The page referenced from section 4.4 of the FAQ describes a generally sound strategy for using cookies but suffers from an additional issue relating to "privacy" filters employed by content inserting/re-writing proxies.
The problem is that some of these filters identify the character sequence "cookie" within Javascript source code and replace it with an alternative string. A c.l.j. thread describing an occurrence of this problem had "cookie" replaced by "ignore" by ZoneAlarm, and Proximatron has a similar filter available (but not active) by default.
The effect of changing occurrences of document.cookie
into document.ignore within source code is that attempts
to write to the property just result in a new string property being
assigned to the document object, but no cookie is created. And reading
from the property returns the same string, or an undefined value
if nothing has yet been written to the property.
The problem with the irt.org code is that the Get_Cookie
and Set_Cookie functions are
not written with a consideration that document.cookie may
not refer to a string.
Get_Cookie will error if "cookie" has been replaced with
"ignore" because it treats the document.cookie
value as if it was a string. But changing that one function so that it
does not attempt to read document.cookie if the value is
not a string may prevent the error but would still undermine that strategy used.
However, the problem can be completely avoided by wrapping the content
of the Get_Cookie and Set_Cookie functions
in typeof tests and only executing the rest of the
function if typeof returns "string".
function Get_Cookie(name) {
if(typeof document.cookie == "string"){
var start = document.cookie.indexOf(name+"=");
var len = start+name.length+1;
if ((!start)&&
(name != document.cookie.substring(0,name.length))){
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";",len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len,end));
}else{
/* document.cookie is not a string so return an
empty string. When tested this will type-convert to
boolean false (accurately) giving the impression that
client-side cookies are not available on this system:-
*/
return "";
}
}
function Set_Cookie(name,value,expires,path,domain,secure) {
if(typeof document.cookie == "string"){
document.cookie = name + "=" +escape(value) +
( (expires) ? ";expires=" + expires.toGMTString() : "") +
( (path) ? ";path=" + path : "") +
( (domain) ? ";domain=" + domain : "") +
( (secure) ? ";secure" : "");
}//else document.cookie is not a string so do not write to it.
}
function Delete_Cookie(name,path,domain) {
if (Get_Cookie(name)) document.cookie = name + "=" +
( (path) ? ";path=" + path : "") +
( (domain) ? ";domain=" + domain : "") +
";expires=Thu, 01-Jan-70 00:00:01 GMT";
}
}
Cookie reading and writing is unlikely to be done sufficiently often that the extra overhead of the tests will impact on the performance of the resulting script.