Apache Server configuration support - Can you set a cookie from a CGI executed by an SSI virtual include?

Author

Can you set a cookie from a CGI executed by an SSI virtual include?

garey

2006-11-28, 7:28 pm

The subject says it all. I'm using a CGI to generate a snippet of HTML
and pasting it into the page via a  tag. I would like to set a cookie from the CGI that I can later
inspect, but I am having no luck. So I wonder, is it even possible?

shimmyshack

2006-11-29, 7:31 am

as a cookie is set on the browser side, the instruction to do so being
just a response header, you must make sure that the header is sent
first before any response body output, along with the other response
headers.
The CGI script would therefore create that header in the proper place
if it were returning the whole page, but you are including it, which
means that unless you delay output of the response body that comes from
the html page that is including the cgi, and set the header before the
first byte of the response body is sent you cannot use this method.
You can do this in Aapche 2 but it might not be the right way to go for
other reasons. You can also set cookie headers without the need for the
CGI, but this might not be what you are lookng for.

you will have to adapt this but here is a way to detect what cookie the
client is sending you, and set a header based on its value (whereas you
might want to detect say a variable in the query string and set a
header _which will be a set cookie header_ )

SetEnvIf Cookie "language=(.+)" prefer-language=$1 Header append Vary
cookie

or another example:

SetEnvIf User-Agent cookiemonster$ cookiemonster_on
Header add Cookie "I like cookies" env=cookiemonster_on

i woke up in a funny mood this morning

R Krause

2006-11-29, 1:19 pm

garey wrote:
> The subject says it all. I'm using a CGI to generate a snippet of HTML
> and pasting it into the page via a  tag. I would like to set a cookie from the CGI that I can later
> inspect, but I am having no luck. So I wonder, is it even possible?

Two other alternatives worth considering if only as a last resort:

1) Have the CGI script insert a <SCRIPT SRC=""> block into the output
stream. The SRC attribute should point to a CGI script on your domain
that sets your cookie and returns a blank page (i.e. no script). You
can dynamically generate a query string to pass to the CGI script that
will aid in generating the cookie. For example:

<SCRIPT SRC="setcookie.cgi?userid=e42d10fd20b42faa9e1"></SCRIPT>

By convention, the browser always loads and processes a SCRIPT block
before presenting the final page to the user. Therefore it is
guaranteed to run the your cookie-setting script unless scripting is
unavailable (in which case, most likely cookies will be too). In that
case insert a <NOSCRIPT> block to inform the user that scripting must
be re-enabled.

2) Use Javascript itself to create the cookie by modifying the
document.cookie property directly. It works similar to above but
instead of a SRC attribute, the cookie setting code will be inserted
directly into the SCRIPT block. There's plenty of examples of how to do
this online.

--Randall

shimmyshack

2006-11-29, 1:19 pm

yeah sure thats an idea, you could use an img tag as well which would
work if scripting was disabled, however as already sai, this is a bit
of a cludge and is a last resort, and images might not even be
requested predictably.

gmills

2006-11-29, 1:19 pm

Randall -

Sounds like a great idea. Thanks for the help.

Garey

R Krause wrote:
> garey wrote:
>
> Two other alternatives worth considering if only as a last resort:
>
> 1) Have the CGI script insert a <SCRIPT SRC=""> block into the output
> stream. The SRC attribute should point to a CGI script on your domain
> that sets your cookie and returns a blank page (i.e. no script). You
> can dynamically generate a query string to pass to the CGI script that
> will aid in generating the cookie. For example:
>
> <SCRIPT SRC="setcookie.cgi?userid=e42d10fd20b42faa9e1"></SCRIPT>
>
> By convention, the browser always loads and processes a SCRIPT block
> before presenting the final page to the user. Therefore it is
> guaranteed to run the your cookie-setting script unless scripting is
> unavailable (in which case, most likely cookies will be too). In that
> case insert a <NOSCRIPT> block to inform the user that scripting must
> be re-enabled.
>
> 2) Use Javascript itself to create the cookie by modifying the
> document.cookie property directly. It works similar to above but
> instead of a SRC attribute, the cookie setting code will be inserted
> directly into the SCRIPT block. There's plenty of examples of how to do
> this online.
>
> --Randall

gmills

2006-11-29, 1:19 pm

Thanks for the info. It's what I suspected.

Garey

shimmyshack wrote:
> as a cookie is set on the browser side, the instruction to do so being
> just a response header, you must make sure that the header is sent
> first before any response body output, along with the other response
> headers.
> The CGI script would therefore create that header in the proper place
> if it were returning the whole page, but you are including it, which
> means that unless you delay output of the response body that comes from
> the html page that is including the cgi, and set the header before the
> first byte of the response body is sent you cannot use this method.
> You can do this in Aapche 2 but it might not be the right way to go for
> other reasons. You can also set cookie headers without the need for the
> CGI, but this might not be what you are lookng for.
>
> you will have to adapt this but here is a way to detect what cookie the
> client is sending you, and set a header based on its value (whereas you
> might want to detect say a variable in the query string and set a
> header _which will be a set cookie header_ )
>
> SetEnvIf Cookie "language=(.+)" prefer-language=$1 Header append Vary
> cookie
>
> or another example:
>
> SetEnvIf User-Agent cookiemonster$ cookiemonster_on
> Header add Cookie "I like cookies" env=cookiemonster_on
>
> i woke up in a funny mood this morning