Question

I'm new to setting cookie values through JavaScript and my knowledge of both is basic, although I'm comfortable with tweaking jQuery.

In summary, I'm working on a web site which must display a cookie policy by law.

We have a third-party solution that will pop up a jQuery-controlled div container with a message and a couple of buttons: 'remind me later' and 'settings'. If the user clicks settings they can then 'save and close' or change the security level, and the popup will disappear.

We have tweaked this third party solution and added an 'accept' button whereby the user can just acknowledge the 'default' cookie settings and continue using the site.

So far so good!

We know that this third-party solution is writing to a cookie with the following basic values:

Cookie name: wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_= true;

If this value is set to true then the popup message prompting to change cookie settings will not display again until the cookie expires.

The problem is the cookie name has a colon ( : ) in its name, and when we parse the cookie name via JavaScript, it creates a cookie with the name:

wsjnudge_javascript%253AjQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_

So the colon ( : ) is being replaced with %253A

We have written a bit of jQuery / JavaScript code to set the value of this cookie and attempt to encode the colon:

First by setting a var:

var acceptCookieEncode = encodeURIComponent("wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_");

And then by having a click function to write to the cookie and close the popup:

jQuery(document).on('click', '.continue', function () {
    // write the (URL-encoded) cookie name with value 'true', valid for a year
    jQuery.cookie(acceptCookieEncode, 'true', { expires: 365 });
    // close the popup
    jQuery('#wsjnudge').remove();
});

So, in summary, the close function is working, but the cookie name is incorrect because of the colon, so in effect we are creating and setting the value of the wrong cookie name.

I understand that I might have to use base64 but I have absolutely no idea how I would implement this, and evidently I am not correctly using encodeURIComponent() to parse the URI correctly.

I apologize if the formatting of this message is incorrect. First-time poster, but regular user of StackOverflow, and thanks in advance for any help.

Dan.


Solution

Cookies do not have a standard escaping mechanism. The ; character, for example, simply cannot be used in a cookie at all; unlike with URL-encoding or HTML-encoding there is no scheme that will allow a character taken directly from a cookie to represent a semicolon.

So what people tend to do is ad-hoc encoding - they encode the cookie with some arbitrary form of encoding, and decode it again after pulling it back out. URL-encoding, which is what encodeURIComponent() does, is the most popular ad-hoc encoding method, but still not one you can expect tools to use unconditionally.

The jQuery cookie plugin adopts this form of encoding, and calls encodeURIComponent() for you on the cookie name and value. So if you pass the name wsjnudge_javascript:jQuery... to it, the cookie you'll be setting will have the real name wsjnudge_javascript%3AjQuery. When you call encodeURIComponent() yourself on top of that as in your example code, the output you will get is double-encoded: wsjnudge_javascript%253AjQuery....

Presumably neither of these names is any use to the third-party code you are using, which is probably looking for the cookie with the real name wsjnudge_javascript:jQuery.... You cannot set this cookie with the jQuery cookie plugin because of its built-in non-cookie-standard URL-encoding. You can set it directly in JavaScript, e.g.:

document.cookie= 'wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_= true';

though either way note that you may need to add some parameters to that to match whatever the third-party code is using; if the path and domain parameters don't match then you can end up with two copies of the same cookie.

In theory, according to RFC 6265 which is the nearest thing we have to a standard for cookies, it shouldn't be allowable to include a colon in a cookie name without surrounding the name in double quotes. However, in practice browsers (that I've tested) do allow it, and don't treat the double quotes as anything special - so the real cookie name in that case would end up containing double quotes, which wouldn't be recognised by the third-party script.

Putting colons in cookie names is somewhat inadvisable because of this, but that is presumably part of the third-party script so you're stuck with it. The cookie name in general is very weird and I'm worried that it appears to contain executable JavaScript code.

I can't tell if this is really what's happening without the third-party source code, but if the third-party script does indeed extract that JavaScript code from the cookie name and execute it with eval() then that's a really bad idea. Apart from the grievous ugliness, it would allow anyone who could inject a cookie into your domain (eg from a vulnerable related-domain) to escalate that cookie injection into a full-blown cross-site-scripting vulnerability.

It depends on what your site does and what user data/interactions it has whether you're worried about that kind of attack. Personally I would be uncomfortable with doing that on one of my sites...
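The encoding layers described in the answer, as an added example that is not part of the question or the answer: it reproduces the single and double URL-encoding of the cookie name, checks which characters make the name non-standard under RFC 6265, and builds and parses the raw `document.cookie` string without the plugin. The helpers (`pluginEncodedName`, `buildSetCookie`, `parseCookies` and so on) are assumed names written for this example, and the cookie header string is constructed; the functions are pure so they run under Node without a browser `document`.

```javascript
// Cookie name taken from the question (the part before "= true").
const RAW_NAME = "wsjnudge_javascript:jQuery_ws.jpecrJs.display(jQuery.ws.jpecrJs())_";

// Mimics what the jQuery cookie plugin does internally: it URL-encodes the
// name once, so ':' becomes '%3A' while '(' ')' '.' '_' are left alone.
function pluginEncodedName(name) {
  return encodeURIComponent(name);
}

// What the question's code produced: the caller already URL-encoded the name,
// then the plugin encoded it again, turning '%3A' into '%253A'.
function doubleEncodedName(name) {
  return pluginEncodedName(encodeURIComponent(name));
}

// RFC 6265 says a cookie-name is a "token": no control characters and none of
// the separators listed in the class below. Returns the offending characters
// (deduplicated, in order of first appearance) so the reader can see why the
// name above is non-standard even though browsers accept it.
function nonTokenChars(name) {
  const separators = /[\u0000-\u0020\u007f()<>@,;:\\"\/\[\]?={}]/g;
  return Array.from(new Set(name.match(separators) || []));
}

// Builds the string to assign to document.cookie with the raw, unencoded name,
// which is what the third-party script is presumably reading. ';' and '=' in
// the value would break the name=value pair, so they are rejected.
function buildSetCookie(name, value, opts = {}) {
  if (/[;=]/.test(value)) throw new Error("value must not contain ';' or '='");
  let s = `${name}=${value}`;
  if (opts.path) s += `; path=${opts.path}`;
  if (opts.domain) s += `; domain=${opts.domain}`;
  if (opts.maxAge !== undefined) s += `; max-age=${opts.maxAge}`;
  return s;
}

// Parses a document.cookie string ("a=1; b=2") into an object, keeping names
// raw so a colon in the name is matched as-is, not as '%3A' or '%253A'.
function parseCookies(cookieString) {
  const cookies = {};
  for (const pair of cookieString.split("; ")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    cookies[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return cookies;
}
```

In a browser the accept handler would do `document.cookie = buildSetCookie(RAW_NAME, "true", { path: "/", maxAge: 365 * 24 * 3600 })`, with `path`/`domain` chosen to match what the third-party script sets.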

Licensed under: CC-BY-SA with attribution