section, need to be set. The final two parts, domain and secure, are for advanced use beyond the scope
of a beginners' book, but you'll look at them briefly just for completeness.
You're probably used to the idea of there being directories on your hard drive. Rather than storing
everything on your computer in one place on the hard drive, you divide it into these directories. For example,
you might keep your word-processing files in My Documents, your image files in My Images, and so on.
You probably also subdivide your directories, so under My Images you might have subdirectories called
My Family and My Holiday.
Well, web servers use the same principle. Rather than putting the whole web site into one web directory,
it's common and indeed sensible to divide it into various different directories. For example, if you visit
the Wrox web site at www.wrox.com and then click one of the topic categories, you'll find that the path
to the page navigated to is now www.wrox.com/Books/.
This is all very interesting, but why is it relevant to cookies?
The problem is that cookies are specific not only to a particular web domain, such as www.wrox.com,
but also to a particular path on that domain. For example, if a page in www.wrox.com/Books/ sets a
cookie, then only pages in that directory or its subdirectories will be able to read and change the cookie.
If a page in www.wrox.com/academic/ tried to read the cookie, it would fail. Why are cookies restricted
like this?
Take the common example of free web space. A lot of companies on the Web enable you to sign up for
free web space. Usually everyone who signs up for this web space has a site at the same domain. For
example, Bob's web site might be at www.freespace.com/members/bob/. Belinda might have hers at
www.freespace.com/members/belinda. If cookies could be retrieved and changed regardless of the
path, then any cookies set on Bob's web site could be viewed by Belinda and vice versa. This is clearly
something neither of them would be happy about. Not only is there a security problem, but if, unknown
to each other, they both have a cookie named MyHotCookie, there would be problems with each of
them setting and retrieving the same cookie. When you think how many users a free web space
provider often has, you can see that there is potential for chaos.
Okay, so now you know that cookies are specific to a certain path, but what if you want to view
your cookies from two different paths on your server? Say, for example, you have an online store at
www.mywebsite.com/mystore/ but you subdivide the store into subdirectories, such as /Books and
/Games. Now let's imagine that your checkout is in the directory www.mywebsite.com/mystore/Checkout.
Any cookies set in the /Books and /Games directories won't be visible to each other or pages
in the /Checkout directory. To get around this you can either set cookies only in the /mystore directory,
since these can be read by that directory and any of its subdirectories, or you can use the path part of
the cookie string to specify that the path of the cookie is /mystore even if it's being set in the /Games
or /Books or /Checkout subdirectories.
For example, you could do this like so:
document.cookie = "UserName=Paul;expires=Tue, 28 Dec 2020 00:00:00" +
    ";path=/mystore;";
Now, even if the cookie is set by a page in the directory /Books, it will still be accessible to files in the
/mystore directory and its subdirectories, such as /Checkout and /Games.
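The path rule described above can be modelled directly. The following is an added example, not code from the book: it implements the default-path and path-match rules of RFC 6265 and applies them to the /mystore layout. The page file names and the /mystore2 directory are constructed for illustration.

```javascript
// Added example: cookie path scoping per RFC 6265 (sections 5.1.4 and 5.4).
// The page file names below are constructed for illustration.

// Default path a browser assigns when the cookie string has no path part:
// the directory portion of the URL path of the page that set the cookie.
function defaultPath(urlPath) {
  if (!urlPath || urlPath[0] !== "/") return "/";
  const lastSlash = urlPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : urlPath.slice(0, lastSlash);
}

// True when a cookie scoped to cookiePath is sent with a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // Prefix must end on a directory boundary, so /mystore does not match /mystore2.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Which of the given pages can see a cookie set by setterPage.
// explicitPath models the ";path=..." part of the cookie string, if any.
function visibleTo(setterPage, explicitPath, pages) {
  const cookiePath = explicitPath || defaultPath(setterPage);
  return pages.filter((p) => pathMatches(p, cookiePath));
}

const pages = [
  "/mystore/Books/list.htm",
  "/mystore/Games/list.htm",
  "/mystore/Checkout/pay.htm",
  "/mystore2/index.htm",
];

// No path part: the cookie stays in /mystore/Books.
console.log(visibleTo("/mystore/Books/list.htm", null, pages));
// With path=/mystore: every store page sees it, /mystore2 does not.
console.log(visibleTo("/mystore/Books/list.htm", "/mystore", pages));
```

The path part controls where the browser sends and exposes a cookie by default, but RFC 6265 (section 8.5) states that cookies do not provide isolation by path, so the path should be treated as an organizing aid rather than a security boundary between sites that share a host name.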