2

I'm currently using this to check if a cookie name exists in the browser:

document.cookie.indexOf('myCookie=')

This works if the cookie was set via PHP's setcookie() but this doesn't appear to work on PHP sessions.

E.g. if the "cookie" was set through session_start();, you can see in the browser inspector the cookie name with an expiration of "Session". I can't seem to access that session cookie name via JS. Any ideas?

To be clear: I need to check if the PHP session cookie name is present in the browser, not the session data.

5
  • It's been a while since I've used PHP, isn't a session stored into session storage, instead of cookies? $_SESSION? What's your reasoning for needing to check the session exists? Could you determine that in PHP for example? Commented May 10, 2020 at 21:46
  • @Isolated I need to check if the session cookie name is no longer present in the browser so I can maybe invalidate cached pages. This could potentially solve my problem here Commented May 10, 2020 at 22:02
  • @Isolated AFAIK PHP session does not use the browser's sessionStorage, it uses cookie storage to store a session id. Commented May 10, 2020 at 22:06
  • That's certainly an interesting use-case for it. If the JavaScript is cached though, would that not defeat the purpose? In all honesty, you may find more value in your other question; my knowledge of PHP is so limited now I wouldn't want to point you in the wrong direction. Commented May 10, 2020 at 22:06
  • @Isolated the JS is cached but the PHP cookie is not Commented May 10, 2020 at 22:09

1 Answer

3

It is possible to set the PHP session cookie to be available only via HTTP (i.e. not in JS) if your session.cookie_httponly PHP configuration setting is enabled. In other words, you need to disable it / set it to false for your session cookie to be accessible in JS.

You can check its value like so:

<?php
var_dump(ini_get('session.cookie_httponly'));

Generally, this setting is enabled for security reasons, so I would highly suggest questioning the necessity of doing this.


6 Comments

I have this enabled, but I don't think this answers the question sorry. Kindly clarify how could this help JS check if the session cookie name is present?
Check that session.use_cookies is enabled. Check the value of your session.name to confirm that you are looking for the right cookie name. If you are attempting to access the cookie on a page hosted on a different host name from the one the cookie uses, check that session.cookie_samesite is enabled.
Offhand, I'm not sure of any other reasons why JS wouldn't be able to see your PHP session cookie. document.cookie should include any session cookies that aren't HTTP-only if they were set on the same domain hosting the page from which you're accessing it.
I have session.use_cookies enabled and I'm sure about the session name, I can see it in the browser inspector. JS just doesn't read it but it does read setcookie() cookies.
Ok after some testing session.cookie_httponly must be actually disabled for this to work. I was just confused with your wording. You may want to clarify it so I can accept this answer. Basically, what I want to do can be achieved if session.cookie_httponly is disabled.
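The behaviour this thread settles on, as an added example that is not code from the question or the answer: a small model of which cookies `document.cookie` exposes to page scripts depending on the `HttpOnly` attribute, plus an exact-name presence check. The `Set-Cookie` lines are constructed sample data, `PHPSESSID` is assumed as the session name (PHP's default `session.name`), and the function names are hypothetical.

```javascript
// Added example: models which cookies a page script can read via document.cookie.
// The Set-Cookie values below are constructed sample data, not captured traffic.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// Build the string document.cookie would return: HttpOnly cookies are left out,
// which is why the inspector shows the session cookie but script code does not.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Exact-name presence check. A plain indexOf('myCookie=') test also matches
// a different cookie whose name merely ends in 'myCookie'.
function hasCookie(cookieString, name) {
  return cookieString
    .split(';')
    .some((part) => part.trim().split('=')[0] === name);
}

// Constructed responses: session cookie sent with session.cookie_httponly
// enabled, then with it disabled. 'myCookie' stands in for a setcookie() cookie.
const withHttpOnly = [
  'PHPSESSID=abc123; path=/; HttpOnly',
  'myCookie=1; path=/',
];
const withoutHttpOnly = [
  'PHPSESSID=abc123; path=/',
  'myCookie=1; path=/',
];
```

In a browser the check is `hasCookie(document.cookie, 'PHPSESSID')`. It returns true only when the session cookie is sent without `HttpOnly`, which also makes the session ID readable by every script running on the page.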