WHAT ARE HTTP COOKIES?

Before we jump into Flash and JScript, let's take a moment to really understand cookies and the function they serve in the world of HTTP and web applications. It is actually not entirely necessary for you to understand cookies before you can use them for data storage with the code I have provided here; however, the section that follows will help provide you with a broader perspective on the technology we will be exploring.

First of all, one of the biggest challenges developers face when designing applications for the web is the fact that HTTP is inherently stateless. In other words, HTTP defines a protocol for clients (usually browsers) to make requests to servers and for servers to respond to those requests. That's essentially it. How can a server know that two consecutive requests were from the same client? Why is that you can enter a username and password once, and not have to re-authenticate every time you make a new request? A server cannot depend on clients' IP addresses being unique because any number of users could be using a single proxy server and therefore all appear to have the same IP address. Netscape's answer (which has since become a widely adopted standard) was cookies.

A cookie (named as such for no particular reason) is a relatively small piece of data about 4 kilobytes or 4,096 characters that servers can store locally on clients' computers. The most common usage of cookies is storing session or shopping cart IDs and user authentication information. Ad servers also sometimes use cookies to help identify or target viewers. Without getting into too much detail (the HTTP cookie specification is quite complex in its entirety and well beyond the scope of this chapter), let's consider a simple application of cookies.

Let's say one day you get tired of typing in your username password at your favorite news site, and you finally check the checkbox below the password field labeled "Remember my login information." When you click the Submit button and the server finds that checkbox checked, it will send back a cookie header in the HTTP response, which might look something like this:

 HTTP/1.1 200 OK  Set-Cookie: credentials="cantrell;lucy"; Version="1"; \Path="/"; expires=Wednesday,  01-Jan-03 00:00:00 GMT 

The first line of the header specifies the protocol and version (HTTP/1.1) and the response code (200 OK ) indicating to your browser that the request was processed successfully on the server. The next line of the header is telling your browser to set a cookie named credentials to the value of "cantrell;lucy" (cantrell being the user name, lucy being the password).

When your browser parses that portion of the header, it will make an appropriate entry in its cookie database, and from then until midnight on January 1, 2003, it will send the cookie name/value pair in any request to the domain that originally set the cookie. For instance, if the cookie was set by the domain planetearthgazette.com, then any request back to http://www.planetearthgazette.com using the same browser that was used at the time the cookie was set will contain a request header with the cookie information. The server then watches for the cookie in certain requests and, where it finds it, automatically uses the username and password to authenticate the user.