1991 wrote:In both cases the quote is "I'm being quoted too much!"

Xanthir
My HERO!!!
Posts: 5228
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Just what does it actually do when a user disables cooki

Postby Xanthir » Mon Dec 01, 2014 1:58 am UTC

Yeah, progressive enhancement is really always the way to go with these kinds of things.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

Archgeek
Posts: 128
Joined: Wed May 02, 2007 6:00 am UTC
Location: Central US

Re: Just what does it actually do when a user disables cooki

Postby Archgeek » Tue Dec 02, 2014 5:16 pm UTC

chridd wrote: ...can't you just detect JavaScript on the error message page?

In particular, have the server send the non-JavaScript-enabled error message always, and then have a script on the error page change it to the JavaScript-enabled error message.

Ooof, now there's an idea. There is no error page as the error is in a built-in css whozzitz another PHP class injects, but conditionally injecting a little script to change the message in the whoozzitz iff JS is in play...that makes sense. I'll have to try that if the project ever comes back out of mothballs. Thank you very much. I'd say I don't know why I didn't think of that myself, but the answer is that I didn't know the might of JS DOM manipulation then, and so wouldn't (and indeed didn't) think of that. Funny how causality works.
"That big tube down the side was officially called a "systems tunnel", which is aerospace contractor speak for "big tube down the side."

