Cookies
Many websites use small strings of text known as cookies to store persistent client-side
state between connections. Cookies are passed from server to client and back again in
the HTTP headers of requests and responses. Cookies can be used by a server to indicate
session IDs, shopping cart contents, login credentials, user preferences, and more. For
instance, a cookie set by an online bookstore might have the value
ISBN=0802099912&price=$34.95 to specify a book that I've put in my shopping cart.
However, more likely, the value is a meaningless string such as ATVPDKIKX0DER,
which identifies a particular record in a database of some kind where the real information
is kept. Usually the cookie values do not contain the data but merely point to it on
the server.
Cookies are limited to nonwhitespace ASCII text, and may not contain commas or
semicolons.
To set a cookie in a browser, the server includes a Set-Cookie header line in the HTTP
header. For example, this HTTP header sets the cookie “cart” to the value
“ATVPDKIKX0DER”:
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: cart=ATVPDKIKX0DER
If a browser makes a second request to the same server, it will send the cookie back in
a Cookie line in the HTTP request header like so:
GET /index.html HTTP/1.1
Host: www.example.org
Cookie: cart=ATVPDKIKX0DER
Accept: text/html
As long as the server doesn't reuse cookies, this enables it to track individual users and
sessions across multiple, otherwise stateless, HTTP connections.
Servers can set more than one cookie. For example, a request I just made to Amazon
fed my browser five cookies:
Set-Cookie:skin=noskin
Set-Cookie:ubid-main=176-5578236-9590213
Set-Cookie:session-token=Zg6afPNqbaMv2WmYFOv57zCU1O6Ktr
Set-Cookie:session-id-time=2082787201l
Set-Cookie:session-id=187-4969589-3049309
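The exchange described above, as an added Java example (not code from the original text): a server-side helper enforces the character rule before emitting Set-Cookie, and a client-side helper parses Set-Cookie lines with java.net.HttpCookie and builds the Cookie request line. The class and method names are hypothetical; rejecting all control characters and joining several cookies with "; " are assumptions that go slightly beyond what the text states.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.List;
// Added example; class and method names are hypothetical.
public class CookieRoundTrip {
    // Rule from the text: non-whitespace ASCII, no commas or semicolons. All control
    // characters are rejected too (assumption), so a value cannot break its header line.
    static boolean isLegalValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c <= 0x20 || c >= 0x7F || c == ',' || c == ';') return false;
        }
        return true;
    }

    // Server side: refuse to emit a header for a name or value that breaks the rule.
    static String setCookieLine(String name, String value) {
        if (name.isEmpty() || name.contains("=") || !isLegalValue(name) || !isLegalValue(value)) {
            throw new IllegalArgumentException("illegal cookie: " + name);
        }
        return "Set-Cookie: " + name + "=" + value;
    }

    // Client side: parse each Set-Cookie line and build the single Cookie request line.
    static String cookieLine(List<String> setCookieLines) {
        List<String> pairs = new ArrayList<>();
        for (String line : setCookieLines) {
            for (HttpCookie c : HttpCookie.parse(line)) {
                pairs.add(c.getName() + "=" + c.getValue());
            }
        }
        return "Cookie: " + String.join("; ", pairs);
    }

    public static void main(String[] args) {
        String header = setCookieLine("cart", "ATVPDKIKX0DER"); // the "cart" exchange from the text
        System.out.println(header + " -> " + cookieLine(List.of(header)));
        // The five Set-Cookie lines quoted in the text
        System.out.println(cookieLine(List.of(
            "Set-Cookie:skin=noskin",
            "Set-Cookie:ubid-main=176-5578236-9590213",
            "Set-Cookie:session-token=Zg6afPNqbaMv2WmYFOv57zCU1O6Ktr",
            "Set-Cookie:session-id-time=2082787201l",
            "Set-Cookie:session-id=187-4969589-3049309")));
        for (String bad : new String[] {"two words", "a,b", "a;b"}) { // constructed values
            System.out.println(bad + " legal? " + isLegalValue(bad));
        }
    }
}
```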
In addition to a simple name=value pair, cookies can have several attributes that control
their scope including expiration date, path, domain, port, version, and security options.
For example, by default, a cookie applies to the server it came from. If a cookie is originally
set by www.foo.example.com, the browser will only send the cookie back to
www.foo.example.com. However, a site can also indicate that a cookie applies within an