Crispy JavaScript Cookies: HTTP Cookie Headers - Doc JavaScript | WebReference

Crispy JavaScript Cookies: HTTP Cookie Headers - Doc JavaScript

HTTP Cookie Headers

When a client contacts a server, it normally uses the Hyper Text Transfer Protocol (HTTP). When the user requests a page, for example, the browser sends an HTTP request to the server, specifying the page address and several other attributes. When the server replies to a client's request, it returns an HTTP response which also features a header, containing important information about the file being returned, such as its size.

An HTTP header consists of several fields. Each field has the following syntax:

Field-name: Information

The server sets a cookie in an HTTP response, while the client provides its cookies to the server-side application during an HTTP request. The following definition is sent to client in an HTTP response to assign a new cookie:

Set-Cookie: name=value; expires=date; path=pathname; domain=domainname; secure

name is the name of the cookie by which you can reference it later. value is a regular string to be stored as a cookie. It is recommended that the string be encoded using the "%XX" style, which is equivalent to the escape() function's output. Generally speaking, the name=value pair is the only required attribute of the Set-Cookie field.

expires is an optional attribute that specifies the cookie's expiration date and time. The date string should have the following format:


Here's an example:

Thu, 31-Dec-1998 00:00:00 GMT

If you provide a date in the past, the cookie is instantly deleted. JavaScript's built-in toGMTString() method converts an instance of the Date object to the required date format. If the expires attribute isn't specified, the cookie expires when the user's session ends.

When searching for valid cookies, the browser compares the domain attribute of each cookie to the current server's domain name. The browser looks for a trail match. For example, a domainname of "" would tail match "" as well as "". A domainname must consists of at least two periods in a top-level domain (e.g., com, edu, net, org, gov, mil, int), and at least three in any other one (e.g.,, The default value of the domain attribute is the host name of the server that set the cookie.

The path attribute specifies a subset of URLs in a domain for which a cookie is valid. After the domain is matched, the pathname component of the URL is compared with pathname (the value of the path attribute), and, if successful, the cookie is considered valid and is sent along with the HTTP request. The path "/foo" would match "/foobar" and "/foo/bar/html". "/" is the most general path. If a path is not specified, it defaults to the path of the document or script that set the cookie.

If you specify the word secure in the Set-Cookie field, the cookie will only be transmitted across a secured communication channel between the client and the server. If this attribute is not specified, the cookie will be sent over any channel, including an unsecured one.

When a script requests an url from an HTTP server, the browser matches the URL against all cookies (which were previously loaded from the client's hard drive to its memory), and if any of them match, a line containing the name and value pairs of all matching cookies are included in the HTTP request. The format is straightforward:

Cookie: name1=value1; name2=value2 ...

According to Netscape's official documentation, a client can hold up to 300 cookies. A cookie can be up to 4KB, including its name and value, which is exactly 4000 characters. A maximum of 20 cookies per server or domain are allowed.

Created: December 4, 1997
Revised: December 4, 1997