When a web server sends a cookie to a client, an HTTP header entry in the following fashion is used:
Then the client receives this cookie information and, according to the client capabilities and/or its configuration, takes one of the following four actions:
Actually, the first and the last actions are the same. It is not possible for the web server to find out whether a cookie has been refused by the user, refused by the client configuration, or ignored by the client due to a lack of cookie support. If accepted, cookies are then sent back to the server if a combination of requirements is met. The associated HTTP header entry then looks like this:

Cookie: session=abcd1234

A cookie can be tied to a domain and a path. Therefore, a cookie is usually sent back only to the server it originated from. It is possible to overwrite the domain value in a cookie, but some browsers then automatically refuse this cookie. Also, there are some limitations for cookies. Not all browsers support them in a similar fashion, but the following requirements are the minimum set a browser must support:
Note There is no official cookie specification that is supported across browsers, but all relevant clients support a proprietary "preliminary" specification Netscape published in the 1990s. It is still available for viewing at http://wp.netscape.com/newsref/std/cookie_spec.html.
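The domain and path scoping described above can be made concrete by modelling the client side of the exchange: parsing a Set-Cookie header, deciding whether to accept it, and later deciding which cookies go into the Cookie request header. The following is an added example, not code from the original text; it implements the tail-matching domain rule and prefix path rule of the Netscape draft referenced in the note, plus the check that refuses a cookie whose Domain attribute does not cover the host that set it. All URLs and cookie values in it are constructed sample data.

```python
"""Constructed example: how a client scopes cookies by domain and path."""
from urllib.parse import urlsplit


def domain_matches(host, domain):
    """Netscape-style tail match: '.example.com' covers www.example.com
    and example.com itself; a domain without a leading dot must match exactly."""
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        return host.endswith(domain) or host == domain[1:]
    return host == domain


def parse_set_cookie(header_value, origin_url):
    """Parse the value of a Set-Cookie header into a cookie dict.

    Defaults follow the Netscape draft: Domain is the host that set the
    cookie and Path is the directory of the URL that set it.
    """
    origin = urlsplit(origin_url)
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "domain": origin.hostname.lower(),
        "path": origin.path.rsplit("/", 1)[0] or "/",
        "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # RFC 6265 treats 'Domain=example.com' like '.example.com':
            # the cookie also covers subdomains, so normalise to the dotted form.
            cookie["domain"] = val if val.startswith(".") else "." + val
        elif key == "path" and val:
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def accept_cookie(jar, header_value, origin_url):
    """Store the cookie unless its Domain lies outside the host that set it.

    A server may only set cookies for a domain it belongs to; this is the
    check behind browsers 'automatically refusing' an overwritten domain.
    Returns True if the cookie was stored, False if it was refused.
    """
    cookie = parse_set_cookie(header_value, origin_url)
    host = urlsplit(origin_url).hostname
    if not domain_matches(host, cookie["domain"]):
        return False
    # A cookie with the same name, domain and path replaces the old one.
    jar[:] = [c for c in jar
              if (c["name"], c["domain"], c["path"])
              != (cookie["name"], cookie["domain"], cookie["path"])]
    jar.append(cookie)
    return True


def cookie_header(jar, request_url):
    """Build the Cookie request header for request_url, or None if no cookie applies."""
    url = urlsplit(request_url)
    host, path = url.hostname, url.path or "/"
    sent = [c for c in jar
            if domain_matches(host, c["domain"])
            and path.startswith(c["path"])            # Netscape draft: prefix match
            and (url.scheme == "https" or not c["secure"])]
    if not sent:
        return None
    # Netscape draft: cookies with more specific paths come first.
    sent.sort(key=lambda c: len(c["path"]), reverse=True)
    return "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in sent)


if __name__ == "__main__":
    jar = []
    accept_cookie(jar, "session=abcd1234; Path=/", "http://www.example.com/shop/cart")
    print(cookie_header(jar, "http://www.example.com/index.php"))
    print(cookie_header(jar, "http://www.other.example/"))  # nothing applies
```

The `accept_cookie` check is the defender's view of the domain rule: a response from www.example.com cannot plant a cookie that the client would later send to an unrelated host, which is why the text says some browsers refuse such a cookie outright.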