| [View full width] document.cookie="myLanguage=JavaScript; expires=Tue, 25-Dec-2007 12:34:56 GMT; path=/;  domain=.example.com; secure"
|
Although the expiration date of a cookie is by far the most commonly used feature, there are others as well: path This sets the path to tie the cookie to. The default value is the current path. If this is set to /, the whole website receives the cookie. domain This specifies which domain(s) to use. By specification, at least two dots are required in the domain name, but many browsers ignore that. If this is set to .example.com, then www.example.com and subdomain.example.com receive the cookie. secure If this is set (just by putting it in the cookie string), the cookie is transmitted only via a secured connection (HTTPS).
The preceding code sets a cookie that is tied to the .example.com domain and will be transmitted via HTTPS connections only. Do note that the associated listing (cookieoptions.html) most probably will not work on your system unless you change the domain name to the actual domain name you are using. Warning When you want to overwrite a cookie, make sure that you are using the same cookie features (name, path, domain, secure) as when you set the cookie; the expiration date and the cookie value may change, of course. Otherwise, the browser creates a new cookie.
Using HTTP Only Cookies Recent versions of Microsoft's Internet Explorer web browser support an additional option for cookies: HttpOnly. If this is set, the cookie is transmitted via HTTP only but cannot be read out using JavaScript. This option has been introduced to avoid some security issues on some websites allowing the theft of sensible cookie data with JavaScript. However, HttpOnly is proprietary and is supported only in Microsoft browsers. More information on HttpOnly cookies can be found at http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp. |
|
