0

I currently have a need for a log in page. I want to be able to tell the user if the cookies are disabled to please enable them and then not show the form. Currently, I am just simply hiding the form container with a display:none in the css. But, I figure that the user could very easily just remove that class in google chrome dev tools and still send the request to the back end. It all has to be done on one page using SOAP requests.

Should I call a function that then builds that renders the HTML if it does indeed pass my cookie is detected requirements?

pcproff
  • 582
  • 1
  • 6
  • 25
  • possible duplicate of [this link](http://stackoverflow.com/questions/4603289/how-to-detect-that-javascript-and-or-cookies-are-disabled) – Sean Kwon Mar 09 '17 at 01:38
  • Well, sure, the user *could* un-hide the HTML element. The user could also make login requests without ever bothering to use that HTML element. The user could send any request the user wants. This isn't a bad thing. What exactly are you trying to prevent/fix? – David Mar 09 '17 at 01:39
  • Sean Kwon I know how to check for cookies and detect them I just would like some advice on which way would be the most efficient way to keep users away from the log in form. – pcproff Mar 09 '17 at 01:39
  • I am trying to prevent them from accessing and sending a POST request with the form if cookies are disabled. Not looking for code just looking to see what the web expert scenario would be. I just feel that hiding the element is easy to overcome. – pcproff Mar 09 '17 at 01:41
  • @pcproff: You can't. You can't prevent the user from sending a login request to your system. You *can* show/hide the form client-side and provide instructions client-side which tell them that they need to enable cookies. If they try to login anyway without cookies, just have that login fail. The user can *try* to do anything they want, but if you know they're doing something wrong then you just respond with an error. – David Mar 09 '17 at 01:44
  • @David well put. I am just trying to figure out how I can tell the backend that the user does not have cookies supported from client side to backend. The funny thing is logged into S.O after leaving work and my cookies were disabled and I didn't notice and it just kept refreshing the screen with no message but it kept letting me send log in attempts. – pcproff Mar 09 '17 at 01:46
  • @pcproff: Perhaps this begs the question... Why can't the user login without cookies? What actually changes on the backend? – David Mar 09 '17 at 01:49
  • @David the backend will send me some information via cookie set that I can test against. – pcproff Mar 09 '17 at 01:50
  • @pcproff: If they don't have that information, what then? That is, what if the user *does* have cookies enabled but then immediately clears cookies after logging in? Where I'm going with this is that I'm wondering if this really *is* a problem, or if the user is simply going to have to login again because they didn't follow the instructions in the first place (to enable cookies). – David Mar 09 '17 at 02:05
  • @David this is a good point and I am glad for your feedback. How is a scenario like this handled. – pcproff Mar 09 '17 at 02:37
  • 1
    @pcproff: In general one would perform UX functionality like that client-side, as you already do. If the user sending undesirable requests is somehow *hazardous* then the back end would need to guard against that. But if the only thing that would result from the user tinkering with the interface is that they get a less-than-ideal UX, well, let them. There's little reward in putting in more work and making the code more complex just to satisfy users who want to tinker anyway. – David Mar 09 '17 at 02:42
  • @David great point. Maybe, I was overthinking it this whole time. – pcproff Mar 09 '17 at 02:44

0 Answers0