Problem with "fetch" and JavaScript-based cookie test

Hi,

there is an issue with a fetch request. Sometimes it works, sometimes it doesn’t. I can’t identify a clear pattern for when it fails. On mobile devices it fails more often than on laptops.

I suspect this is related to InfinityFree’s JavaScript-based cookie test. When the request fails, the fetch call receives the following response instead of the expected output.

Error Message

<html>
    <body>
        <script type="text/javascript" src="/aes.js"></script>
        <script>
            function toNumbers(d) {
                var e = [];
                d.replace(/(..)/g, function(d) {
                    e.push(parseInt(d, 16))
                });
                return e
            }
            function toHex() {
                for (var d = [], d = 1 == arguments.length && arguments[0].constructor == Array ? arguments[0] : arguments, e = "", f = 0; f < d.length; f++)
                    e += (16 > d[f] ? "0" : "") + d[f].toString(16);
                return e.toLowerCase()
            }
            var a = toNumbers("f655ba9d09a112d4968c63579db590b4")
              , b = toNumbers("98344c2eee86c3994890592585b49f80")
              , c = toNumbers("98c3862474363354a836bb90229f6bee");
            document.cookie = "__test=" + toHex(slowAES.decrypt(c, 2, a, b)) + "; max-age=21600; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";
            location.href = "https://share.leanderbrunar.net/tracking/track.php?download=1&album=testalbum%20%E2%80%93%20test&i=1";
        </script>
        <noscript>
            This site requires JavaScript to work, please enable JavaScript in your browser or use a browser with JavaScript support.
        </noscript>
    </body>
</html>

Other Information

Here is the code of the fetch request I am triggering:

    // download-tracking
    // h1 and h2 are page variables defined elsewhere (not shown in this post)
    document.querySelectorAll(".download-button").forEach(button => {
        button.addEventListener("click", function () {
            // same-origin GET to the tracking endpoint; only errors are logged
            fetch(`tracking/track.php?download=1&album=${encodeURIComponent(h1 + " – " + h2)}`)
                .catch(error => console.error('Tracking-Fehler:', error));
        });
    });

The problem occurs only with this specific fetch request; every other fetch on the site works without issues.
Could you please help me understand what is causing this?

Thanks!

The payload you get is part of this security system:

In short, to access any website hosted with us, you first need to generate a cookie with JavaScript to prove you are really a browser, and then need to present that cookie to access the website. Once you’re in, you should be good.

However, to prevent people from copying a cookie once and using it forever, the cookie parameters get rotated regularly, forcing all visitors to generate a new cookie.

This works fine if the time on the page is not that long, and you’re regularly visiting a new page. However, if you’re spending a long time on a page (or are just unlucky with the timing), then the fetch calls may fail because the cookie is no longer valid.

Unfortunately, there is not a lot you can do to really fix this. All I can recommend is to check whether your fetch call received that response, and if it did, just refresh the current page to get a fresh cookie.

6 Likes
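The check the reply above recommends, written out as an added example (it is not code from the original thread and not InfinityFree's own code). It assumes that the challenge page always looks like the HTML pasted in the first post, that is, it loads `/aes.js` and sets a `__test=` cookie, and it uses those two strings as markers. The names `isCookieChallenge`, `trackedFetch`, `makeFakeFetch` and `onChallenge` are the example's own, and the sample bodies are constructed for the demo:

```javascript
// Markers copied from the challenge HTML shown in the thread.
// Assumption: every challenge page contains all of them.
const CHALLENGE_MARKERS = ["/aes.js", "document.cookie", "__test="];

// Returns true when a fetch response body is the JavaScript cookie test
// page rather than the endpoint's real output. Only HTML responses are
// considered, so a JSON or plain-text reply can never be misclassified.
function isCookieChallenge(contentType, bodyText) {
  if (!/text\/html/i.test(contentType || "")) return false;
  return CHALLENGE_MARKERS.every((marker) => bodyText.includes(marker));
}

// Wraps fetch: performs the same-origin request, reads the body, and
// reports whether the security system answered instead of the endpoint.
// onChallenge is called once so the caller can decide how to recover
// (in a browser: refreshing the page to obtain a fresh cookie).
async function trackedFetch(url, { fetchImpl = globalThis.fetch, onChallenge } = {}) {
  const response = await fetchImpl(url, { credentials: "same-origin" });
  const body = await response.text();
  const contentType = response.headers.get("content-type");
  if (isCookieChallenge(contentType, body)) {
    if (onChallenge) onChallenge(url);
    return { ok: false, challenged: true, body };
  }
  return { ok: response.ok, challenged: false, body };
}

// Constructed sample responses for offline testing (not real server output).
const SAMPLE_CHALLENGE_HTML =
  '<html><body><script type="text/javascript" src="/aes.js"></script>' +
  '<script>document.cookie = "__test=0123abcd; max-age=21600; path=/";' +
  'location.href = "https://example.invalid/tracking/track.php";</script>' +
  "</body></html>";
const SAMPLE_OK_BODY = "tracked";

// Minimal stand-in for fetch that returns one of the two sample responses,
// so the wrapper can be exercised without a network or a browser.
function makeFakeFetch(serveChallenge) {
  return async function fakeFetch() {
    const isChallenge = serveChallenge;
    return {
      ok: true,
      headers: { get: () => (isChallenge ? "text/html; charset=utf-8" : "text/plain") },
      text: async () => (isChallenge ? SAMPLE_CHALLENGE_HTML : SAMPLE_OK_BODY),
    };
  };
}

// Browser usage (the real fetch is used when fetchImpl is omitted):
//   trackedFetch("tracking/track.php?download=1&album=" + encodeURIComponent(name),
//                { onChallenge: () => location.reload() });
```

The content-type guard matters because the challenge is only ever an HTML page; a tracking endpoint that normally answers with JSON or an empty body can be told apart from it reliably, and a reload is triggered only when the markers actually appear.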

I’m actually not staying on the page for a long time at all. In some cases it happens almost immediately: I load the page and then trigger the fetch right away.

All other fetch requests on the same page work perfectly fine. Only this one specific fetch does not get through the security system and returns the JavaScript cookie challenge instead.

All requests are on the same domain, so there is no cross-domain or mixed-origin situation involved. That’s why I’m confused why only this single endpoint is affected while the others are not.

I only notice this problem with this particular fetch when using a mobile device.

Do you have any ad blockers or other browser settings or extensions that could interfere with the request? Given how the URL is very clearly a tracking URL, an anti-tracking extension could be stripping cookies from the request to protect your privacy. That would also cause the request to fail.

If this happens with only one URL on one type of device, I don’t think it’s a hosting problem.

6 Likes
