1st party cookie treated as 3rd party cookie by ZoneAlarm

1 view
Skip to first unread message

PvG

unread,
Jun 16, 2003, 5:45:28 AM6/16/03
to
Hello everybody,

I made a website which opens a pop-up window when it is loaded. Inside
this window visitors find information about news on the website.
Of course I only want this window to open once only, otherwise it will
be quite annoying to the visitors if it opens each time they go to the
index.html.

I searched the web and found scripts that can handle this problem,
like this one: http://javascript.internet.com/cookies/only-popup-once.html

Under normal circumstances this works fine. But on my PC, for example,
I have set up a Firewall (ZoneAlarm) which is configured to block
third-party cookies. All other cookies are allowed, I checked that.

When I browse to my website now, the cookie script does not work as it
should, because for some reason ZoneAlarm treats it as a third party
cookie, but it is not. Somehow I cannot figure out why it does that.
I tried to disable the third-party cookie block in ZoneAlarm and then
it works just fine.

What can I do to make it clear to ZoneAlarm that this is NOT a
third-party but a first-party cookie.

Every hint is welcome.

Thanks,
Philipp

PvG

unread,
Jun 17, 2003, 5:27:28 PM6/17/03
to
P...@gmx.net (PvG) wrote in message news:<41ebaba2.0306...@posting.google.com>...

Hi!

Nobody!?

Today I saw that ZoneAlarm replaces the command "document.cookie" with
"document.ignore".
But still I don't get why, since I the script is running on the
homepage of my domain...

Thanks,
Philipp

Grant Wagner

unread,
Jun 18, 2003, 10:57:44 AM6/18/03
to
PvG wrote:

<url: http://www.pcworld.com/news/article/0,aid,65344,00.asp />

"Zone Labs is tackling Internet irritations with a scheduled November update to its ZoneAlarm
Pro firewall and computer security program, which the company says will block online ads,
including pop-up and -down ads, and will prevent Web sites from planting cookies on your
computer."


For some reason, cookies have been been designated as a "way of stealing personal information"
and are not understood by the vast majority of people, including many in Information
Technology. As a result, many people and companies block cookies completely. Zone Alarm has
obviously taken this approach. I'm sure the "feature" can be disabled in your copy of Zone
Alarm, but the fact remains that a large percentage of the people visiting a public Internet
web site will have cookies disabled completely.

You have two choices:

1) Detect that cookies are disabled and insist the user enable them to access your site.
Normally this would probably be a bad thing, but many online banking and e-commerce sites take
this approach. If you take this approach, I would suggest you provide the user with a document
outlining precisely what you are using cookies for and describe how cookies work in order to
maximize the buy-in to enabling them for your site.

2) Don't rely on cookies being enabled in order to use your site.

Please note that almost all browsers have a way of blocking all cookies, but allow users to
specify a list of sites which can place cookies on their computer, but as with the
misinformation regarding cookies, many people are unaware of this functionality and will simply
go elsewhere when presented with a site that won't work without enabling cookies.

--
| Grant Wagner <gwa...@agricoreunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
* http://devedge.netscape.com/library/manuals/2000/javascript/1.3/reference/frames.html
* Internet Explorer DOM Reference available at:
* http://msdn.microsoft.com/workshop/author/dhtml/reference/dhtml_reference_entry.asp
* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 6/7 and Mozilla
* http://www.mozilla.org/docs/web-developer/upgrade_2.html


Richard L. Trethewey

unread,
Jun 18, 2003, 12:08:31 PM6/18/03
to
>
>
> Hi!
>
> Nobody!?
>
> Today I saw that ZoneAlarm replaces the command "document.cookie" with
> "document.ignore".
> But still I don't get why, since I the script is running on the
> homepage of my domain...
>
> Thanks,
> Philipp

The following is not very likely to be the cause of your problem, but just in
case it is...

If you are setting the cookie from within the pop-up window, and the pop-up
window is created with something like: window.open("","",chromaStuff) - that is,
no content document URL is specified, you can have problems with how the browser
sets the location value for the window/document - like in setting a cookie,
because there is no clearly-defined base URL for such a window. MSIE usually
offers up the parent window's URL. Netscape sends nothing, an empty string.
The solution is to either feed the window.open() function the URL for a document
residing in your site, or set the cookie from JavaScript within the parent
document. Good luck!

Richard L. Trethewey


PvG

unread,
Jun 20, 2003, 11:14:26 AM6/20/03
to
Grant Wagner <gwa...@agricoreunited.com> wrote in message news:<3EF07C30...@agricoreunited.com>...

Grant,

thanks for your comments. You are right to say that I cannot totally
rely on cookies and there is always a way for the user to block them.

What irritates me is that my firewall is configured to block
third-party cookies only. And to my knowledge, a third-party cookie is
one that is set by a different domain than the one that is sending the
main page. For example an advertisement banner that is supplied by
another company.

But the javascript for my cookie is in the head of the index.html of
my domain.

Another point is, that other websites can set cookies and write them
to my harddisk, like Ebay, for example.

That's why i think I might have a wrong way of thinking here or maybe
I miss out something that makes ZoneAlarm consider my cookie as a
third-party one.

Thanks,
Philipp

PvG

unread,
Jun 20, 2003, 11:18:44 AM6/20/03
to
"Richard L. Trethewey" <rtret...@aol.com> wrote in message news:<3EF08E37...@aol.com>...

Richard,

thanks for the hint, a good idea. Unfortunately this is not the cause
of my problem. The cookie is set by the main window, not by the
pop-up.

The code that I use is located in the head of my index.html

I found it at the loacation that I posted in my original message.

Just in case the code itself is the problem, here it is:

--------------------

var expDays = 1;

function GetCookie (name) {
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i, j) == arg)
return getCookieVal (j);
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}

function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}

function DeleteCookie (name) {
var exp = new Date();
exp.setTime (exp.getTime() - 1);
var cval = GetCookie (name);
document.cookie = name + "=" + cval + "; expires=" +
exp.toGMTString();
}
var exp = new Date();
exp.setTime(exp.getTime() + (expDays*24*60*60*1000));
function amt(){
var count = GetCookie('UFKB_GmbH_Counter')
if(count == null) {
SetCookie('UFKB_GmbH_Counter','1')
return 1
}
else {
var newcount = parseInt(count) + 1;
DeleteCookie('UFKB_GmbH_Counter')
SetCookie('UFKB_GmbH_Counter',newcount,exp)
return count
}
}

function getCookieVal(offset) {
var endstr = document.cookie.indexOf (";", offset);
if (endstr == -1)
endstr = document.cookie.length;
return unescape(document.cookie.substring(offset, endstr));
}

function checkCount() {
var count = GetCookie('UFKB_GmbH_Counter');
if (count == null) {
count=1;
SetCookie('UFKB_GmbH_Counter', count, exp);

window.open("news.html","UFKB_GmbH_News","location=no,menubar=no,status=no,scrollbars=no,resizable=no,top=100,left=100,width=480,height=320");

}
else {
count++;
SetCookie('UFKB_GmbH_Counter', count, exp);
}
}

---------------------

OnLoad of the page the function checkCount() is called.

Thanks,
Philipp van Gemmern

Richard Cornford

unread,
Jun 22, 2003, 7:16:55 PM6/22/03
to
"PvG" <P...@gmx.net> wrote in message
news:41ebaba2.03062...@posting.google.com...
<snip>

> But the javascript for my cookie is in the head of
> the index.html of my domain.

> Another point is, that other websites can set cookies and write them
> to my harddisk, like Ebay, for example.

> That's why i think I might have a wrong way of thinking here or maybe
> I miss out something that makes ZoneAlarm consider my cookie as a
> third-party one.

ZoneAlarm is capable of inserting text into, and re-writing, incoming
HTML pages. It might be that it is preventing client side cookies by
re-writing any occurrences of the identifier 'cookie' that it find
within script sections or pages. That would leave server created HTTP
cookies unaffected (Ebay) and eliminate all client-side JavaScript
cookies.

You could check that possibility by viewing the HTML source in the
browser or examining the browser cache versions of the page to see if,
and how, they differ from the pages sent from your server.

Richard.


PvG

unread,
Jun 24, 2003, 8:06:18 AM6/24/03
to
"Richard Cornford" <Ric...@litotes.demon.co.uk> wrote in message news:<bd5dd9$9si$1$8302...@news.demon.co.uk>...

Yes, you are right. To confirm this, I only have to check the HTML by
right-clicking and saying "view source". ZoneAlarm overwrites the
document.cookie property with document.ignore

I managed to solve my problem now by doing this: The problem occured
when I tried to set the cookie with JavaScript from the index.html
What I did now is, I changed the the popup from xyz.html to xyz.php,
then set the cookie from the popup window using PHP. With my
index.html I still can use JavaScript to read the cookie. Means, I can
check with JavaScript from index.html if the cookie exists and then I
do not open the popup. :)

Thanks,
Philipp

Spamless

unread,
Jun 24, 2003, 7:17:52 PM6/24/03
to
In article <41ebaba2.03062...@posting.google.com>, PvG wrote:

> I managed to solve my problem now by doing this: The problem occured
> when I tried to set the cookie with JavaScript from the index.html
> What I did now is, I changed the the popup from xyz.html to xyz.php,
> then set the cookie from the popup window using PHP. With my
> index.html I still can use JavaScript to read the cookie. Means, I can
> check with JavaScript from index.html if the cookie exists and then I
> do not open the popup. :)

You could use a trick. Encrypt stuff on the page so that ZoneAlarm
doesn't see the "document.cookie"

You can escape the code and simply use

eval(unescape([the escaped code]))

Some sites may do this to sneak code past filters.

Reply all
Reply to author
Forward
0 new messages