34

I want to store user-clicked data in a cookie which never has to go to the server. Its like a session-added data, which I want to persist over sessions, as in the data just keeps adding to the cookie, and it is stored for a long time, and only gets deleted when the user removes browsing history. The cookie is pure-client only cookie and it never has to go the server, as I don't need the user generated data at the server, so I want to get rid of the additional overhead the cookie creates in sending back and forth between browser and server. Is it possible to achieve this?

Siva Bathula
  • 746
  • 1
  • 8
  • 19
  • Can you show us the code for what you have tried? – Mark Schultheiss Jun 18 '12 at 12:17
  • 'localstorage' is ruled out, as i need to support older browsers, of all the major ones. Mark - I have achieved all the functionality, except for "pure client side only cookie". I am creating the cookie with the appropriate name - value pair, expiry date and the path using code which I found on quirksmode. I am able to control the cookie using javascript. Just that I am unable to achieve the "client only cookie" part. I hope you got my question? – Siva Bathula Jun 18 '12 at 13:20
  • Mark - I can provide the code, but its the mundane code block which everyone has used and suggested by many sites including quirksmode. I just need to achieve the "client only cookie - one which doesn't ever reach the server". – Siva Bathula Jun 18 '12 at 13:23

4 Answers4

14

I know it´s a little late for you, but this answer is for all who have the same problem.

  1. With HTML5 you can use web storage.

  2. (Just an idea! - not tested!) You could define a cookie (via javascript on client) and set the "secure"-attribute. In this case, the cookie will only be sent to the server on HTTPS connections. To make sure the cookie never leaves the browser, you just never open a HTTPS connection ;-)

EDIT

Now it´s 2022 and I would not recommend solution 2) anymore. Instead of setting the secure flag on the cookie, set the path to a path on the server which is never used.

Franz Deschler
  • 2,456
  • 5
  • 25
  • 39
  • 1
    I had the same idea with 2), but it doesn't work. You cannot access secure cookies from JS (at least not in FF). 1) works great! – PeterG Feb 25 '14 at 22:22
  • 1
    Oh right. I forgot the js access. I tried to find a solution also for browsers which don´t support the web storage yet. You could try to set a cookies path value to a path that doesn´t exist. So the cookie should never be sent. (not testet. pls try and answer the result) – Franz Deschler Feb 26 '14 at 09:41
  • 2
    Do not use `path=/notExistingPath` if you want your cookie to work on IE or Edge browsers – amanteaux Nov 29 '16 at 15:38
  • @amanteaux I've taken the liberty of removing the extra 'Update' part of the answer that you were referring to as not working in IE/Edge — in case people think the 11 upvotes refer to that part of the answer. Just tested latest Chrome and it doesn't work there either. Ma Jerez has another answer solely dedicated to the approach, so it can be further debated there. – EoghanM Jun 02 '20 at 13:30
9

If browser compatibility is a concern you can use a some javascript to wrap around various different technologies. Older versions of IE support (supprise supprise) a proprietary version of localstorage called userData (I don't think it's exactly the same, but should do what you need).

A wrapper script like https://github.com/andris9/jStorage or https://github.com/marcuswestin/store.js should do what you need it to do.

ste
  • 818
  • 2
  • 9
  • 16
Dan Smith
  • 5,685
  • 32
  • 33
  • Thanks a lot @Bulk, I will give this a shot. But personally I would prefer a browser independent cookie solution, in that case my failure cases would be knocked down to two - browser enforced size limit on the cookie and disabled cookies on the browser(the user data/ local storage can also be similarly disabled and guess this failure case can be excluded). – Siva Bathula Jun 18 '12 at 19:18
  • 1
    I can't say for certain by I'm 99% sure there is no "cookie" based solution to this but feel free to keep looking :) – Dan Smith Jun 19 '12 at 08:57
4

I'm 100% sure that there is no way to force cookies to be client-side only, they are allways sent to server. There is however possible to do the opposite: server-side only cookies (not readable by javascript) by setting HttpOnly flag on cookie.

jzkpk
  • 41
  • 1
1

Use an impossible path to set the cookie:

document.cookie = "cookieName=...; expires=... ; path=/never_reached/ablkappmqlnahsuia";
Ma Jerez
  • 4,887
  • 3
  • 23
  • 21
  • @amanteaux has a comment on another answer which suggests that this method will not work in IE or Edge; presumably because the cookie will also not be readable from javascript. – EoghanM Jun 02 '20 at 13:20
  • Actually just checked in Chromium, and setting the path with a non existent path will prevent the cookie being set. Maybe this was a hack that no longer works? – EoghanM Jun 02 '20 at 13:25