5

The Request.Browser.Cookies property (of type bool) attribute stores information whether client's browser supports cookies and whether or not they are enabled.

How reliable is the property Request.Browser.Cookies? Is it guaranteed to be correct ? Or should I rather implement redirection technique suggested by Software Monkey in this question?

Please note: This in not a question "are cookies reliable" ? This is a question: "Is the information whether users browser accepts cookies reliable?"

Community
  • 1
  • 1
Rasto
  • 17,000
  • 40
  • 141
  • 232
  • 2
    Please define what reliability/guaranteed for what behaviour. – Richard Mar 11 '11 at 16:37
  • Is it always set correctly ? That is that information can be only obtained from the request. Only the browser can put it there. I'm asking if this information must be always set or there are some cases when the browser do not set it. For example because it does not support it or because user has configure their browser to not to send this information to server. – Rasto Mar 11 '11 at 16:49
  • Is it possible for you to set up some test cases with different browsers to get a "feeling" for if it works or not? In the meantime if it takes a long time to get an answer. – Phil Mar 11 '11 at 17:24
  • @Phil: that is good idea but I'm spending all the time here answering comments :) I'd need to install some text browsers as I have only major ones that probable supports it - that would take some time. Anyway I guess last Richards answer is good enough for me if nobody wants to add some more info. – Rasto Mar 11 '11 at 17:56
  • Sigh. I pulled the trigger and shot myself. –  Mar 11 '11 at 18:27
  • @Will: no problem it is also my fault - question was not clear at the beginning. – Rasto Mar 11 '11 at 19:06

2 Answers2

2

With the revised question, a new answer:

The documentation property HttpBrowserCapabilitiesBase.Cookies says:

This property does not indicate whether cookies are currently enabled in the browser, only whether the browser can support cookies.

It appears to be set based on detection of the user's browser and the browser capability database on the server. So it will reliably tell you if the browser is capable of storing cookies if and only if:

  1. The request's user agent string is correct.
  2. The browser is in the database and the database is correct for the browser.

Condition #1 would be broken if the user agent HTTP header was changed (eg. by developer tools or a proxy). Condition #2 would be broken if the browser is newer than the database, or there is a defect in the database.

tl;dr version: there is no guarantee, treat this information as "best effort". And of course the user could have disabled cookies (eg. "in private" browsing mode).

Original answer to a different question:

If you want to rely on the cookies you send in a response always coming back exactly the same, then the answer is: usually, but don't rely on this.

Possible reasons:

  • Non-HTTP only cookies can be modified by client side script (and that script could be injected locally).
  • A browser bug.
  • Using a non-browser to make request (eg. wget.exe) that doesn't handle cookies for the user.
  • A proxy that modifies the request or response.
  • Local clock on client system modified to cause cookie expiration.
  • User modifying the cookie store of the browser.
Richard
  • 100,436
  • 21
  • 189
  • 251
  • I don't think this is an answer to my question. I got the feeling that people don't understand what I'm asking but I don't know how to make it clearer... I have already edited the question. I don't care if the cookies itself are safe or not or whether they can be modified or if they are reliable. I'm asking if the information stored in `Request.Browser.Cookies` is reliable. That property should be `true` if users browser supports cookies and `false` otherwise. **It does not store cookies**. – Rasto Mar 11 '11 at 17:16
  • 1
    @drasto: Are you trying to ask "is the information in the ASP.NET browser capability database a guarantee of the ability of the client for an arbitrary request with respect to cookies"? – Richard Mar 11 '11 at 17:25
  • yes I think you got it. Please also read my other comments so I don't have to repeat myself. – Rasto Mar 11 '11 at 17:37
  • 1
    thank you it is perfect now. I'll probably accept it later. I'll just wait a little to give you a chance to collect some extra reputation for upvotes (people who votes don't read accepted questions too much). – Rasto Mar 11 '11 at 17:49
1

I understand people are not getting the gist of your question. But you seem to have doubts about the method's reliability. I mean, I could ask "is Request.QueryString reliable? will it return all the parameters in the request URL?" and the answer would be "yes", unless you have some information that contradicts that. So do you have information that Request.Browser.Cookies isn't reliable? As far as I know it is. Have you encountered a situation where it does not work correctly?

kprobst
  • 14,949
  • 5
  • 29
  • 52
  • Haha yeah, I 2nd that. You generally want to avoid using cookies. It's old technology. – Brian McCarthy Mar 11 '11 at 17:34
  • As I already suggested in another comment - information about browser capabilities are gotten from the browsers themselves. Therefore it depends on browsers whether they send information about cookies being disabled or not. I can have a browser that ignores cookies but still send an information that they are enabled. If there is such browser that is widely used then the answer to my question is "no it's not reliable" otherwise the answer is "yes, it is reliable, you don't need to double check it using redirecion technique" – Rasto Mar 11 '11 at 17:35
  • 1
    I would say that there are tons of different browsers out there (beyond the 'big four') that either don't support cookies or report their support incorrectly. I don't know whether or not the browsercap definitions in the framework cover all of these, so I guess you're safer if you do a secondary check. – kprobst Mar 11 '11 at 17:40
  • @Brian McCarthy: I should avoid using cookies ? Cookies are old technology ? So what should I use instead of them in your opinion ? – Rasto Mar 11 '11 at 17:41
  • @kprobst: add your last comment: if you formulated that as an answer and if you were sure that browsercap definitions in the framework does not cover (or that it does) all of these that would be accepted answer. – Rasto Mar 11 '11 at 17:46
  • 2
    @drasto I'm pretty sure the browsercaps do NOT cover all possible browser versions and combinations, which is why your secondary check is a good idea. Like Richard said, this method you're asking about is a "best effort" and never 100% foolproof. Generally I just try to set a cookie and watch what happens :) – kprobst Mar 11 '11 at 17:50