About reading and writing remote sessions

I’ve recently done some research on third-party cookie settings in various browsers. Here are the results.

Disclaimer: I have not gone through quality control of the results, so they may contain mistakes.

The tests

The remote page is loaded in one of the following ways:

jsredirect
The origin server redirects to the remote server using JS.
jsonp
The origin server loads a script element from the remote server.
iframe
The origin server loads, in an iframe, a page on the remote server; that page redirects back to a receiver page on the origin server with query parameters carrying the cookie data, and the receiver pushes the data to the parent frame.
redirect
The origin server redirects to the remote page using HTTP headers.

I distinguish between the ways the remote server sets the cookie:

http
The remote server redirects back to the origin server with an HTTP redirect, and sets the Set-Cookie header on that same first response.
http200
The remote server sets the cookie (with Set-Cookie) on a response with status code 200, and a JS script afterwards redirects back to the origin site.
js
The remote server responds with status code 200; the cookie is set using JS, and JS also handles the redirect back to the origin site afterwards.

All tests were performed both with and without the P3P header set on the remote server.

I have not tested hidden image elements (or other media elements), but I suspect the results would be identical to JSONP.

I tested four cookie operations for all test cases:

r
Read. Implied if write succeeds; if write fails, read is tested separately.
w
Write. Implies read. Can a new cookie be set?
u
Update cookie. Can the value of a cookie that is already set be changed?
d
Delete cookie. Can an existing cookie be deleted?

Interesting findings

Here is a summary of what I learned from the research.

All default browser settings are kind to remote read

If you want to read a cookie from a remote site, you’re good to go with all approaches under every browser’s default settings.

Remote write is more complex

If you want to write a cookie on a remote site, things get more complex.

  • Firefox’s default settings allow it.
  • Opera does not allow you to write cookies with JSONP or with hidden iframes; the one exception is that it allows writing cookies in an iframe if the cookie is set with JS.
  • Safari is very permissive and allows you to write cookies on a remote site, with one exception: an iframe that tries to set the cookie with JS. This is more or less the opposite of Opera’s behaviour.
  • IE allows you to write remote cookies only if you set the P3P header (except in the Low setting). On IE Medium and Medium High, you may write remote cookies with all approaches except setting the cookie with JS in an iframe. On IE High, you also cannot set cookies with JS at all.

Status code does not matter

When the remote server sets the cookie with a Set-Cookie HTTP header, no browser, regardless of settings, cares whether the status code is 200 or a redirect (back to the origin site).

No browser distinguishes between write, update and delete

Write, update and delete are always treated the same way, regardless of browser and settings.

Always set P3P headers

IE puts heavy restrictions on cookie access unless you set P3P headers, so set them.

Block Third-Party is usually kind towards remote reading, except in Firefox

All browsers except Firefox are fairly permissive about reading cookies from a remote source even with third-party cookies blocked. With Firefox’s strict setting to block third-party cookies, there is no way to read remote cookies without doing a redirect.

Recommended approach to read remote cookies

The most reliable way to read a remote cookie (without using redirects) is

  • JSONP with the cookie set in an HTTP header, or
  • an iframe with the cookie set in an HTTP header.

This works with all browser settings except Firefox’s block-third-party setting.

Recommended approach to write remote cookies

The most reliable way to write a remote cookie (without using redirects) is to use two approaches in parallel:

  • Use a hidden iframe and set the cookie both with an HTTP header and with JS.

This works with all browser settings except Firefox’s block-third-party setting.
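
The origin-side half of the hidden-iframe recipe, as an added example written for this page (not the author’s code): the page points a hidden iframe at the remote cookie-setting URL; the remote side, after setting the cookie by header and by JS, redirects back to a receiver page on the origin with the result in the query string; the receiver relays it to the parent window with postMessage. The parent accepts the message only if `event.origin` is its own origin, and the receiver posts with an explicit targetOrigin rather than `*`, so a different third-party frame on the page cannot spoof or read the result. The remote base URL, the receiver path, the `seen` parameter and the message shape are assumptions.

```javascript
// Assumed addresses for the example; the post does not give them.
const REMOTE_BASE = 'https://remote.example/cookie';
const ORIGIN = 'https://origin.example';

// URL the hidden iframe is pointed at. mode/op/value/return are the query
// parameters the (assumed) remote side understands.
function buildRemoteUrl({ mode, op, value }) {
  const u = new URL(REMOTE_BASE);
  u.searchParams.set('mode', mode);
  u.searchParams.set('op', op);
  u.searchParams.set('value', value);
  u.searchParams.set('return', `${ORIGIN}/receiver`);
  return u.toString();
}

// Runs in the parent document. `doc` is injected so a fake can be used in tests.
// No sandbox attribute: a sandboxed frame without allow-same-origin gets an
// opaque origin and the remote cookie would not be associated with it.
function openHiddenIframe(doc, url) {
  const f = doc.createElement('iframe');
  f.style.display = 'none';
  f.src = url;
  doc.body.appendChild(f);
  return f;
}

// Runs in the receiver page (same origin as the parent) once the remote side
// has redirected back. Only the `seen` query parameter is relayed, and the
// targetOrigin is explicit so the result never leaks to a foreign parent.
function relayToParent(win, search) {
  const params = new URLSearchParams(search);
  const payload = { type: 'remote-cookie', seen: params.get('seen') };
  win.parent.postMessage(payload, ORIGIN);
  return payload;
}

// Runs in the parent document. Drop any message that did not come from our own
// origin or does not have the expected shape: other frames on the page can
// post messages too, and must not be able to forge a "cookie written" result.
function handleReceiverMessage(event) {
  if (event.origin !== ORIGIN) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'remote-cookie') return null;
  return { seen: typeof d.seen === 'string' ? d.seen : null };
}

// Wires it together: resolves with what the remote server saw in the Cookie
// header, or rejects on timeout, which is what a blocked cookie or blocked
// frame looks like from the parent's point of view.
function remoteCookieOp(doc, win, opts, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const frame = openHiddenIframe(doc, buildRemoteUrl(opts));
    const timer = setTimeout(() => { cleanup(); reject(new Error('no result from remote frame')); }, timeoutMs);
    function onMsg(ev) {
      const r = handleReceiverMessage(ev);
      if (r) { cleanup(); resolve(r); }
    }
    function cleanup() {
      clearTimeout(timer);
      win.removeEventListener('message', onMsg);
      frame.remove();
    }
    win.addEventListener('message', onMsg);
  });
}
```

In a browser the parent calls `remoteCookieOp(document, window, { mode: 'both', op: 'w', value: '1' })` once to write and a second time (any op) to confirm via `seen` that the cookie was stored and sent back; the receiver page calls `relayToParent(window, location.search)`.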
