Recipe 3.6 Logging Cookies

Problem

You want to record all the cookies sent to your server by clients and all the cookies your server asks clients to set in their databases; this can be useful when debugging web applications that use cookies.

Solution

To log cookies received from the client:

CustomLog logs/cookies_in.log "%{UNIQUE_ID}e %{Cookie}i" CustomLog logs/cookies2_in.log "%{UNIQUE_ID}e %{Cookie2}i"

To log cookie values set and sent by the server to the client:

CustomLog logs/cookies_out.log "%{UNIQUE_ID}e %{Set-Cookie}o" CustomLog logs/cookies2_out.log "%{UNIQUE_ID}e %{Set-Cookie2}o"

Using the %{Set-Cookie}o format effector for debugging is not recommended if multiple cookies are (or may be) involved. Only the first one will be recorded in the logfile. See the Discussion text for an example.

At the time of this writing, the Apache package includes no way to record all cookie values, but one of the authors of this book is working on one. When it's available, it should be mentioned on this book's web site, http://Apache-Cookbook.Com/.

Discussion

Cookie fields tend to be very long and complex, so the previous statements will create separate files for logging them. The cookie log entries can be correlated against the client request access log using the server-set UNIQUE_ID environment variable (assuming that mod_unique_id is active in the server and that the activity log format includes the environment variable with a %{UNIQUE_ID}e format effector).

At the time of this writing, the Cookie and Set-Cookie header fields are most commonly used. The Cookie2 and corresponding Set-Cookie2 fields are newer and have been designed to correct some of the shortcomings in the original specifications, but they haven't yet achieved much penetration.

Because of the manner in which the syntax of the cookie header fields has changed over time, these logging instructions may or may not capture the complete details of the cookies.

Bear in mind that these logging directives will record all cookies, and not just the ones in which you may be particularly interested. For example, here is the log entry for a client request that included two cookies, one named RFC2109-1 and one named RFC2109-2:

PNCSUsCoF2UAACI3CZs RFC2109-1="This is an old-style cookie, with space characters      embedded"; RFC2109-2=This_is_a_normal_old-style_cookie

Even though there's only one log entry, it contains information about two cookies.

On the cookie-setting side, here are the Set-Cookie header fields sent by the server in its response header:

Set-Cookie: RFC2109-1="This is an old-style cookie, with space characters embedded";      Version=1; Path=/; Max-Age=60; Comment="RFC2109 demonstration cookie" Set-Cookie: RFC2109-2=This_is_a_normal_old-style_cookie; Version=1; Path=/; Max-      Age=60; Comment="RFC2109 demonstration cookie"

And here's the corresponding log entry for the response:

PNCSUsCoF2UAACI3CZs RFC2109-1="This is an old-style cookie, with space characters      embedded"; Version=1; Path=/; Max-Age=60; Comment="RFC2109 demonstration cookie"

As you can see, the logging of the Cookie field in the request header was handled correctly, but only one of the Set-Cookie fields in the response header was logged.

See Also

• RFC 2109, "HTTP State Management Mechanism" (IETF definition of Cookie and Set-Cookie header fields) at ftp://ftp.isi.edu/in-notes/rfc2109.txt

• RFC 2165, "HTTP State Management Mechanism" (IETF definition of Cookie2 and Set-Cookie2 header fields) at ftp://ftp.isi.edu/in-notes/rfc2165.txt

• The original Netscape cookie proposal at http://home.netscape.com/newsref/std/cookie_spec.html