Cookies and secure pages?


  • Cookies and secure pages?

    Has anyone had any luck using cookies on their 3Dcart sites? I can get them to work just fine until a secure page is loaded (https). Once that happens the cookie no longer functions and won't work again until it is cleared.

    Here is an example of the cookie I am using:
    Code:
    <script type="text/javascript">
    // Returns 1 if "mycookie" already exists; otherwise sets it for 14 days and returns 0.
    function mycookie() {
      var ca = document.cookie.split(';');
      for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        // Strip leading spaces left by the "; " separator.
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf("mycookie=") == 0) return 1;
      }
      var date = new Date();
      var days = 14;
      date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
      // toUTCString() replaces the deprecated toGMTString().
      document.cookie = "mycookie=1; expires=" + date.toUTCString() + "; path=/";
      return 0;
    }

    if (mycookie() == 0) {
      document.write('There is no cookie.');
    } else {
      document.write('A cookie has been set.');
    }
    </script>
    Thoughts anyone might have would be greatly appreciated.
    Nick

  • #2
    It has more to do with the protocol than it does with the cookies themselves.

    Because the cookie was created in a vulnerable state (http) and the server is now working within the secure context (https) the cookie is ignored and thus no longer applies. Within the context of https, you'll have to handle your cookies separately.

    I might be wrong, and if I am, someone please correct me, but I don't think you can read an http cookie's data within https, so it would be difficult to pass data from one context to the other. Maybe try a query string instead?


    • #3
      Originally posted by jleclair
      I don't think you can read an http cookie's data within https?
      No, you are correct, https usually can't read a cookie created in http... however, it should create a new cookie. And more importantly, if you return to the http that cookie should still function.

      I'm not even necessarily trying to pass a http cookie on a https page. What is happening is I will write and read a cookie on page A (http) and then go to page B (https) and come back to page A and the cookie no longer registers.

      Also something I just noticed: when a secure page is loaded, the cookie's expiration date is overwritten to "At end of session".

      I am now wondering if this "issue" will be resolved once we are on our actual domain and not on .3dcartstores.com ...?


      • #4
        Originally posted by nickc12
        No, you are correct, https usually can't read a cookie created in http... however, it should create a new cookie. And more importantly, if you return to the http that cookie should still function.

        I'm not even necessarily trying to pass a http cookie on a https page. What is happening is I will write and read a cookie on page A (http) and then go to page B (https) and come back to page A and the cookie no longer registers.

        Also something I just noticed: when a secure page is loaded, the cookie's expiration date is overwritten to "At end of session".

        I am now wondering if this "issue" will be resolved once we are on our actual domain and not on .3dcartstores.com ...?
        It won't matter when you get on your domain. It's been this way for months. The cookies we use worked fine up until about 8 months ago and something changed. Doesn't matter how you write the cookie. Once you go to secure it's useless.


        • #5
          I have been troubleshooting cookies recently. Apparent erratic behavior is beginning to make sense to me, but I welcome further insight.

          HTTPonly (HTTP cookie - Wikipedia, the free encyclopedia) cookies were a new area for me. It looks like 3dcart began setting all cookies as httponly in January of 2013 (http://forums.3dcart.com/announcemen...s-5-1-1-a.html).

          I have noticed that my cookies are set as accessible to scripts (desired behavior) when I am not logged in to the Online Store Manager. But if I am logged into the Store Manager (which is https) and use the "View Store" link to go to my site, at that point my cookies are set as inaccessible to scripts (httponly). Consequently, under these circumstances my javascripts cannot read the cookies and the scripts fail to perform correctly.

          Nickc12, perhaps testing your cookies (a) when logged into the Store Manager and (b) when logged out of the Store Manager and anything else that might trigger https might provide a clue.
          - Chuck

          PoshPineappleNSB.com
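
As an added example (not code from any poster in this thread or from 3dcart): a small JavaScript helper that takes a Set-Cookie header, as copied from the browser's network tools, and reports whether page scripts can read that cookie and whether it is a session cookie, the two symptoms described in posts #3 and #5. The function names and the sample headers are constructed for illustration.

```javascript
// Added example. Classifies a Set-Cookie header by what document.cookie
// would be allowed to see. It does not check whether an Expires date
// is already in the past.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    persistent: false, // true only when Expires or Max-Age is present
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

// pageProtocol is the value of location.protocol: 'http:' or 'https:'.
function scriptAccess(header, pageProtocol) {
  const c = parseSetCookie(header);
  let readable = true;
  let reason = 'readable via document.cookie';
  if (c.httpOnly) {
    readable = false;
    reason = 'HttpOnly: hidden from document.cookie on every page';
  } else if (c.secure && pageProtocol !== 'https:') {
    readable = false;
    reason = 'Secure: not exposed to http pages';
  }
  const lifetime = c.persistent ? 'persistent' : 'session';
  return { name: c.name, readable, reason, lifetime };
}

// Constructed sample headers (not captured from any real store).
const samples = [
  'mycookie=1; expires=Wed, 01 Jan 2030 00:00:00 GMT; path=/',
  'mycookie=1; path=/; HttpOnly',
  'mycookie=1; path=/; Secure; Max-Age=1209600',
];
for (const h of samples) {
  for (const proto of ['http:', 'https:']) {
    console.log(proto, JSON.stringify(scriptAccess(h, proto)));
  }
}
```

A server response that re-sets a cookie with the same name, domain and path replaces the one a script wrote, so a header like the second sample would leave the script's cookie both unreadable and session-only.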
