HTTP Cookie Headers
When a client contacts a server, it normally uses the HyperText Transfer Protocol (HTTP). When the user requests a page, for example, the browser sends an HTTP request to the server, specifying the page address and several request headers. When the server replies to a client's request, it returns an HTTP response that also carries a header, containing important information about the file being returned, such as its size.
An HTTP header consists of several fields, one per line. Each field has the following syntax (a field name, a colon, and the field's value, as in the Set-Cookie and Cookie examples below):
Field-Name: value
The server sets a cookie in an HTTP response, while the client provides its cookies to the server-side application in an HTTP request. The following field is sent to the client in an HTTP response to assign a new cookie:
Set-Cookie: name=value; expires=date; path=pathname; domain=domainname; secure
name is the name of the cookie, by which you can reference it later.
value is a regular string to be stored in the cookie. It is recommended that the string be encoded using the "%XX" style, which is equivalent to the output of the escape() function (today's encodeURIComponent() produces the same style of encoding); this guarantees the value can never contain a semicolon, comma, or whitespace, which would break the header syntax. Generally speaking, the name=value pair is the only required attribute of the Set-Cookie field.
expires is an optional attribute that specifies the cookie's expiration date and time. The date string should have the following format:
Wdy, DD-Mon-YYYY HH:MM:SS GMT
Here's an example:
Thu, 31-Dec-1998 00:00:00 GMT
The toGMTString() method of the Date object converts a Date instance to the closely related form with spaces instead of hyphens ("Thu, 31 Dec 1998 00:00:00 GMT"), which browsers accept as well. If the expires attribute isn't specified, the cookie expires when the user's session ends.
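The following is an added example, not code from the original article: a pair of functions that build a Set-Cookie field from its parts and parse one back, following the format described above. It uses encodeURIComponent() in place of the deprecated escape(), writes the date in the hyphenated Netscape form, and accepts either the hyphenated or the space-separated form when parsing. Input values are constructed for illustration.

```javascript
// Added example (not from the original article): build and parse a
// Netscape-style Set-Cookie header value.

const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const DAYS = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];

// Format a Date as "Wdy, DD-Mon-YYYY HH:MM:SS GMT" (the hyphenated form the
// article gives; Date.prototype.toUTCString() yields the space-separated form).
function toNetscapeDate(date) {
  const pad = (n) => String(n).padStart(2, '0');
  return `${DAYS[date.getUTCDay()]}, ${pad(date.getUTCDate())}-` +
         `${MONTHS[date.getUTCMonth()]}-${date.getUTCFullYear()} ` +
         `${pad(date.getUTCHours())}:${pad(date.getUTCMinutes())}:` +
         `${pad(date.getUTCSeconds())} GMT`;
}

// Accept both "31-Dec-1998" and "31 Dec 1998" forms; return null if unparsable.
const DATE_RE = /^(?:\w{3}, )?(\d{1,2})[- ](\w{3})[- ](\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/;
function parseNetscapeDate(s) {
  const m = DATE_RE.exec(s.trim());
  if (!m) return null;
  const month = MONTHS.indexOf(m[2]);
  if (month < 0) return null;
  return new Date(Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]));
}

// Build the Set-Cookie value. The name is used verbatim, so it must not contain
// '=', ';' or whitespace; the value is %XX-encoded so it can never contain ';'.
function formatSetCookie({ name, value, expires, path, domain, secure }) {
  if (!/^[^=;\s]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (expires) parts.push(`expires=${toNetscapeDate(expires)}`);
  if (path) parts.push(`path=${path}`);
  if (domain) parts.push(`domain=${domain}`);
  if (secure) parts.push('secure');
  return parts.join('; ');
}

// Parse a Set-Cookie value. The first "name=value" pair is the cookie itself;
// the remaining ';'-separated items are attributes (matched case-insensitively).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('missing name=value');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    expires: null, path: null, domain: null, secure: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'expires') cookie.expires = parseNetscapeDate(val);
    else if (key === 'path') cookie.path = val;
    else if (key === 'domain') cookie.domain = val;
  }
  return cookie;
}
```

Because the value is encoded before it is written, a value such as "a b;c" cannot terminate the field early or smuggle in an extra attribute; the name, which is not encoded, is validated instead.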
When searching for valid cookies, the browser compares the domain attribute of each cookie to the current server's host name. The browser looks for a tail match. For example, a domainname of ".internet.com" would tail match "www.internet.com" as well as "ipw.internet.com". A domainname must contain at least two periods if it ends in one of the seven special top-level domains (com, edu, net, org, gov, mil, int), and at least three periods in any other case (e.g., under co.il or ac.il); this prevents a server from setting a cookie that would be sent to every host in a top-level domain. The default value of the domain attribute is the host name of the server that set the cookie.
The path attribute specifies a subset of URLs in a domain for which a cookie is valid. After the domain is matched, the pathname component of the URL is compared with pathname (the value of the path attribute), and, if successful, the cookie is considered valid and is sent along with the HTTP request. The comparison is a plain prefix match: the path "/foo" would match "/foobar" as well as "/foo/bar.html". "/" is the most general path. If a path is not specified, it defaults to the path of the document or script that set the cookie.
If you specify the word secure in the Set-Cookie field, the cookie will only be transmitted across a secured communication channel between the client and the server. If this attribute is not specified, the cookie will be sent over any channel, including an unsecured one.
When a script requests a URL from an HTTP server, the browser matches the URL against all cookies (which were previously loaded from the client's hard drive into its memory), and if any of them match, a line containing the name=value pairs of all matching cookies is included in the HTTP request. The format is straightforward:
Cookie: name1=value1; name2=value2 ...
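The client-side matching described in the domain, path and secure paragraphs above, as an added example that is not part of the original article: a small in-memory cookie jar decides which stored cookies belong on a given request and builds the resulting Cookie field. The jar contents are constructed for illustration. It goes slightly beyond the text in two places, both labelled in the code: it orders matching cookies longest path first, as Netscape's specification required, and it offers the stricter path match of RFC 6265 (2011), which modern browsers use and under which "/foo" no longer matches "/foobar".

```javascript
// Added example (not from the original article): browser-side cookie matching.

// Netscape tail match: ".internet.com" matches "www.internet.com" and
// "ipw.internet.com"; a domain without a leading dot matches only itself.
function domainMatches(cookieDomain, host) {
  const d = cookieDomain.toLowerCase(), h = host.toLowerCase();
  if (!d.startsWith('.')) return h === d;
  return h.endsWith(d);
}

// Refuse domain values that are too broad: at least two periods under one of
// the seven special top-level domains, at least three anywhere else.
function isAcceptableDomain(cookieDomain) {
  const special = ['com', 'edu', 'net', 'org', 'gov', 'mil', 'int'];
  const d = cookieDomain.toLowerCase();
  const periods = (d.match(/\./g) || []).length;
  const tld = d.slice(d.lastIndexOf('.') + 1);
  return periods >= (special.includes(tld) ? 2 : 3);
}

// Netscape path match is a plain prefix test, so "/foo" matches "/foobar".
// strict=true applies the RFC 6265 rule (not in the article): the prefix must
// end at a "/" boundary, so "/foo" matches "/foo/bar" but not "/foobar".
function pathMatches(cookiePath, requestPath, strict = false) {
  if (!requestPath.startsWith(cookiePath)) return false;
  if (!strict) return true;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Return the "Cookie:" line for a request, or null when nothing matches.
// Secure cookies are sent only over https; expired cookies are never sent.
// Longest path first is Netscape's ordering (not stated in the article).
function buildCookieHeader(jar, url, now = new Date()) {
  const u = new URL(url);
  const matching = jar.filter((c) =>
    domainMatches(c.domain, u.hostname) &&
    pathMatches(c.path, u.pathname) &&
    (!c.secure || u.protocol === 'https:') &&
    (!c.expires || c.expires > now));
  matching.sort((a, b) => b.path.length - a.path.length);
  if (matching.length === 0) return null;
  return 'Cookie: ' + matching.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed jar: cookies a browser might have stored from earlier responses.
const jar = [
  { name: 'sid',   value: 'abc123', domain: '.internet.com',   path: '/',    secure: false, expires: null },
  { name: 'pref',  value: 'blue',   domain: 'www.internet.com', path: '/foo', secure: false, expires: null },
  { name: 'auth',  value: 'tok',    domain: '.internet.com',   path: '/',    secure: true,  expires: null },
  { name: 'old',   value: 'x',      domain: '.internet.com',   path: '/',    secure: false,
    expires: new Date(Date.UTC(1998, 11, 31)) },   // the article's example date
  { name: 'other', value: 'y',      domain: '.example.net',    path: '/',    secure: false, expires: null },
];
```

Note what the http request to www.internet.com/foobar does not receive: "auth" is held back because the channel is not secure, "old" because it has expired, and "other" because its domain does not tail match; "pref" is included only because of the prefix-style path match.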
According to Netscape's official documentation, a client can hold up to 300 cookies in total. A cookie can be up to 4 kilobytes, counting its name and value together. A maximum of 20 cookies per server or domain are allowed.
Created: December 4, 1997
Revised: December 4, 1997