What is the arp_scroll_position cookie and how to prevent it? - cookies

My website suddenly started to write a cookie named arp_scroll_position in Chrome.
I did not change anything on my application to make this cookie appear, which is why that is very confusing.
In other browsers however this cookie is not set. I just tested Safari, Firefox and even Chrome Canary for that.
I also see this cookie on some other (but not all) websites. So it seems sort of being randomly placed.
I wish to have a cookieless application (no cookie usage warning & respecting the privacy of my users), so this cookie that just pops up in Chrome does counteract that a bit.
So my questions are: Where does this cookie come from? How can I prevent that cookie from being set at all?
Additional info: I use Twitter Bootstrap, but some other sites using bootstrap do not have this cookie.

Old question, but in case someone else stumbles into this:
Maybe you are using a Chrome extension called "Auto Refresh Plus (arp)". It sets a cookie with that name, see source code
Deactivate the extension, delete that cookie in the developer console, and reload the page. Cookie should be gone.

Related

Cookies are not set on IE11 windows 7 for an iframe app

I'm working with an outlook web add-in and a Rails webapp. The web add-in is loaded as an iframe when it's enabled through Outlook on the Web. The page is a login page from our Rails app. Our Rails app has a standard Devise setup for the authentication process.
When the login page is loaded and we input the proper credentials and click on login, the cookies are lost throughout the process and we get redirected back to the login page again.
When we take a look at the Network tab in the developer console, we see that /users/sign_in is being requested and returns with the proper response headers and cookies to be set. Hitting /users/sign_in successfully would usually redirect the iframe to /dashboard/stats with all the proper sessions and cookies in the header. However, this isn't the case, and we see that the request headers for /dashboard/stats do not have the proper cookies/sessions; instead they're missing. As a result, in the Rails app, we see that there are no proper cookies/devise session and will send a 401 and redirect back to the login page /users/sign_in.
This issue only occurs for Internet Explorer 11 (Version: 11.0.9600.19230) on Windows 7.
I've tested this same thing with a later version of IE11 on Windows 10 and it works fine: all the cookies and session attributes are being set properly and we login successfully. I've also tested this on Chrome, Safari, and Firefox, and the same scenario passes. Unfortunately, we need to support this version of IE11 on Windows 7 (or the latest version).
I was wondering if anybody has run into a similar issue and/or has any insights as to what might be the solution here for these missing cookies.
After digging through the forums, it seems that it's an issue related to the P3P header. Keep in mind that I've only found it to be an issue in the above IE11 version. The latest version I have (IE 11.316.17763.0) doesn't share the same issue.
Basically, in IE11, if the page inside the iframe doesn't have a P3P header, the browser will block the cookies. You can check if your page is blocked on IE11 by clicking on View > Webpage privacy report...
If the issue is present in your IE11 version, you'll see that your page is "Blocked" on the Cookies column.
The issue is solved by including the P3P header in your webapp's response headers.
You can read more in this post.
If you are unsure of the value of the P3P header, I would suggest reading through this related post.
However, it seems that the P3P concept is outdated and has been suspended, and based on the first post above, you don't need to worry too much about the value of the header.
Lastly, I would recommend for people to scope the addition of the P3P header only if you detect that the request was sent from an IE11 browser. This is something that only IE seems to enforce: Other current modern browsers do not have this issue.
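Added example (not part of the original answer, and not code from Rails or Devise): one way to scope the P3P header to IE11 as recommended above, written as a plain Rack middleware. The class name, the demo helper and the header value are assumptions; the value is a constructed placeholder because the page does not give one.

```ruby
# Added example: Rack middleware that sends a P3P header to IE11 only.
class IE11P3PHeader
  # IE11 sends the Trident/7.0 token, also in compatibility view, where the
  # User-Agent otherwise claims an older MSIE version.
  IE11_TOKEN = %r{Trident/7\.0}
  # Constructed placeholder value (assumption); the page does not give one.
  DEFAULT_POLICY = 'CP="PLACEHOLDER"'

  def self.ie11?(user_agent)
    !user_agent.nil? && IE11_TOKEN.match?(user_agent)
  end

  def initialize(app, policy: DEFAULT_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    if self.class.ie11?(env["HTTP_USER_AGENT"])
      # Header names are case-insensitive; keep a policy the app already set.
      headers["p3p"] = @policy unless find_key(headers, "p3p")
      # The response now differs by browser, so shared caches must be told.
      add_vary(headers, "User-Agent")
    end
    [status, headers, body]
  end

  private

  def find_key(headers, name)
    headers.keys.find { |k| k.to_s.casecmp?(name) }
  end

  def add_vary(headers, field)
    key = find_key(headers, "vary") || "vary"
    current = Array(headers[key]).join(",").split(",").map(&:strip)
    return if current.include?("*") || current.any? { |v| v.casecmp?(field) }
    headers[key] = (current + [field]).join(", ")
  end
end

# Constructed stand-in for the login response described above.
def demo_headers(user_agent)
  app = ->(_env) { [302, { "set-cookie" => "_session=abc; path=/" }, []] }
  IE11P3PHeader.new(app).call({ "HTTP_USER_AGENT" => user_agent })[1]
end
```

In a Rails app the middleware would be registered with config.middleware.use IE11P3PHeader.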

Google NID Cookie

I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie named NID which was set by Google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
According to Google:
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the URL https://www.google.com/s2/favicons?domain=example.org, which was being used by the CookieBro & FeedBro RSS feeder browser addons for retrieving icons associated with various domains. The cookie can be dropped by either an addon or by Google itself.
I used the cookie log via the CookieBro addon for Firefox & Chrome to detect these cookies in real time; it's one of a kind. However, I did not realize it was CookieBro dropping them until the next step below.
To see what background connection is occurring when these cookies are placed, enter the following Firefox URL: about:cache?storage=disk&context= and you will see when and where the Google URL is being connected to.
It is said this cookie is for targeting & ads, and Google's settings are integrated to make the cookie inconvenient to delete for Google users.

Is there something a site can do to incorporate third party cookies

I work for an e-commerce site. Part of what we do is to offer customized items to some clients. Recently some non-technical management promised that we could incorporate our check-out process into one such client's website. The only way we've figured out how to do this is by using an iframe (I know, I don't like it either). The issue is that most customers of this site are unable to check out because we use cookies to determine which custom items to display. Browsers are recognizing our cookies as third party and almost everybody has third party cookies turned off, as they should. I'm going to be shocked if the answer is yes, but is there any workaround for this? i.e. can the site hosting our iframe somehow supply the necessary cookie?
Try an invisible, interstitial page.
Essentially the hosting site would issue a redirect to a site within your domain, which is then free to set cookies (because at this point it is actually the first party). Then your site immediately redirects back to the hosting site. At this point your newly-created cookies will be invisible to the hosting site but visible to your iFramed page henceforth.
Unfortunately the hosting site will have to do this every time a cookie is to be updated but the double-redirect can happen so quickly they'll hardly notice. Hopefully your system only needs the cookies to be set once.
Instead of using a cookie, pass the information in each URL request as name/value pairs.
It is a bit of a pain to add the name/value to every url...I know...oh well...it will work.
I'm going to be shocked if the answer is yes, but is there any workaround for this? i.e. can the site hosting our iframe somehow supply the necessary cookie?
Your iframed page itself, which is the third party in this scenario, could send a P3P Cookie Policy header – some browsers then accept third-party cookies by default, whereas others (mainly Safari) will not be convinced to do so at all if not by the user manipulating the default settings themselves.
What you could also do is pass the session id not (only) by cookie, but as a GET or POST parameter as well – e.g. under PHP this can be done quite easily by configuring the session options. You should consider if that’s worth the slightly increased risk of session stealing.
The interstitial page solution should work but it might be a lot of trouble for your hosting site, so here's another solution that will allow you to work cookieless.
Write an HttpModule that responds to the BeginRequest event, reads the querystring, and inserts corresponding cookie headers into the Context.HttpRequest object (Note: you can't use AddCookie, you have to use AddHeader, because cookies added by a module directly are disposed of before they hit your application proper). That way the hosting site can simply issue a request (within the iFrame) that contains the necessary value in the querystring, the module will convert it into a cookie (that only exists in memory, not on the wire), and your application will be deceived into thinking that there's a cookie there. No code changes required, you just need to add the module in web.config.
This only works if you are using IIS 7.0+ in integrated pipeline mode. If you're on an earlier version of IIS or if you have to run in classic mode, you'll need an ISAPI filter instead.
Ryan, John
For the Chrome v80 update with SameSite flags, we want to set samesite=none;secure for the site hosting our iframe and somehow supply the necessary samesite=none;secure cookie. We have an Apache 2.2 and Tomcat 6 setup, so would appreciate a solution and advice on how to make it work. Currently with the flag enabled the iFrame is not punching out successfully.
Thanks

Coldfusion 8 Cookies disappearing mid-session with IE8

I am dealing with a ticketing system that was written about 10 years ago using Coldfusion 8. When a user is authenticated and logs in, the user's information about his ID is saved in CF cookies, and the site uses those cookies to fill in the user's ID, name, etc. when the user is filling out tickets.
This application works fine in Internet Explorer 6.0. However, we are slowly migrating to Internet Explorer 8, so there are some users here that already started using IE8 full-time. We've been getting complaints from some of these IE8 users, in which mid-session, the cookies are lost/become null, and the user can't complete the tickets. Users are able to log in just fine, but sometimes in mid-session, errors like "NAME UNDEFINED" appear. They don't seem to be isolated to particular tickets because I've looked at all the complaints we have, and they're discovered in all sorts of tickets. I check the logs/screenshots and sure enough, the cookie for the employee ID is null. I've searched all over the web and I can't find good fixes for this.
I thought about converting cookies to session variables, but that would be a massive undertaking and require a lot of testing.
Any thoughts? Thanks in advance.
Any chance the domain is changing? You could be switching between www.servername.com and servername.com? Unless you were writing domain cookies, a change in the domain would cause the cookies written for one domain to be inaccessible from another. You can enable domain cookies in your Application.cfm or Application.cfc file. Either set <cfset this.setDomainCookies = true /> in Application.cfc or set the setDomainCookies="true" attribute on your <cfapplication /> tag. This will write cookies accessible from any subdomain.
Have the cookies expired? You can set an expiration date for the cookie. Perhaps it is expiring before the user's session expires?
Have you tried using the IE development toolbar to track the cookies? You can use it to view cookies set for your site.
In one of my applications, our users are facing the same issue. It started all of a sudden without any change in code. We suggest them to clear the cache and retry, and it works. But I need to know the root cause and its fix.
Thank you

Problems with sessions and ColdFusion only in IE6

We have a strange problem when implementing sessions with ColdFusion in IE6.
After login and after a refresh on the page all the session variables are lost.
Is it some kind of config in the Administrator? Could you give me some troubleshooting tips for this issue?
Thanks in advance!
I've seen this before, but it's been a long time. I remember creating a test page to dump out the cookies for the site and they'd change on every refresh. I don't remember if we ever found a solution. I want to say that the issue cleared up after another update from Microsoft, but it was so long ago I honestly don't remember.
What's happening is you're getting new values for the CFID and/or CFTOKEN cookies that CF creates and uses to keep track of the browser's state. (The web is by its nature stateless, but that's not very helpful when you need to do transactions.)
Here are some of the possible issues I've seen other people mention:
Inconsistently using www.domain.com and domain.com. The site may work either way, but unless you're using domain cookies the cookies will care
Privacy settings in IE being too restrictive
Special characters in the domain name (underscore is mentioned specifically)
Lack of P3P policy on the web server (back to the privacy settings)
As for solutions, have you tried using J2EE session variables? Some people have had success with those in solving this.
I think it is because your IE6 is not accepting cookies?