ansaurus

Question

Answer 1

+1 A:

Try setting a value on the server, and reading it on the client. If cookies are enabled, you should be able to read the same value. If not, they are disabled. Note that the site might have httpOnly enabled.

Marius 2010-02-18 11:04:02

server side detection is the most reliable way

Dapeng 2010-03-02 11:19:36

Answer 2

+8 A:

In XHTML documents, there is no document.cookie at all (up to Firefox 2 or forever on if you send the document as application/xml). I had to learn painfully, that it can be set on document, however:

document.cookie = "foo";

This is valid JS, and the browser shrugs its shoulders and sets the property cookie of the variable document. But the special magic to transform this in an HTTP header doesn't get called.

To put it in a nutshell: No, you can't be sure, that the absence of document.cookie is always identical with disabled cookies, and vice versa.

Boldewyn 2010-02-18 11:04:45

Obviously, it also relies on JavaScript being turned on. The user could have left cookies turned on, but turned off JavaScript.

Paul D. Waite 2010-02-23 13:18:46

@Paul: The question implies JS is on, or not? Otherwise the code is also not reliable if the client computer is turned off.

initall 2010-02-23 13:26:50

I didn’t read that implication from the question. It asked if using the JavaScript code in question was “reliable”. JavaScript being on is a secondary concern, but that’s why I added this point as a comment to what I thought was the best answer, and put the word “Obviously” at the start. (If the client computer is turned off, it doesn’t matter whether cookies are enabled or not. If JavaScript is turned off, presumably it still does.)

Paul D. Waite 2010-02-23 15:30:47

I don't see this behaviour on my XHTML page. I tried |javascript:alert(document.cookie);| and |javascript:alert(document.cookie = 'foo=bar');| in Firefox 3.0 and later. No problems at all. Can you elaborate?

janmoesen 2010-03-01 10:50:32

@janmoesen: Seems they have fixed this one on XHTML documents (to prove that I wasn't phantasizing: http://simonwillison.net/2003/Jul/3/accessingCookies/ ). It was there in FF2. However, it stays valid, because you can also serve documents as `application/xml` (perhaps together with some in-browser XSLT or stuff) and then you have the same problem again.

Boldewyn 2010-03-01 11:49:49

Answer 3

A:

Not reliable at all. If you're using PHP, session variables are more effective - even when cookies are turned off on the client side.

stillstanding 2010-02-23 13:09:53

Why should this be the case? Be more specific. If Cookies are turned off and your session management relies on cookies, both methods fail. You're able to check for cookie acceptance both in PHP and JS with the PHP advantage of being always processed, independant from JS availability.

initall 2010-02-23 13:15:26

PHP automatically alters the URL so it contains the PHPSESSID when cookies are disabled. Besides, if a paranoid user has cookies disabled, chances are Javascript is also disabled, so what's the use of the document.cookie test and alert reply then?Might as well do the checking on the server side. If Javascript is enabled, try setting the cookie (within JS) and submit a form first before testing.

stillstanding 2010-02-23 13:30:06

@rockjock: Only in the stone age of PHP up to 4.1.2, see http://de.php.net/manual/en/session.configuration.php#ini.session.use-trans-sid - The "use" was not the question if you already rely on JS.

initall 2010-02-23 13:35:41

Answer 4

+3 A:

The only reliable way to me in this scenario (check if cookies are disabled, you don't mind about the javascript issues, and need a client-side solution) is to use a set function for a test cookie, then a get function to read it back. If the test cookie can't be read back, cookies are off.

You can write your own implementation of it reading a great resource from quirksmode, use a jQuery plugin or an out-of-box solution.

GmonC 2010-02-28 03:21:16

Answer 5

A:

var gotCookie = (navigator.cookieEnabled) ? true : false;

if(typeof navigator.cookieEnabled == 'undefined' && !gotCookie) {
    document.cookie = 'test';
    gotCookie       = (document.cookie.indexOf('test') != -1) ? true : false;
    }

if gotCookie == true, then you've gotCookie :)

note: when there's no cookie set, document.cookie seems to be unavailable even if cookie is enabled in the browser. that's why we set it with document.cookie = 'test', then check it on the next line. of course, assuming that js is enabled.

widyakumara 2010-03-01 07:26:07

Answer 6

A:

Opera 7.10 will not understand document.cookie, so it is not reliable. Try using this one instead:

<script type="text/javascript">
var cookieEnabled=(navigator.cookieEnabled)? true : false

//if not IE4+ nor NS6+
if (typeof navigator.cookieEnabled=="undefined" && !cookieEnabled){ 
document.cookie="testcookie"
cookieEnabled=(document.cookie.indexOf("testcookie")!=-1)? true : false
}

//if (cookieEnabled) //if cookies are enabled on client's browser
//do whatever

</script>

It is compatible with most browsers and the ones which will not work with it are not used anymore. I have tested it with Internet Explorer 8.0, Firefox 3.6, Google Chrome 4.0, Opera 10.10 both within HTML and XHTML. While using HTML version with Internet Explorer 8.0 I had to confirm execution of the script.

Sergiy Byelozyorov 2010-03-01 19:47:22

ansaurus

tags:

views:

answers:

Is !document.cookie reliable?

related questions