Questions tagged [cookies]

An HTTP cookie is a small piece of data that a server asks the user's web browser to store and to send back on later requests. Unless restricted by attributes, cookies can be created, read, modified and deleted both by JavaScript (document.cookie) and by the server through HTTP headers.

Cookies are used to carry session state between otherwise stateless HTTP requests: authentication, the state of GUI controls, and personalization through user preferences. Because the browser attaches them to every matching request, they are also used to track a user's browsing across sites (third-party tracking cookies).

A server sets a cookie using the Set-Cookie HTTP header, one header per cookie:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on responses for images and similar embedded content, which makes them a powerful tracking tool. Once a cookie is set, the browser reports it back on every matching request in the Cookie header:

 Cookie: someName=someValue; someOtherName=someOtherValue

Cookies can be scoped to a domain and a path:

 Set-Cookie: name=value; Domain=www.foo.com; Path=/hereonly

Note that the Domain attribute widens scope rather than narrowing it: a cookie set without Domain is sent only to the exact host that set it, whereas Domain=www.foo.com makes it available to www.foo.com and every subdomain of it. Path is not a security boundary either: a page on another path of the same host can still read the cookie, for example by loading a page under /hereonly in an iframe and reading that frame's document.cookie.
They can also carry the Secure attribute (sent only over HTTPS, but still readable from JavaScript) and the HttpOnly attribute (sent over HTTP or HTTPS, but not exposed to JavaScript through document.cookie):

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is sent to morgan.com and all of its subdomains (current browsers ignore the leading dot in Domain), only over HTTPS, and is hidden from document.cookie. HttpOnly keeps the value out of reach of a cross-site scripting payload, but does not stop that payload from issuing requests that carry the cookie; current browsers also support a SameSite attribute that limits whether the cookie accompanies cross-site requests.

Cookie scope is determined by host name, (optionally) path and, only with the Secure attribute, the URL scheme (http: vs. https:). These rules are not the same as the same-origin policy that governs DOM access from JavaScript: the same-origin policy compares scheme, host and port, whereas cookies ignore the port and (without Secure) the scheme, and the Domain attribute can share one cookie across subdomains. Because both are based mostly on the host name, the two are often confused.
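The scoping rules above can be made concrete with a small cookie jar. The following is an added example written for this page, not code from the tag wiki or from any browser; the function names, the sample hosts and the sample Set-Cookie headers are constructed for illustration, and the expiry/matching logic follows RFC 6265 in simplified form (no SameSite, no public-suffix check).

```javascript
// Added example (not part of the tag wiki): a minimal cookie jar that applies
// the Set-Cookie attribute and scoping rules described above. Function names,
// sample hosts and sample headers are constructed for illustration.

// Domain match (RFC 6265 5.1.3): exact host, or a subdomain of `domain`.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Path match (RFC 6265 5.1.4): the cookie path must be a directory prefix.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Default path when Set-Cookie has no Path attribute: the request's directory.
function defaultPath(requestPath) {
  const slash = requestPath.lastIndexOf('/');
  return (!requestPath.startsWith('/') || slash === 0) ? '/' : requestPath.slice(0, slash);
}

// Parse one Set-Cookie header received in a response to `requestUrl`. Returns
// null when a browser would reject it (Domain does not cover the request host).
function parseSetCookie(header, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: host,
    hostOnly: true,            // no Domain attribute: exact host only
    path: defaultPath(u.pathname),
    secure: false,
    httpOnly: false,
    expires: null,             // null = session cookie
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain' && val) {
      // A leading dot is ignored; Domain widens scope to all subdomains.
      const domain = val.replace(/^\./, '').toLowerCase();
      if (!domainMatches(host, domain)) return null;  // foreign domain: rejected
      cookie.domain = domain;
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'expires') {
      cookie.expires = new Date(val);
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for `url` at time `now`?
function cookieApplies(cookie, url, now = new Date()) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  if (cookie.expires && cookie.expires <= now) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  if (cookie.hostOnly ? host !== cookie.domain : !domainMatches(host, cookie.domain)) return false;
  return pathMatches(u.pathname, cookie.path);
}

// The Cookie request header the browser would send for `url` ('' if none).
function cookieHeaderFor(jar, url, now) {
  return jar.filter((c) => cookieApplies(c, url, now))
            .map((c) => `${c.name}=${c.value}`).join('; ');
}

// What document.cookie exposes on a page at `url`: HttpOnly cookies are hidden.
function documentCookieFor(jar, url, now) {
  return jar.filter((c) => !c.httpOnly && cookieApplies(c, url, now))
            .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample jar, built from headers like the ones shown in the wiki.
const sampleJar = [
  parseSetCookie('name=value; Domain=www.foo.com; Path=/hereonly', 'https://www.foo.com/'),
  parseSetCookie('goldlocation=somewhere; Domain=.morgan.com; secure; httponly', 'https://shop.morgan.com/'),
  parseSetCookie('session=abc123', 'https://www.foo.com/app/login'),     // host-only, path /app
  parseSetCookie('someName=someValue; Expires=Fri, 18 Jan 2013 10:13:13 GMT', 'https://www.foo.com/'),
].filter(Boolean);

console.log(cookieHeaderFor(sampleJar, 'https://api.www.foo.com/hereonly/x')); // name=value
console.log(cookieHeaderFor(sampleJar, 'http://www.morgan.com/'));             // '' (Secure)
console.log(documentCookieFor(sampleJar, 'https://www.morgan.com/'));          // '' (HttpOnly)
```

Two things to observe when running it: the host-only `session` cookie never reaches `api.www.foo.com`, while the `name` cookie with an explicit Domain does, which is the "Domain widens scope" point; and `goldlocation` is sent on HTTPS requests to any morgan.com host but never appears in what `document.cookie` would return, which is exactly what Secure and HttpOnly buy you.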

For a long time the behaviour of HTTP cookies in real browsers was not described by any RFC: RFC 2109 and RFC 2965 were never widely implemented and are of historical interest only. RFC 6265 (2011) documents what browsers actually do and is the specification to cite.

RFC 6265 asks browsers to allow at least 4096 bytes per cookie, at least 50 cookies per domain and at least 3000 cookies in total (the older RFCs said 20 per domain, and many sites still design for that). If you are looking for an alternative to cookies that isn't sent in HTTP headers and can store more data, consider

Implementation Hint

For those interested, there is a simple plugin that makes it easy to write, read and delete cookies; it can be found here.


Questions:

34843 questions
10 votes, 7 answers

How do I access cookies within Flash?

I'm looking to grab cookie values for the same domain within a Flash movie. Is this possible? Let's say I let a user set a variable foo and I store it using any web programming language. I can access it easily via that language, but I would like…
Chris Bartow
10 votes, 1 answer

Cross-domain login using JSONP and cookies

How can I allow users to log into one domain and automatically be logged into my other domains without them having to submit a form on each domain?
andrewtweber
10 votes, 1 answer

Django: Get cookie inside test case

I have a view that sets a cookie using response.set_cookie method. I would like to test if the cookie is being set in a TestCase. According to docs, the cookie should be accessible in the client object, but client.cookies.items returns an empty…
Marco Lima
10 votes, 1 answer

Default expire time for a cookie in Rails

What is the default expire time of a cookie in Rails (3.1.3)? I have found documentation on how to set, how to retrieve, but I fail to see the default expire time.
Hommer Smith
10 votes, 2 answers

How to access client cookie (with session ID) created by node.js Express?

I thought I understood how Cookies worked, but I guess not since I'm stuck on the following: I cannot display a cookie with document.cookie, testing with alert(document.cookie); in my code. I am playing around with node and have the following code…
gotta have my pops
10 votes, 1 answer

Set-Cookie Header is in the response but browser doesn't set Cookie in next request

I'm developing a REST API which needs to be stateful (no workaround for that, I'm using a native lib with no serializable objects etc.). This REST API is exposed on a web server on a domain domainA. Response contains a Access-Control-Allow-Origin…
mruellan
10 votes, 1 answer

How do I use the --header option to send cookies with Siege?

I have just started to use Siege to do load/stressing test on a new web server. I am trying to test on my most resource/performance heavy script, but the script requires cookies. What is the proper format for using the --header option in siege? I…
Andrew
10 votes, 4 answers

What is timezone of cookie stored on client's side?

I need to set a cookie that expires after 1 hour using the PHP setcookie function. The timezone on my server is set to GMT. How should I set the cookie expiry date to make it work across different clients' browser timezones?
Karol
10 votes, 1 answer

Wininet InternetGetCookie gets empty cookie data

I'm currently working on getting cookie data with C#. I'm using DllImport to invoke InternetGetCookie in wininet.dll, but when I try it the function returns ERROR_INSUFFICIENT_BUFFER (error code 122). Can anyone help me with this? This is…
P.G Wisgerhof
9 votes, 5 answers

Should cookie content be encrypted when using https?

I'm trying to write a cookie in ASP.NET under https, but I see a plain text cookie in the client machine. Shouldn't the cookie be encrypted by default under an https connection?
Dante
9 votes, 2 answers

PHP setcookie() not working

On one page I have something like this setcookie('user', 'value' ,6000, '/', 'mydomain.co.uk'); On the subsequent page I have var_dump($_COOKIE); I can see all the automatically generated ones, like PHPSESSID but I cannot see user. If I do echo…
Alex
9 votes, 4 answers

How to secure classic ASP ASPSESSIONID cookie?

Is there a way to mark classic ASP ASPSESSIONID* cookies as secure? It appears that the ASP ISAPI handler adds that session id cookie after my page is done rendering so putting code at the end of my page to loop through the Response.Cookie…
slolife
9 votes, 3 answers

jQuery Tools: Keep selected tab on refresh or save data

I am using jQuery Tools for the tab UI. Now I want to keep the tab selected on page reload. Is there any way to do that? Below is my code $(function() { // setup ul.tabs to work as tabs for each div directly under div.panes …
Code Lover
9 votes, 1 answer

Cookie data size exceeds 4K - But it's 'only' 1100 bytes encrypted

I have a Sinatra app using Rack::Session::Cookie use Rack::Session::Cookie, :key => 'my.key', :path => '/', :expire_after => 3600, # In seconds :secret =>…
Tom Andersen
9 votes, 6 answers

ASP.NET OutputCache and Cookies

Does anyone know why, if I have cookies on my page, the output cache does not work? Example page <%@ Page Language="VB" AutoEventWireup="false" CodeFile="ct.aspx.vb" Inherits="ct" %> <%@ OutputCache Duration="600" Location="Server"…
Symeon Breen