asfman
android developer

Cookies

Privacy filters on proxies

The page referenced from section 4.4 of the FAQ describes a generally sound strategy for using cookies but suffers from an additional issue relating to "privacy" filters employed by content inserting/re-writing proxies.

The problem is that some of these filters identify the character sequence "cookie" within JavaScript source code and replace it with an alternative string. In one occurrence of this problem, described in a c.l.j. thread, ZoneAlarm replaced "cookie" with "ignore", and Proxomitron has a similar filter available (but not active) by default.

The effect of changing occurrences of document.cookie into document.ignore within source code is that attempts to write to the property just result in a new string property being assigned to the document object, and no cookie is created. Reading from the property returns that same string, or an undefined value if nothing has yet been written to the property.

The problem with the irt.org code is that the Get_Cookie and Set_Cookie functions are written without considering that document.cookie may not refer to a string.

Get_Cookie will error if "cookie" has been replaced with "ignore" because it treats the document.cookie value as if it were a string. Changing that one function so that it does not attempt to read document.cookie when the value is not a string may prevent the error, but would still undermine the strategy used.

However, the problem can be completely avoided by wrapping the content of the Get_Cookie and Set_Cookie functions in typeof tests and only executing the rest of the function if typeof returns "string".

function Get_Cookie(name) {
    if(typeof document.cookie == "string"){
        var start = document.cookie.indexOf(name+"=");
        var len = start+name.length+1;
        if ((!start)&&
            (name != document.cookie.substring(0,name.length))){
               return null;
           }
        if (start == -1) return null;
        var end = document.cookie.indexOf(";",len);
        if (end == -1) end = document.cookie.length;
        return unescape(document.cookie.substring(len,end));
    }else{
        /* document.cookie is not a string so return an
           empty string. When tested this will type-convert to
           boolean false (accurately) giving the impression that
           client-side cookies are not available on this system:-
        */
        return "";
    }
}

function Set_Cookie(name,value,expires,path,domain,secure) {
    if(typeof document.cookie == "string"){
        document.cookie = name + "=" +escape(value) +
            ( (expires) ? ";expires=" + expires.toGMTString() : "") +
            ( (path) ? ";path=" + path : "") +
            ( (domain) ? ";domain=" + domain : "") +
            ( (secure) ? ";secure" : "");
    }//else document.cookie is not a string so do not write to it.
}

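function Delete_Cookie(name,path,domain) {
    /* Get_Cookie returns "" (false) when document.cookie is not a
       string, so no write is attempted in that case:-
    */
    if (Get_Cookie(name)) {
        document.cookie = name + "=" +
            ( (path) ? ";path=" + path : "") +
            ( (domain) ? ";domain=" + domain : "") +
            ";expires=Thu, 01-Jan-70 00:00:01 GMT";
    }
}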

Cookie reading and writing is unlikely to be done sufficiently often that the extra overhead of the tests will impact on the performance of the resulting script.
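
The failure mode described above can be reproduced offline. This is an added example, not part of the FAQ notes or the irt.org code: a constructed page script is compiled once as written and once with every "cookie" rewritten to "ignore", against a stub document. The names PAGE_SCRIPT, makeDocument, load, demo and the read/write helpers are hypothetical; the last two cases show why guarding only the reader is not enough.

```javascript
// Constructed page script: cookie helpers with and without the typeof test.
const PAGE_SCRIPT = `
  function parse(jar, name) {
    var start = jar.indexOf(name + "=");
    if (start == -1) return null;
    var len = start + name.length + 1, end = jar.indexOf(";", len);
    return unescape(jar.substring(len, end == -1 ? jar.length : end));
  }
  function readUnguarded(name) { return parse(document.cookie, name); }
  function writeUnguarded(name, value) { document.cookie = name + "=" + escape(value); }
  function readGuarded(name) {
    return typeof document.cookie == "string" ? parse(document.cookie, name) : "";
  }
  function writeGuarded(name, value) {
    if (typeof document.cookie == "string") writeUnguarded(name, value);
  }
  return { readUnguarded, writeUnguarded, readGuarded, writeGuarded };
`;

// Stand-in for a browser document: assigning to .cookie adds a pair to the jar.
function makeDocument() {
  const jar = [];
  return {
    get cookie() { return jar.join("; "); },
    set cookie(pair) { jar.push(pair.split(";")[0]); }
  };
}
// Compile the script against doc; filtered=true applies the simulated proxy rewrite.
function load(doc, filtered) {
  const src = filtered ? PAGE_SCRIPT.replace(/cookie/g, "ignore") : PAGE_SCRIPT;
  return new Function("document", src)(doc);
}

function demo() {
  const out = {};
  let doc = makeDocument(), page = load(doc, false);
  page.writeGuarded("sid", "abc 123");
  out.unfiltered = page.readGuarded("sid");          // normal round trip
  doc = makeDocument(); page = load(doc, true);
  try { page.readUnguarded("sid"); out.unguardedRead = "ok"; }
  catch (e) { out.unguardedRead = e.name; }          // the property is undefined
  out.guardedRead = page.readGuarded("sid");
  page.writeUnguarded("sid", "abc 123");             // only the reader is guarded
  out.readerOnly = page.readGuarded("sid");          // string expando reads back
  out.jarAfterWrite = doc.cookie;                    // but no cookie was stored
  doc = makeDocument(); page = load(doc, true);
  page.writeGuarded("sid", "abc 123");               // both functions guarded
  out.bothGuarded = page.readGuarded("sid");
  return out;
}
```

With only the reader guarded, the script sees its own value read back and concludes cookies work, although the jar is empty; with both guarded it consistently reports cookies as unavailable.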

comp.lang.javascript FAQ notes T.O.C.

posted on 2006-06-14 00:51 汪杰

FeedBack:
# re: Cookies(http://jibbering.com/faq/)
2006-06-14 08:42 | 汪杰
When numbers are converted to boolean, zero becomes false and all other numbers are true, with the exception of the special numeric value NaN (Not a Number), which is used when another type is converted to a number but that conversion does not result in a meaningful number. NaN is always false. The values of positive and negative infinity, while not finite numbers, are non-zero numeric values and always type-convert to boolean true.

# re: Cookies(http://jibbering.com/faq/)
2006-06-14 08:42 | 汪杰
Type conversion rules are even simpler for string to boolean conversion as all non-empty strings always become true and empty strings become false.
