Asp Forum - Difference between client and server side cookie

bit-naughty

3/12/2016 1:38:00 PM

Is there any difference between the 2, as in one set by JS on the browser side, and one set in PHP code running on the server? They both result in exactly the same thing happening, right? (ie. for PHP the required data just travels over HTTP to the browser, which then does whatever?)
If, for example I set "x=3" in a cookie in JS, can I then set "x=4" in PHP on the server side? Or even just check what "x" is? How?

Thanks for your help.

34 Answers

Evertjan.

3/12/2016 2:02:00 PM

bit-naughty@hotmail.com wrote on 12 Mar 2016 in comp.lang.javascript:

> Is there any difference between the 2, as in one set by JS on the
> browser side, and one set in PHP code running on the server? They both
> result in exactly the same thing happening, right? (ie. for PHP the
> required data just travels over HTTP to the browser, which then does
> whatever?) If, for example I set "x=3" in a cookie in JS, can I then set
> "x=4" in PHP on the server side? Or even just check what "x" is? How?

Cookies are ALWAYS stored in clientside memory [= "on the browser"].

Cookies are key/value pairs used to store state informations on the browser.
Say you have a website (example.com), when the browser requests a webpage
the website can send cookies to store informations on the browser.

Cookies can be set by serverside code, such as ASP-Jscript, ASP-vbscript or
PHP, by setting a HTTP headers. Cookies can also be set by clienside
[Javascript] code.

Serverside session-variables are sometimes erroneously and foolishly called
"serverside cookies". They are stored on the server.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Stefan Weiss

3/12/2016 3:20:00 PM

On 03/12/2016 14:38, bit-naughty@hotmail.com wrote:
> Is there any difference between the 2, as in one set by JS on the
> browser side, and one set in PHP code running on the server? They both
> result in exactly the same thing happening, right? (ie. for PHP the
> required data just travels over HTTP to the browser, which then does
> whatever?)

Normally, there is no difference. You can read and set cookies on the
server and on the client (with JS).
The situation changes when the cookie set by the server uses the
HttpOnly flag. If the browser supports this extension (and all major
browsers do), they will not let scripting languages read or change the
value of that cookie. See example below.

> If, for example I set "x=3" in a cookie in JS, can I then set "x=4"
> in PHP on the server side? Or even just check what "x" is? How?

Server-side code (PHP):

setcookie("one", "1");
setcookie("two", "2", 0, "", "", false, true); // HttpOnly
setcookie("three", "3");

HTTP response header:

Set-Cookie: one=1
Set-Cookie: two=2; httponly
Set-Cookie: three=3

Client (JS):

console.log(document.cookie); // "one=1; three=3"

document.cookie = "one=11";
console.log(document.cookie); // "one=11; three=3"

document.cookie = "two=22";
console.log(document.cookie); // "one=11; three=3" (!!)

document.cookie = "three=33";
console.log(document.cookie); // "one=11; three=33"

Next HTTP request header:

Cookie: one=11; two=2; three=33

Server-side code (PHP):

var_export($_COOKIE);

// array (
// 'one' => '11',
// 'two' => '2',
// 'three' => '33',
// )

Note that the client was unable to see or modify the value of the "two"
cookie because it was protected by the HttpOnly flag.

- stefan

Evertjan.

3/12/2016 10:32:00 PM

Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
comp.lang.javascript:

> Normally, there is no difference. You can read and set cookies on the
> server and on the client (with JS).

There are no cookies "on the server".

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Aleksandro

3/12/2016 11:23:00 PM

On 12/03/16 19:32, Evertjan. wrote:
> Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
> comp.lang.javascript:
>
>> Normally, there is no difference. You can read and set cookies on the
>> server and on the client (with JS).
>
> There are no cookies "on the server".

There are while I am taking care of a request that sent them.

Evertjan.

3/13/2016 9:49:00 AM

Aleksandro <aleksandro@gmx.com> wrote on 13 Mar 2016 in
comp.lang.javascript:

> On 12/03/16 19:32, Evertjan. wrote:
>> Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
>> comp.lang.javascript:
>>
>>> Normally, there is no difference. You can read and set cookies on the
>>> server and on the client (with JS).
>>
>> There are no cookies "on the server".
>
> There are while I am taking care of a request that sent them.

Take care, that is nonsense.

I even don't understand your sentense.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Ben Bacarisse

3/13/2016 10:43:00 AM

"Evertjan." <exxjxw.hannivoort@inter.nl.net> writes:

> Aleksandro <aleksandro@gmx.com> wrote on 13 Mar 2016 in
> comp.lang.javascript:
>
>> On 12/03/16 19:32, Evertjan. wrote:
>>> Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
>>> comp.lang.javascript:
>>>
>>>> Normally, there is no difference. You can read and set cookies on the
>>>> server and on the client (with JS).
>>>
>>> There are no cookies "on the server".
>>
>> There are while I am taking care of a request that sent them.
>
> Take care, that is nonsense.
>
> I even don't understand your sentense.

He's saying that there are sometimes cookies "on the server" --
specifically they are sent there every time a client makes a request for
which a cookie is relevant. Where are they while the server is using
them if not "on the server"? It's a small point, but it's not wrong.

--
Ben.

Evertjan.

3/13/2016 11:05:00 AM

Ben Bacarisse <ben.usenet@bsb.me.uk> wrote on 13 Mar 2016 in
comp.lang.javascript:

> "Evertjan." <exxjxw.hannivoort@inter.nl.net> writes:
>
>> Aleksandro <aleksandro@gmx.com> wrote on 13 Mar 2016 in
>> comp.lang.javascript:
>>
>>> On 12/03/16 19:32, Evertjan. wrote:
>>>> Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
>>>> comp.lang.javascript:
>>>>
>>>>> Normally, there is no difference. You can read and set cookies on the
>>>>> server and on the client (with JS).
>>>>
>>>> There are no cookies "on the server".
>>>
>>> There are while I am taking care of a request that sent them.
>>
>> Take care, that is nonsense.
>>
>> I even don't understand your sentense.
>
> He's saying that there are sometimes cookies "on the server" --
> specifically they are sent there every time a client makes a request for
> which a cookie is relevant. Where are they while the server is using
> them if not "on the server"? It's a small point, but it's not wrong.

No, not "are", cookies only exist where they are stored, and they are stored
only in client/browser memory.

A request for setting a cookie or a response on reading a cookie is not a
cookie, as then the key/value-combination can and will even be on an
intermediate internet server or in your router memory for a moment, but I
consider that not "are" in the sense of "existing".

<% session.cookie("myKey") = "myvalue"; %> [ASP-Jscript]

IS NOT a cookie, but a serverside command to set the http-header for making
a cookie in the browser. The cookie only comes into existence whn it is
created by the browser in it's memory.

> Where are they while the server is using
> them if not "on the server"?

No, the server is using ONLY the content of the cookie, the key/value pair.

If the value of a cookie is 2, multiplying that value with 3 is not
multiplying the cookie with 3.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Ben Bacarisse

3/13/2016 11:47:00 AM

"Evertjan." <exxjxw.hannivoort@inter.nl.net> writes:

> Ben Bacarisse <ben.usenet@bsb.me.uk> wrote on 13 Mar 2016 in
> comp.lang.javascript:
>
>> "Evertjan." <exxjxw.hannivoort@inter.nl.net> writes:
>>
>>> Aleksandro <aleksandro@gmx.com> wrote on 13 Mar 2016 in
>>> comp.lang.javascript:
>>>
>>>> On 12/03/16 19:32, Evertjan. wrote:
>>>>> Stefan Weiss <krewecherl@gmail.com> wrote on 12 Mar 2016 in
>>>>> comp.lang.javascript:
>>>>>
>>>>>> Normally, there is no difference. You can read and set cookies on the
>>>>>> server and on the client (with JS).
>>>>>
>>>>> There are no cookies "on the server".
>>>>
>>>> There are while I am taking care of a request that sent them.
>>>
>>> Take care, that is nonsense.
>>>
>>> I even don't understand your sentense.
>>
>> He's saying that there are sometimes cookies "on the server" --
>> specifically they are sent there every time a client makes a request for
>> which a cookie is relevant. Where are they while the server is using
>> them if not "on the server"? It's a small point, but it's not wrong.
>
> No, not "are", cookies only exist where they are stored, and they are stored
> only in client/browser memory.

The data are stored in both places. You are in fact stipulating that
it's not a cookie (in your terms) either in transit or when it is stored
on the server.

> A request for setting a cookie or a response on reading a cookie is not a
> cookie, as then the key/value-combination can and will even be on an
> intermediate internet server or in your router memory for a moment, but I
> consider that not "are" in the sense of "existing".

OK. That's one point of view but then you can't say things like "a
cookie is sent to the server in the HTTP request header". The cookie
ceases to be a cookie once in transmission. I think that just
complicates the way have to talk about these things.

<snip>
>> Where are they while the server is using
>> them if not "on the server"?
>
> No, the server is using ONLY the content of the cookie, the key/value
> pair.

I think that's unnecessarily fussy and does not match the usage in the
RFCs. They refer to "sending cookies" and the one specifically about
cookies defines them as a name/value pairs that are passed to the user
agent and returned to the server.

<snip>
--
Ben.

Thomas 'PointedEars' Lahn

3/13/2016 12:46:00 PM

Ben Bacarisse wrote:

> He's saying that there are sometimes cookies "on the server" --
> specifically they are sent there every time a client makes a request for
> which a cookie is relevant.

In fact, only cookie *names* and *values* are sent with every HTTP request
that applies to their â??domainâ?, â??pathâ? and â??secureâ? attributes, unless they
have expired (as specified by the â??expiresâ? attribute in a former HTTP
response header â??Set-Cookieâ? field value or in the value assigned to the
document.cookie property).

> Where are they while the server is using them if not "on the server"?

Still stored on the client machine. Cookies are data (stored in local
files) only whose *names* and *values* are incorporated into a HTTP request
header â??Cookieâ? field value.

> It's a small point, but it's not wrong.

Yes, it is.

<https://en.wikipedia.org/wiki/HTTP_cookie#Implemen...

--
PointedEars
FAQ: <http://PointedEars.... | SVN: <http://PointedEars.de...
Twitter: @PointedEars2 | ES Matrix: <http://PointedEars.de/es-...
Please do not cc me. / Bitte keine Kopien per E-Mail.

bit-naughty

3/13/2016 2:07:00 PM

Evertjan is right.

comp.lang.javascript

Difference between client and server side cookie

bit-naughty

Evertjan.

Stefan Weiss

Evertjan.

Aleksandro

Evertjan.

Ben Bacarisse

Evertjan.

Ben Bacarisse

Thomas 'PointedEars' Lahn

bit-naughty

x Login to ForumsZone