Win a copy of Learn Spring Security (video course) this week in the Spring forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Global Variable Vs Cookie

 
Alec Lee
Ranch Hand
Posts: 569
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I came across a javascript example which stores the state of an expandable menu (expanded vs collapsed) in cookie instead of using global variable:http://javascript.internet.com/navigation/click-to-expand-menu.html

This makes me confused . Isn't cookie mainly used for resending information to the SERVER (like jsessionid/login name of previous session). Is there any valid reason to use cookie as a global variable when no server side communication is involved?
 
Eric Pascarello
author
Rancher
Posts: 15385
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Last time I checked, JavaScript does not have a global variable that spans page refreshes.

Eric
 
Valentin Crettaz
Gold Digger
Sheriff
Posts: 7610
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Alec, global variables are only valid within the same page scope. As Eric pointed out, if you either refresh the page or navigate to another one, the value of your global variables are lost, because the JavaScript context is re-inited. If you want to be able to access certain values across all of your pages, client-side cookies are one solution.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64613
86
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
And, if you are using a server-side system such as Servlets/JSP, you can store such values in a server-side session which is more secure than cookies.
 
greg buela
Ranch Hand
Posts: 71
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Bear,
How insecure are cookies? Do you mean somebody can intercept cookie data? Menu state isn't sensible information, but... session id is! And I guess the safest way to maintain session state is through a session id cookie, at least with a modern browser. Am I correct? What are the real risks?
 
Eric Pascarello
author
Rancher
Posts: 15385
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
How unsecure are cookies?
type this into the browser address bar
javascript:alert(document.cookie);

Eric
 
greg buela
Ranch Hand
Posts: 71
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
All right, but what are the implications of that? Aren't we protected from cross domain access to cookies? Is insecurity limited to physical access to the computer holding the cookies?
 
Eric Pascarello
author
Rancher
Posts: 15385
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Yes unless you have a XSS hole in your site or if the person using your site wants to screw with you.

Eric
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic