given as three-letter abbreviations. The rest are numeric, padded with initial zeros if
necessary. In the pattern language used by java.text.SimpleDateFormat, this is
E, dd-MMM-yyyy H:m:s z. For instance, this cookie expires at 3:23 P.M. on December 21,
2015:
Set-Cookie: user=elharo; expires=Wed, 21-Dec-2015 15:23:00 GMT
The browser should remove this cookie from its cache after that date has passed.
The Max-Age attribute sets the cookie to expire after a certain number of seconds
have passed, instead of at a specific moment. For instance, this cookie expires one hour
(3,600 seconds) after it's first set:
Set-Cookie: user="elharo"; Max-Age=3600
The browser should delete this cookie after this amount of time has elapsed.
Because cookies can contain sensitive information such as passwords and session keys,
some cookie transactions should be secure. Most of the time this means using HTTPS
instead of HTTP; but whatever it means, each cookie can have a secure attribute with
no value, like so:
Set-Cookie: key=etrogl7*;Domain=.foo.example.com; secure
Browsers are supposed to refuse to send such cookies over insecure channels.
For additional security against cookie-stealing attacks like XSRF, cookies can set the
HttpOnly attribute. This tells the browser to return the cookie only in HTTP and
HTTPS requests, and specifically not to expose it to JavaScript:
Set-Cookie: key=etrogl7*;Domain=.foo.example.com; secure; httponly
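As an added example (not code from the book), here is a small client-side policy in Java that parses the three Set-Cookie lines above with the SimpleDateFormat pattern given earlier and decides whether each cookie may still be sent on a given request. The CookiePolicy class and its method names are this example's own; it assumes the RFC 6265 rule that Max-Age takes precedence over expires, and it leaves out Domain/Path matching.

```java
import java.text.*;
import java.util.*;

public class CookiePolicy {
    static final String EXPIRES_PATTERN = "E, dd-MMM-yyyy H:m:s z";  // pattern from the text
    // One parsed Set-Cookie line; attribute keys are lower-cased, bare flags map to "".
    static final class Cookie {
        String name, value;
        Map<String, String> attrs = new HashMap<>();
        boolean isSecure()   { return attrs.containsKey("secure"); }
        boolean isHttpOnly() { return attrs.containsKey("httponly"); }
    }
    static Cookie parse(String header) {
        String[] parts = header.replaceFirst("(?i)^set-cookie:\\s*", "").split(";");
        Cookie c = new Cookie();
        String[] nv = parts[0].split("=", 2);
        c.name = nv[0].trim();
        c.value = nv.length > 1 ? nv[1].trim().replaceAll("^\"|\"$", "") : "";  // drop optional quotes
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (!kv[0].isEmpty()) c.attrs.put(kv[0].toLowerCase(Locale.ROOT), kv.length > 1 ? kv[1].trim() : "");
        }
        return c;
    }
    // Absolute expiry, or null for a session cookie. Max-Age wins over expires when both appear (RFC 6265).
    static Date expiryOf(Cookie c, Date received) throws ParseException {
        if (c.attrs.containsKey("max-age")) return new Date(received.getTime() + Long.parseLong(c.attrs.get("max-age")) * 1000L);
        if (!c.attrs.containsKey("expires")) return null;
        SimpleDateFormat df = new SimpleDateFormat(EXPIRES_PATTERN, Locale.US);
        df.setTimeZone(TimeZone.getTimeZone("GMT"));
        return df.parse(c.attrs.get("expires"));
    }
    // Browser-style send decision: expired cookies are dropped, secure cookies never go over plain HTTP.
    static boolean shouldSend(Cookie c, Date received, Date now, boolean overHttps) throws ParseException {
        Date exp = expiryOf(c, received);
        if (exp != null && !now.before(exp)) return false;
        return overHttps || !c.isSecure();
    }
    public static void main(String[] args) throws ParseException {
        Date received = new Date(), later = new Date(received.getTime() + 2 * 3600_000L);
        String[] headers = {  // the three Set-Cookie lines discussed in the text
            "Set-Cookie: user=elharo; expires=Wed, 21-Dec-2015 15:23:00 GMT",
            "Set-Cookie: user=\"elharo\"; Max-Age=3600",
            "Set-Cookie: key=etrogl7*;Domain=.foo.example.com; secure; httponly" };
        for (String h : headers) {
            Cookie c = parse(h);
            System.out.printf("%s expires=%s secure=%b httpOnly=%b sendHttpNow=%b sendHttpsIn2h=%b%n", c.name,
                expiryOf(c, received), c.isSecure(), c.isHttpOnly(), shouldSend(c, received, received, false), shouldSend(c, received, later, true));
        }
    }
}
```

Run today, the 2015 cookie is never sent, the Max-Age cookie is sent now but not two hours later, and the secure cookie is refused over HTTP but allowed over HTTPS.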
That's how cookies work behind the scenes. Here's a complete set of cookies sent by
Amazon:
Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Fri, 03-May-2013 21:46:43 GMT
Set-Cookie: ubid-main=176-5578236-9590213; path=/; domain=.amazon.com; expires=Tue, 01-Jan-2036 08:00:01 GMT
Set-Cookie: session-token=Zg6afPNqbaMv2WmYFOv57zCU1O6KtrMMdskcmllbZcY4q6t0PrMywqO82PR6AgtfIJhtBABhomNUW2dITwuLfOZuhXILp7Toya+AvWaYJxpfY1lj4ci4cnJxiuUZTev1WV31p5bcwzRM1Cmn3QOCezNNqenhzZD8TZUnOL/9Ya; path=/; domain=.amazon.com; expires=Thu, 28-Apr-2033 21:46:43 GMT
Set-Cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue, 01-Jan-2036 08:00:01 GMT
Set-Cookie: session-id=187-4969589-3049309; path=/; domain=.amazon.com; expires=Tue, 01-Jan-2036 08:00:01 GMT
Amazon wants my browser to send these cookies with the request for any page in the
amazon.com domain, for the next 30-33 years. Of course, browsers are free to ignore
all these requests, and users can delete or block cookies at any time.