
Cookies question


Don E


I was looking at some cookies from sites I've visited and I've noticed that many of the name=value(content) pairs are what appear to be encrypted or encoded in some way. Is this done intentionally or a way the browser/server handles certain cookies?


This is what I have. It assigns two cookies. Ignore the commented out code because what I was trying to do there was alert out both cookies but I was having a hard time getting "color" for some reason. Anyhow, as you can see, I escape() and then decode it using unescape(). Is there something here that can encode the cookie name/value so that users are not able to go into the cookies in the browser and see sensitive data for example?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>JS Cookies</title>
<script type="text/javascript">
function makeCookie(form)
{
    var when = new Date();
    when.setTime(when.getTime() + 24 * 60 * 60 * 1000); // 24 hours from now
    when.setFullYear(when.getFullYear() + 1); // One year from now
    yname = form.yourname.value;
    favcolor = form.yourcolor.value;
    document.cookie = escape("visitor")+"="+escape(yname)+";expires="+when.toGMTString();
    document.cookie = escape("color")+"="+escape(favcolor)+";expires="+when.toGMTString();
    alert(document.cookie); // to see what's in the cookie
}

function welcome(myForm)
{
    //you = myForm.yourname.value;
    var positionVisitor = document.cookie.indexOf("visitor=");
    //var positionColor = document.cookie.indexOf("color=");
    if ( positionVisitor != -1 /*&& positionColor !=-1*/ )
    {
        var beginVisit = positionVisitor + 8;
        //var beginColor = positionColor + 6;
        var endVisit = document.cookie.indexOf(";", beginVisit);
        //var endColor = document.cookie.indexOf(";", beginColor); // problem here
        if(endVisit == -1 /*&& endColor == -1*/)
        {
            endVisit = /*endColor =*/ document.cookie.length;
        }
        you = unescape(document.cookie.substring(beginVisit, endVisit));
        //col = unescape(document.cookie.substring(beginColor, endColor));
        alert("Welcome " + you /*+ ". Your favorite color is " + col*/);
    }
    else
    {
        alert("No cookies today");
    }
}
</script>
</head>
<body onLoad="document.form1.reset()">
<div align="center">
    <h2>Got milk?</h2>
    <form name="form1">
        What is your name?
        <br />
        <input type="text" name="yourname" />
        <br />
        What is your favorite color?
        <br />
        <input type="text" name="yourcolor" />
        <br />
        <p>
        <input type="button" value="Make cookie" onClick="makeCookie(this.form);" />
        </p>
        <p>
        <input type="button" value="Get Cookie" onClick="welcome(this.form);" />
        </p>
    </form>
</div>
</body>
</html>

Run your cookie value through escape() and decode it using unescape(). Cookies are transmitted in HTTP headers, so they must be compatible with, like, everything.

The obvious answer is not to store sensitive data in cookies. Other than that, look into various encryption schemes, there are a lot of them out there (the difficulty is that anyone viewing your code can also decrypt the cookies if your encryption is applied through JavaScript; most people encrypting cookies do so through something like PHP).

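An added example, not part of any post in this thread: it contrasts percent-encoding (reversible by anyone who opens the browser's cookie store) with a cookie value encrypted and authenticated on the server, where the key never reaches the page's script. It uses Node.js instead of the PHP mentioned above; `encodeOnly`, `sealCookie`, `openCookie` and `KEY` are names assumed for the illustration, and the sample value is constructed.

```javascript
const crypto = require('crypto');

// Assumption: in a real deployment the key comes from server-side secret
// storage and is never sent to the browser. Generated here for the demo.
const KEY = crypto.randomBytes(32);

// Percent-encoding only makes the value safe for an HTTP header.
// It hides nothing: decodeURIComponent() reverses it without any secret.
function encodeOnly(value) {
  return encodeURIComponent(value);
}

// Encrypt and authenticate a value with AES-256-GCM.
// Output is three base64url fields joined by dots: iv.tag.ciphertext
function sealCookie(value, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, tag, ct].map((b) => b.toString('base64url')).join('.');
}

// Returns the plaintext, or null when the cookie is malformed, was modified
// in the browser, or was sealed under a different key.
function openCookie(sealed, key = KEY) {
  const parts = String(sealed).split('.');
  if (parts.length !== 3) return null;
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64url'));
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // authentication failed
  }
}

// Constructed sample value, mirroring the thread's "visitor" cookie.
const sample = 'Don E';
const sealedSample = sealCookie(sample);
console.log('encoded only:', encodeOnly(sample), '->', decodeURIComponent(encodeOnly(sample)));
console.log('sealed:', sealedSample, '->', openCookie(sealedSample));
```
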

Setting and reading cookies in PHP is easier anyway, I find. You'd need to know how "sensitive" your data is before choosing an encryption scheme. Have you considered a simple database for all this? Even a flat file can handle a lot and be easily managed.


Yeah, probably best bet. Thanks DD and JSG.

Setting and reading cookies in PHP is easier anyway, I find. You'd need to know how "sensitive" your data is before choosing an encryption scheme. Have you considered a simple database for all this? Even a flat file can handle a lot and be easily managed.

Archived

This topic is now archived and is closed to further replies.
