Unable to access cookie anymore

  1. #1
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172

    Unable to access cookie anymore

    Ok, I've never seen a problem like this before and have no idea what I need to do to fix it.

    A friend of mine has a web page that has a list of products and next to them has two check boxes. One is a compare and the other is add to shopping cart. When you hit the compare check box a cookie gets filled with all of the ones you checked just fine. Even if you uncheck something, it correctly removes it from the cookie. You can also browse to another page, check other compare check boxes, browse back to the previous page and you are still just fine. All of those cookie entries are done browser-side with JS and work just fine.

    Well, once you choose to check out with whatever items you have, a call gets made to the server and the server changes the cookie to include a little info on what the items in your cart are. All is fine and dandy except if you decide you want to go back and compare or add/remove items from the cart. Client side can't access the cookie anymore and change anything.

    From everything I've heard, you should be able to access the cookie from anything as long as it's the same site that originally made the cookie, which it is.

    Any ideas?

    ps: I'm heading out the door so this was a little rushed, if you need any more explanation or code snippets, let me know. Thanks!
    I believe in making the world safe for our children, but not our children's children, because I don't think children should be having sex. -- Jack Handey

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    So..
    -Client goes to site and creates cookie based on selection
    -Server reads cookie and generates a page depending on the users selection
    -Client reads cookie again and now it does work right?

    Maybe try having the server set the cookie again so it reads the cookie, displays the information, then sets the same cookie that was on the client in the first place. Maybe that is an easy work around?

  3. #3
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    What is the session cookie expiry set to? Maybe up the expiry so that you can go back and forth.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    It sounds as if the problem is server side as it is apparently locking the cookie prematurely.

    In theory it should do this when it has confirmed the payment instructions (Credit Card?).

    I don't know how it is supposed to work but I have certainly seen systems where you go to the payment screen and cannot return. You either pay or start over.

    I would guess that this is by design. You tell it you want to check out and it takes you at your word and locks the cookie. Perhaps you should look at inserting a confirmation/warning screen at this point?

    Is all of this taking place over a secure link or does checking out take you to the secure link?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    Quote Originally Posted by oofki
    So..
    -Client goes to site and creates cookie based on selection
    -Server reads cookie and generates a page depending on the users selection
    -Client reads cookie again and now it does work right?

    Maybe try having the server set the cookie again so it reads the cookie, displays the information, then sets the same cookie that was on the client in the first place. Maybe that is an easy work around?
    Basically, once the cookie is changed and accessed by the server, the client can no longer edit it. From everything I've read it should be able to, no problem. Also, the reason that the site is doing most of the cookie work client side is for caching purposes.

    The cookie expiration isn't the problem either. It has plenty of time set.

    Nihil, yes, the idea is that the cookie should be locked after payment instructions (securely). The cookie gets locked even before the payment method. It's in the checkout page where it shows you what you put in your cart and either tells you to log in to pay or shows you payment methods for you to choose from. It would, for security reasons, make sense that the cookie gets locked after the server made changes and not allow the client to change it anymore for obvious reasons. I haven't found any articles yet to back that up but I'm still looking.
    I believe in making the world safe for our children, but not our children's children, because I don't think children should be having sex. -- Jack Handey

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi mungyun,

    Sorry, I forgot to ask: is this a bespoke/home grown application, or is it off the shelf?

    This is a simple applications logic problem as far as I can see. If it is a COTS application I would look at the manual and the settings options. If not then you will need to alter the process logic to suit your requirement.

    It seems reasonable to me that once you have chosen a payment method then the cart should be locked. As soon as you leave the mall and go to the payment page that should also lock it.

    My advice: check the program logic documentation and data flow diagrams. You might even get mileage out of the data dictionary as I presume the system sets flags? Of course you do use a structured design development and documentation methodology?..........don't you?

    I think that it might be a good idea to walk through the whole business process logic?

    To be honest I don't see what the problem is........... if people have enough brains to shop on line, they have the brains to know when to close their trolley? Then all they have to do is accept and pay, or cancel the whole transaction.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
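
Added example, not part of any post in the thread: the thread never establishes the cause, but when a server rewrites a cookie, the attributes on its Set-Cookie header (HttpOnly, Secure, Path, Domain) decide whether page script can still see it through document.cookie. The function names, the shop.example URLs and the header strings are constructed for illustration.

```javascript
// Constructed diagnostic: given the Set-Cookie header the server sent, the URL it
// was sent from, and the page whose script reads document.cookie, list the
// attribute-level reasons that script cannot see (or overwrite) the cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              path: null, domain: null, httpOnly: false, secure: false };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    switch (k.trim().toLowerCase()) {
      case 'path': c.path = v.trim(); break;
      case 'domain': c.domain = v.trim().replace(/^\./, '').toLowerCase(); break;
      case 'httponly': c.httpOnly = true; break;
      case 'secure': c.secure = true; break;
    }
  }
  return c;
}

// RFC 6265 default-path: directory of the URL that set the cookie.
function defaultPath(pathname) {
  if (!pathname.startsWith('/') || pathname.lastIndexOf('/') === 0) return '/';
  return pathname.slice(0, pathname.lastIndexOf('/'));
}

// RFC 6265 path-match: equal, or a prefix that ends on a '/' boundary.
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
         (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

function whyScriptCannotSee(header, setUrl, pageUrl) {
  const c = parseSetCookie(header), set = new URL(setUrl), page = new URL(pageUrl);
  const reasons = [];
  if (c.httpOnly) reasons.push('HttpOnly');
  if (c.secure && page.protocol !== 'https:') reasons.push('Secure on non-HTTPS page');
  const path = c.path && c.path.startsWith('/') ? c.path : defaultPath(set.pathname);
  if (!pathMatches(path, page.pathname))
    reasons.push(`Path ${path} does not cover ${page.pathname}`);
  const host = page.hostname;
  const domainOk = c.domain ? (host === c.domain || host.endsWith('.' + c.domain))
                            : host === set.hostname; // no Domain attribute: host-only
  if (!domainOk) reasons.push('Domain mismatch');
  return reasons;
}
```

An empty result means the attributes alone do not hide the cookie from the page; a script that then writes the same name with a different Path or Domain creates a second cookie instead of changing the server's one.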
