Why doesn't document.cookie show all the cookie for the site?
Tags: Javascript, Cookies
Javascript Problem Overview
I go to a forum which uses vBulletin 3.8. When I log in, I use firebug to see what cookies were set. I see these cookies:
> __utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit
They all had a value set, and the domain was identical.
But when I use JavaScript to view them, it only saw these cookies:
> __utmb, __utmc, __utma, __utmz, vbseo_loggedin, bblastactivity, bblastvisit
In Firebug, I see that only these three cookies, bbsessionhash, bbpassword and bbuserid, have HTTPOnly set in the HTTPOnly column. What does it mean, and is that the reason I can't see those cookies in JavaScript using document.cookie?
Javascript Solutions
Solution 1 - Javascript
From http://en.wikipedia.org/wiki/HTTP_cookie:
> Cookies are not directly visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly`:
>
>     Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly
>
> When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. <s>The `HttpOnly` flag is not part of any standard, and is not implemented in all browsers.</s>
Update from 2017: a lot of time has passed since 2009, and the HttpOnly flag has become a standard, defined in section 5.2.6 of RFC 6265, with the storage semantics described in the same document (look for "http-only-flag" throughout the RFC text).
There is no way to access anything about HttpOnly cookies from "non-HTTP" APIs, e.g. JavaScript. By design, neither reading nor writing such cookies is possible.
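To make that storage rule concrete, here is an added example (not code from the original answer or from vBulletin) that models in JavaScript how a browser applies the http-only-flag when a page script reads `document.cookie`. The `Set-Cookie` lines and their values are constructed to mirror the cookie names listed in the question.

```javascript
// Minimal model of the RFC 6265 http-only-flag: parse Set-Cookie response
// headers, then compute what a page script would see in document.cookie
// and which cookies are withheld from it entirely.

function parseSetCookie(header) {
  // Split the name=value pair from its attributes (expires values contain
  // no ';', so a plain split is safe for the headers modelled here).
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
  };
  for (const attr of attrs) {
    // RFC 6265 matches attribute names case-insensitively, so "httponly"
    // and "HttpOnly" both set the flag.
    if (attr.toLowerCase() === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// What document.cookie returns: only cookies without the http-only flag,
// joined as "name=value; name=value" (attributes are never exposed).
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names a script cannot observe at all: neither readable nor writable.
function hiddenCookieNames(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample response headers; the values are placeholders, not
// real vBulletin output.
const SAMPLE_SET_COOKIE = [
  "bbsessionhash=SAMPLEHASH; path=/; domain=.example.net; HttpOnly",
  "bbpassword=SAMPLEPWHASH; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; HttpOnly",
  "bbuserid=12345; path=/; httponly",
  "bblastvisit=1262303999; path=/",
  "vbseo_loggedin=yes; path=/",
];
```

Running `scriptVisibleCookies(SAMPLE_SET_COOKIE)` yields only the two non-HttpOnly cookies, while `hiddenCookieNames` returns the three session-related names the question could not see.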