47

As the question says, can you find out if a cookie exists within JavaScript if it is HttpOnly? I don't need to access the information inside of it, just know it has one.

A little more information on the situation is that there was originally a web server which used a cookie as an authentication token, and it was set to httponly as it was not used by the client so it added to the security.

However, now there is a change needed where the client needs to know if it has the cookie (as the site can work without the user being logged in, but if they are logged in (the auth cookie would exist) the site needs to display certain things and hide others).

There are other security precautions in place on the web server so there is no harm in the scenario where the client has an incorrect auth cookie, but the site makes it look like they are logged in, as it would delete the cookie and reject the user.

2
  • 2
    Can you not alter the server-side code to communicate the authentication status to the client as part of page creation?
    – Neil
    Commented Feb 19, 2012 at 22:22
  • 1
    There is no server side code really, it's a pure html/javascript web site which also allows the users to login to persist information outside of localStorage (that's where the web-server kicks in). Originally the client was required to log in before accessing the site, however now the user can use the entire site without logging in using localStorage. This call to find out if the cookie exists is to show the login boxes or not and other remote functionality if they are logged in.
    – Grofit
    Commented Feb 19, 2012 at 22:34

4 Answers

60

I had the same problem. I solved it with the server setting another cookie, not httponly, every time it refreshed the httponly session cookie, with the same max-age and no sensitive data. Now, if one of them is present, the same goes for the other, and the client can know if the httponly counterpart is there.

2
  • 6
    This is the best answer in my opinion. This also helps in case the user suddenly clears all his cookies from a particular site.
    – Algorini
    Commented Jan 14, 2021 at 7:31
  • 3
    This is the best answer. The selected answer is a hack that opens new problems. Commented Jun 23, 2022 at 18:44
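
The companion-cookie approach from this answer, as an added example that is not code from the answer's author: the server issues an HttpOnly token plus a readable marker with the same lifetime, and the client looks only for the marker. The cookie names `session` and `logged_in`, the `Secure`/`SameSite` attributes and the helper `visibleToScript` (a stand-in for the browser's filtering so the block runs offline) are assumptions.

```javascript
const SESSION_COOKIE = "session";   // assumed name: HttpOnly auth token
const MARKER_COOKIE = "logged_in";  // assumed name: readable flag, carries no secret

// Server side: both Set-Cookie values share one Max-Age so they expire together.
function buildLoginCookies(token, maxAgeSeconds) {
  const common = `Path=/; Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
  return [
    `${SESSION_COOKIE}=${encodeURIComponent(token)}; ${common}; HttpOnly`,
    `${MARKER_COOKIE}=1; ${common}`, // no HttpOnly: shows up in document.cookie
  ];
}

// Server side: on logout or a rejected token, expire both cookies at once.
function buildLogoutCookies() {
  return buildLoginCookies("", 0);
}

// Simulation only: what document.cookie would contain after these headers.
// HttpOnly cookies are hidden from script and Max-Age=0 cookies are deleted.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h) && !/;\s*Max-Age=0\b/i.test(h))
    .map((h) => h.split(";")[0])
    .join("; ");
}

// Client side: exact-name lookup, so "xlogged_in" does not match "logged_in".
function hasCookie(cookieString, name) {
  return cookieString.split(";").some((pair) => {
    const eq = pair.indexOf("=");
    return eq !== -1 && pair.slice(0, eq).trim() === name;
  });
}

// Client side: a UI hint only; the server still validates the HttpOnly token.
function looksLoggedIn(cookieString) {
  return hasCookie(cookieString, MARKER_COOKIE);
}
```

In a browser the call is `looksLoggedIn(document.cookie)`.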
54

You can indirectly check to see if it exists by trying to set it to a value with JavaScript. If it can't be set, then the HttpOnly cookie must be there (or the user is blocking cookies).

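function doesHttpOnlyCookieExist(cookiename) {
  // Try to write a cookie with the same name that expires after one second.
  var d = new Date();
  d.setTime(d.getTime() + (1000));
  var expires = "expires=" + d.toUTCString();

  document.cookie = cookiename + "=new_value;path=/;" + expires;
  // If the name is not readable afterwards, the write was refused:
  // an HttpOnly cookie with that name exists (or cookies are blocked).
  return document.cookie.indexOf(cookiename + '=') == -1;
}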
8
  • 3
    Do you mind explaining which part of this isn't working on Firefox? I'm on 66.0.3 here and it seems to work perfectly fine... getting exactly the same results as on Chrome, Edge and IE11. Commented Apr 24, 2019 at 11:22
  • Safari 13 overwrite cookie
    – vitaliytv
    Commented Jan 25, 2020 at 6:02
  • Just tested on Safari 13.1, Firefox 76.0.1 and Chrome 83 on macOS Catalina. Worked like a charm on all 3, thanks for the brilliant trick! :D Commented Jun 2, 2020 at 19:43
  • 8
    In my opinion, you shouldn't rely on this solution because it's an implementation detail. Maybe in the future, major browsers will consider this a security vulnerability and in turn allow both cookies to co-exist sharing the same name. This might very well happen because browsers already provide this feature. Commented Jul 27, 2020 at 21:48
  • 1
    This one doesn't seem to be working anymore on iOS 14. I tried with iPad and iPhone iOS 14.x on both Chrome and Safari, neither of them worked.
    – Nghia Le
    Commented Jan 11, 2021 at 12:29
13

Whenever you need to check whether the cookie exists or not, you can send a request to the server that requires authentication & check the response. If it's something like 401 Unauthorized or 403 Forbidden, then the cookie probably doesn't exist & you can prompt the user for login.

On the other hand, if the cookie exists, it'll be automatically sent by the browser resulting in a 200 OK response.
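
The probe request described in this answer, as an added example that is not the answer author's code. The endpoint `/api/session` and the state names are assumptions; the example also treats server errors and network failures as "unknown" rather than as a missing cookie, which goes slightly beyond the answer's 200/401/403 cases.

```javascript
const PROBE_URL = "/api/session"; // hypothetical endpoint that requires the auth cookie

// Only 401/403 are evidence that no valid cookie was sent. A 5xx or an
// unexpected redirect says nothing about the cookie, so it maps to "unknown".
function classifyAuthStatus(status) {
  if (status >= 200 && status < 300) return "logged-in";
  if (status === 401 || status === 403) return "logged-out";
  return "unknown";
}

// fetchImpl is injectable so the function can be exercised offline; in a
// browser, probeAuth() with no arguments uses the global fetch.
async function probeAuth(fetchImpl = fetch, url = PROBE_URL) {
  try {
    const res = await fetchImpl(url, {
      method: "GET",
      credentials: "same-origin", // the browser attaches the HttpOnly cookie itself
      cache: "no-store",          // never answer the probe from a cached response
    });
    return classifyAuthStatus(res.status);
  } catch (err) {
    return "unknown"; // network failure: leave the current UI state alone
  }
}

// Constructed stub standing in for the server: always answers with `status`.
function stubFetch(status) {
  return async () => ({ status });
}

// Constructed stub standing in for an unreachable server.
function failingFetch() {
  return async () => { throw new TypeError("network error (constructed)"); };
}
```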

12

No. And see Rob's comments below.

See this, which you probably already saw - http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly

An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie")...

Edit: Removed undefined response, I wrote a script that you may not be using :)

3
  • "It will return undefined"? Cookies are obtained through document.cookie, which is an always-existing string. The HttpOnly cookie just doesn't show up, but it's definitely not "undefined"
    – Rob W
    Commented Feb 19, 2012 at 22:01
  • I mean if you try to access it and get a return value. Right?
    – Mike
    Commented Feb 19, 2012 at 22:02
    Cookies in JavaScript have to be obtained through string manipulation on document.cookie. For example, document.cookie can look like value=woow%20; value2=another%20woot. To find the value of the cookie whose key name is value, you can use (example): var test = /(?:;\s*|^)value=([^;]*)/.exec(document.cookie); If the cookie exists, you can get the value through test[1]. If it doesn't, test === null, and trying to do test[1] will throw a null error.
    – Rob W
    Commented Feb 19, 2012 at 22:09
