document.cookie returns empty string for the csrf token with httponly set to false
Categories
(Core :: Networking: Cookies, defect)
People
(Reporter: coderrajput, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Steps to reproduce:
Not able to access document.cookie in the Firefox browser, both in the console and in the client script. It returns an empty string, even though the httponly param is false. This works fine in the Chrome and Edge browsers, even in IE.
Actual results:
document.cookie returns ""
Expected results:
should return cookie value
Comment 1•5 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•5 years ago
Could you provide some information? E.g., the network requests involved that lead to setting of the cookie? Or ideally a testcase?
Reporter
Comment 3•5 years ago
Thanks anne.
Request:
POST /actionHandler/ajaxSet_userbar.php HTTP/1.1
Host: [2001:558:4030:8:3e9a:77ff:febc:9dc4]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
csrfp_token: false
Content-Length: 17
Origin: http://[2001:558:4030:8:3e9a:77ff:febc:9dc4]
Connection: keep-alive
Referer: http://[2001:558:4030:8:3e9a:77ff:febc:9dc4]/at_a_glance.php
Cookie: PHPSESSID=j8dn8i2qe1tpd96dc2lbngj234; csrfp_token=7518624c6f
Pragma: no-cache
Cache-Control: no-cache
Response:
HTTP/1.1 500 Internal Server Error
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' 'unsafe-inline' 'unsafe-eval'; form-action 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; connect-src 'self'; object-src 'none'; media-src 'none'; script-nonce 'none'; plugin-types 'none'; reflected-xss 'none'; report-uri 'none';
Content-Length: 0
Date: Tue, 16 Feb 2021 12:29:23 GMT
Server: Xfinity Broadband Router Server
Here the csrf token is set using document.cookie. Since that is empty, a false value is set.
If need more info, let me know
Comment 4•5 years ago
This shows a request that includes a cookie and a response that does not set a cookie. Where is the cookie set and where do you attempt to read it using document.cookie?
Reporter
Comment 5•5 years ago
    _getAuthKey: function () {
        var regex = new RegExp(`${CSRFP.CSRFP_TOKEN}=([^;]+)(;|$)`);
        var regexResult = regex.exec(document.cookie);
        if (regexResult === null) {
            return null;
        }
        return regexResult[1];
    },
Comment 6•5 years ago
That still doesn't give me the information where you are setting this and, for the record, if you do something like

    document.cookie = "a=b;c=d"
    console.log(document.cookie)

it will return a=b only, in all browsers. You want to run document.cookie for each cookie that you want to set independently.
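The behaviour described in the comment above, as an added example that is not part of the bug report or of CSRF-Protector-PHP. It models the document.cookie setter with a small CookieJar class (an assumption made here for the example: only the first name=value pair of an assigned string is the cookie, everything after the first ';' is an attribute), sets several cookies with one assignment each, and reads a single cookie by exact name out of the "name=value; name2=value2" form that the document.cookie getter (and the Cookie request header above) uses. Unlike the _getAuthKey regex in Comment 5, the lookup escapes the cookie name and anchors it so "token" does not match inside "csrfp_token". The sample cookie string is taken from the request in Comment 3; the function and class names are this example's own.

```javascript
// Added example (not from the bug report or CSRF-Protector-PHP).

// Parse "a=b; c=d" (the form the document.cookie getter returns, and the form
// of the Cookie request header) into a Map of name -> value.
function parseCookieString(cookieString) {
  const jar = new Map();
  if (!cookieString) return jar;
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    // A bare value with no '=' is treated as a cookie with an empty name.
    const name = eq === -1 ? '' : trimmed.slice(0, eq).trim();
    const value = eq === -1 ? trimmed : trimmed.slice(eq + 1).trim();
    jar.set(name, value);
  }
  return jar;
}

// Read one cookie by exact name. The name is escaped before it is placed in
// the pattern, so a token name containing regex metacharacters cannot change
// the match, and the pattern is anchored at the start of the string or after
// a ';' so "token" does not match the tail of "csrfp_token".
function getCookie(name, cookieString) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const regex = new RegExp(`(?:^|;\\s*)${escaped}=([^;]*)`);
  const m = regex.exec(cookieString || '');
  return m === null ? null : m[1];
}

// Simplified model of the document.cookie setter (assumption for this example):
// one assignment is one cookie; only the first "name=value" pair is stored and
// everything after the first ';' is an attribute (path, expires, ...), so
// "a=b;c=d" stores a=b and silently treats c=d as an attribute.
class CookieJar {
  constructor() { this.store = new Map(); }
  set cookie(str) {
    const [pair] = str.split(';');
    const eq = pair.indexOf('=');
    const name = eq === -1 ? '' : pair.slice(0, eq).trim();
    const value = eq === -1 ? pair.trim() : pair.slice(eq + 1).trim();
    this.store.set(name, value);
  }
  get cookie() {
    return [...this.store].map(([k, v]) => (k ? `${k}=${v}` : v)).join('; ');
  }
}

// Set several cookies the way that works in every browser: one assignment per
// cookie, each with its own attributes. Returns the serialized jar.
function setCookiesIndividually(jar, cookies) {
  for (const [name, value] of Object.entries(cookies)) {
    jar.cookie = `${name}=${value}; path=/`;
  }
  return jar.cookie;
}

// Constructed from the Cookie header in Comment 3.
const SAMPLE_COOKIE_HEADER = 'PHPSESSID=j8dn8i2qe1tpd96dc2lbngj234; csrfp_token=7518624c6f';
```

In a page, replace the CookieJar instance with `document` itself; the setter and getter have the same shape. If getCookie returns null for a cookie the server did set, check the Set-Cookie attributes (Domain, Path, Secure, HttpOnly) and the page's host before assuming a browser bug.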
Reporter
Comment 7•5 years ago
Hi anne,
Actually I am setting the cookie value from the router server using PHP code. For your reference I am pasting the code which is setting the cookie:
    public static function refreshToken()
    {
        $token = self::generateAuthToken();
        if (!isset($_SESSION[self::$config['CSRFP_TOKEN']])
            || !is_array($_SESSION[self::$config['CSRFP_TOKEN']]))
            $_SESSION[self::$config['CSRFP_TOKEN']] = array();
        // Set token to session for server side validation
        array_push($_SESSION[self::$config['CSRFP_TOKEN']], $token);
        // Set token to cookie for client side processing
        if (self::$cookieConfig === null) {
            if (!isset(self::$config['cookieConfig']))
                self::$config['cookieConfig'] = array();
            self::$cookieConfig = new csrfpCookieConfig(self::$config['cookieConfig']);
        }
        setcookie(
            self::$config['CSRFP_TOKEN'],
            $token,
            time() + self::$cookieConfig->expire,
            self::$cookieConfig->path,
            self::$cookieConfig->domain,
            (bool) self::$cookieConfig->secure);
    }
For more info on the code, please refer https://github.com/mebjas/CSRF-Protector-PHP/blob/master/libs/csrf/csrfprotector.php
Reporter
Comment 8•5 years ago
I am using a Lighttpd server at the router.
Comment 9•5 years ago
And this is something that works in Chrome and Safari? Can you put up an example site/test/demo that lets me try it out?
Comment 10•5 years ago
Waiting on reporter to provide either public test server or upload small test case.
Comment 11•5 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1683593 also mentioned that document.cookie is empty on IPv6 addresses. That bug says Firefox 87 will be fixed, and I can confirm the problem I got on Firefox 86.0 is gone on 87.0b5.