Trying to understand cookies during POST request - session

How does the browser send cookies back to the server during POST requests? How is this different from the form data that is sent during a POST?
Also, are the values of cookies for a particular domain automatically sent back to the domain in all its subsequent requests?
Thanks,
Murtaza

There is no difference between how cookies are sent for GET and POST requests.
Form data is data such as fields from an HTML form, e.g. name, username, file, etc.
Any cookies sent back in a response from a domain will be sent back to the server in subsequent requests. This is true in web browsers at least, if you are doing this in code, you might have to write additional code to handle cookies.
This should work for AJAX calls made by your browser as well as full pages. Every request, be it full pages, images or AJAX calls will have the Cookies attached if they are going to an appropriate domain and path.
These primers on cookies and HTTP POST would be useful:
http://en.wikipedia.org/wiki/HTTP_cookie
http://en.wikipedia.org/wiki/POST_(HTTP)
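As an added illustration of the answer above (example code, not from the post), here is a minimal cookie jar that picks which stored cookies belong on a request using the browser's domain, path and Secure rules from RFC 6265, and then builds a raw POST so the Cookie header and the form body can be seen side by side. The jar contents, host names and form fields are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str               # host that set it, or its Domain attribute
    path: str = "/"
    host_only: bool = True    # no Domain attribute: exact host match only
    secure: bool = False      # Secure attribute: only sent over https

def domain_matches(cookie: StoredCookie, host: str) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    # Domain=example.com also matches every subdomain of example.com
    return host == cookie.domain or host.endswith("." + cookie.domain)

def path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 path-match: equal, prefix ending in "/", or prefix followed by "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_for(jar: list, scheme: str, host: str, path: str) -> list:
    """The subset of the jar the browser attaches to this request (GET or POST alike)."""
    return [c for c in jar if domain_matches(c, host) and path_matches(c.path, path)
            and (scheme == "https" or not c.secure)]

def build_post(jar: list, scheme: str, host: str, path: str, form: dict) -> str:
    """Raw request text: cookies travel in the Cookie header, form fields in the body."""
    body = urlencode(form)
    lines = [f"POST {path} HTTP/1.1", f"Host: {host}",
             "Content-Type: application/x-www-form-urlencoded",
             f"Content-Length: {len(body)}"]
    sent = cookies_for(jar, scheme, host, path)
    if sent:
        lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in sent))
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Constructed sample jar: a host-only cookie, a Domain cookie scoped to /app, a Secure cookie
JAR = [
    StoredCookie("sid", "abc123", "www.example.com"),
    StoredCookie("lang", "en", "example.com", "/app", host_only=False),
    StoredCookie("tok", "s3cret", "example.com", "/", host_only=False, secure=True),
]

if __name__ == "__main__":
    print(build_post(JAR, "http", "www.example.com", "/app/login", {"username": "murtaza"}))
```

Note that the Secure cookie is left out over plain http and the /app cookie is not sent to /application, while the form fields never appear in the Cookie header at all.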

Related

Does caching interfere when the server responds with cookies to a GET request?

I have a resource (an html web page, but it could be anything else like json/xml describing a book) and retrieve it with a GET request:
http://127.0.0.1/welcome
This resource is in Japanese (because kawai desu). Now, I do a GET request on this resource, asking server for another language:
http://127.0.0.1/welcome?lang=en
So the server responds with the English version of the resource. But from now on, since I called ?lang=en, I want to set the default language of the user in a cookie. So the server adds a cookie to its response:
Cookie: language=en
The browser now has the language=en cookie. Then I ask for the resource without GET parameters and the server delivers the English version because the browser sent the Cookie: language=en request header:
http://127.0.0.1/welcome
Returns the English version.
These queries look like retrieving (a resource with a cookie), idempotent (doesn't change a bit when sent several times) and safe (no server modification) queries to me: am I right to use GET requests even if they involve cookies?
Two GET requests have the same URI http://127.0.0.1/welcome but different results: how does caching (browser and proxy) handle this?
GET response for http://127.0.0.1/welcome?lang=en could be cached too: will (proxy/CDN, browser) cached responses include the language=en cookie (so user language for the website switches to en)?
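The following added example (not part of the question, and not an answer from the thread) models the exact scenario above with a toy shared cache: one that keys on the URL alone, and one that honours the origin's Vary: Cookie header and refuses to store responses carrying Set-Cookie. The origin server, users and language strings are constructed for the example.

```python
from typing import Dict, Tuple

def origin(path: str, query: str, cookie: str) -> Tuple[dict, str]:
    """Constructed origin: ?lang=en switches to English and sets the cookie;
    otherwise the language cookie, if any, decides. Always answers Vary: Cookie."""
    lang = cookie.split("=", 1)[1] if cookie.startswith("language=") else "ja"
    headers = {"Vary": "Cookie"}
    if query == "lang=en":
        lang = "en"
        headers["Set-Cookie"] = "language=en"
    return headers, f"{path} in {lang}"

class Cache:
    """Toy shared cache. honour_vary=False models a cache keyed on the URL alone."""
    def __init__(self, honour_vary: bool):
        self.honour_vary = honour_vary
        self.store: Dict[tuple, Tuple[dict, str]] = {}
        self.origin_hits = 0

    def get(self, path: str, query: str, cookie: str) -> Tuple[dict, str]:
        # A variant stored for this exact Cookie value wins, then a cookie-agnostic one
        for key in ((path, query, cookie), (path, query, None)):
            if key in self.store:
                return self.store[key]
        self.origin_hits += 1
        headers, body = origin(path, query, cookie)
        if self.honour_vary and "Set-Cookie" in headers:
            return headers, body          # user-specific response: never store it
        varies = self.honour_vary and headers.get("Vary") == "Cookie"
        self.store[(path, query, cookie if varies else None)] = (headers, body)
        return headers, body

def scenario(honour_vary: bool) -> Tuple[list, int]:
    """User A (no cookie) visits, user B switches to English, both come back."""
    cache = Cache(honour_vary)
    seen = [cache.get("/welcome", "", "")[1]]                      # A: Japanese
    hdrs, body = cache.get("/welcome", "lang=en", "")              # B: asks for en
    seen += [hdrs.get("Set-Cookie", "-"), body]
    seen.append(cache.get("/welcome", "", "language=en")[1])       # B: sends cookie
    seen.append(cache.get("/welcome", "", "")[1])                  # A again
    return seen, cache.origin_hits
```

With the URL-only cache, user B's cookie-bearing request for /welcome is answered with A's cached Japanese page, and the Set-Cookie response for ?lang=en is stored and replayed to everyone; the Vary-aware cache keeps one variant per Cookie value and goes back to the origin for the cookie-setting response.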

How can AJAX validate user?

When the user is on the page you can use the session or cookies to check who he is.
But when AJAX is used, for example for sending an answer, the sending page has no contact with the user. How can it check whether it is a real registered user, or just a spambot sending this by headers?
What is the common practice for AJAX user validation?
AJAX requests contain the same cookies as regular requests. Besides that you can send any arguments like session IDs with the AJAX request.
Actually, for the server it makes absolutely no difference if a request is made through an XmlHttpRequest object or not. Most frameworks add an X-Requested-With: XMLHttpRequest header though but that's completely optional.
So, whatever means you use to pass your session data, simply ensure it's also available to the script called with your AJAX request:
If you have a session id passed via GET/POST, include it in your request's arguments.
If cookies are needed, ensure they are sent to the file. If it's in the same folder as the current file or a descendant of it you are usually safe. If it's on another (sub-)domain you might get problems - not only with cookies but also with cross-domain AJAX, which usually isn't allowed due to the same-origin policy browsers have.

Can an AJAX response set a cookie?

Can an AJAX response set a cookie? If not, what is my alternative solution? Should I set it with Javascript or something similar?
According to the w3 spec section 4.6.3 for XMLHttpRequest a user agent should honor the Set-Cookie header. So the answer is yes you should be able to.
Quotation: "If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie response header, and sent in the Cookie header) as applicable."
Yes, you can set a cookie in the AJAX request in the server-side code just as you'd do for a normal request, since the server cannot differentiate between a normal request and an AJAX request.
AJAX requests are just a special way of requesting to server, the server will need to respond back as in any HTTP request. In the response of the request you can add cookies.
For the record, be advised that all of the above is (still) true only if the AJAX call is made on the same domain. If you're looking into setting cookies on another domain using AJAX, you're opening a totally different can of worms. Reading cross-domain cookies does work, however (or at least the server serves them; whether your client's UA allows your code to access them is, again, a different topic; as of 2014 they do).
Also check that your server isn't setting secure cookies on a non-HTTPS request. Just found out that my AJAX request was getting a PHP session with "secure" set. Because I was not on https it was not sending back the session cookie and my session was getting reset on each AJAX request.
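One added example (not from either thread) that ties together the two AJAX questions above, "How can AJAX validate user?" and "Can an AJAX response set a cookie?": a tiny server-side session layer that identifies the caller from the Cookie header alone, for page loads and XMLHttpRequest calls alike, plus a browser stand-in that replays the Set-Cookie value and withholds a Secure cookie over plain http, reproducing the session-reset pitfall in the last answer. The cookie name PHPSESSID, the user name and the in-memory session store are constructed assumptions.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS: dict = {}                 # session id -> user name (constructed in-memory store)

def issue_session(user: str, secure: bool) -> tuple:
    """Create a session and return (sid, Set-Cookie header value) for the login response."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    attrs = "Path=/; HttpOnly; SameSite=Lax" + ("; Secure" if secure else "")
    return sid, f"PHPSESSID={sid}; {attrs}"

def current_user(request_headers: dict):
    """Identify the caller from the Cookie header alone, for page loads and AJAX alike.
    X-Requested-With is optional and client-controlled, so it is never consulted."""
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    morsel = jar.get("PHPSESSID")
    return SESSIONS.get(morsel.value) if morsel else None

class BrowserStub:
    """Stores Set-Cookie values and replays them, honouring the Secure attribute."""
    def __init__(self, scheme: str):
        self.scheme, self.cookies = scheme, {}

    def receive(self, set_cookie: str) -> None:
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, m in parsed.items():
            self.cookies[name] = (m.value, bool(m["secure"]))

    def headers(self) -> dict:
        # A Secure cookie is withheld on plain http: the pitfall from the last answer
        sendable = [f"{n}={v}" for n, (v, sec) in self.cookies.items()
                    if self.scheme == "https" or not sec]
        return {"Cookie": "; ".join(sendable), "X-Requested-With": "XMLHttpRequest"}

def login_then_ajax(scheme: str, secure_cookie: bool) -> list:
    """Log in over `scheme`, then make two AJAX calls; return the user seen on each."""
    browser = BrowserStub(scheme)
    _, set_cookie = issue_session("murtaza", secure_cookie)
    browser.receive(set_cookie)
    return [current_user(browser.headers()) for _ in range(2)]
```

Over https the Secure session cookie comes back on every AJAX call; over http the same cookie is never sent, so each call looks like an anonymous visitor and the server would start a fresh session.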

How do you inspect your own session hash when visiting a website?

I am interested to see what people are storing in my session and cookies when I visit websites. Is there any way to see what's in there between request and when I'm on pages in Safari, Chrome, or Firefox?
In Firefox you can use, among others, Firebug to check the cookies being sent back and forth. Check the Net panel for complete request and response headers. The cookies are present as the Set-Cookie response header whenever the session starts and as the Cookie request header on all subsequent requests in the same session.
Here's a screenshot of the transferred headers when requesting this topic:
(note that I removed the user cookie value from the screenshot, else someone else would be able to copy it and login as myself)
You cannot check in the client side in any way what's been stored in the server side session since that's usually not exposed in the cookie values. Only the session identifier is stored as cookie value. You can at highest make some guesses based on the behaviour of the website across the requests.

When using AJAX should you do everything through AJAX or is it OK to use headers too?

I know when you request a page normally it is typically the case that you would use server side session data and set cookies via HTTP headers, but does it work the same when the content is requested via AJAX?
An AJAX request contains the same request/response information as a traditional HTTP request. You can set cookies on the client once the async callback is executed, etc.