14.1 What Are Cookies? | JavaScript by Example (2nd Edition)

The Web protocol, HTTP, was designed to be stateless to keep transactions between a browser and server brief and cut down on the overhead of keeping connections open . Stateless means that after a transaction takes place between the browser and server, the connection is lost and neither the browser nor server have any recollection of what transpired between one session and the next . But as the Internet grew and people started filling up shopping carts with all kinds of goodies , ordering everything from groceries to music, books, prescription drugs, and even cars and homes , it became necessary for merchants to remember what their customers purchased, their preferences, registration numbers , IDs, and so on. Enter Netscape way back in 1994 with the cookie. A cookie is a local file used to store information, and it is persistent; that is, it is maintained between browser sessions and remains even when the user shuts down his computer. The cookie idea became very popular and is now supported by all major browsers.

The term "cookie" comes from an old programming trick for debugging and testing routines in a program. A text file, called a "magic cookie" was created. It contained text that was shared by two routines so that they could communicate with each other. The cookie feature started by Netscape ^[1] is also just a little piece of textual data that is stored in a file (often called the cookie jar) on the hard drive of the client (browser). It contains information about the viewer that can be retrieved and used at a later time to welcome him to your site, and based on past visits , show him a new book by his favorite author, display the latest stock quotes, or take him to CNN Europe when he wants to view the news. The HTTP server sends the cookie to the browser when the browser connects for the first time and from then on, the browser returns a copy of the cookie to the server each time it connects. The information is passed back and forth between the server and browser via HTTP headers.

^[1] See www.netscape.com/newsref/std/cookie_spec.html for cookie specification.

Cookies can make a Web page personal and friendly, and store important information about the user's language, reading, or music preferences, how many times he has visited your site, track items in a shopping cart, and more. But they can also be annoying, and some question the security of putting unknown data on their hard drive. Love 'em or hate 'em, they're an intrinsic part of the Web. But you do have a say about whether or not to use them. If you don't like cookies, you can turn them off, and remove all of them from your hard drive. For example, if using IE, you can delete cookies by going to the Tools menu and then to Internet options (see Figure 14.1); in Navigator, look at the Tools menu, go to Cookie Manager, and from there you can block all cookies for this site (see Figure 14.2).

Figure 14.1. Internet Explorer ”Enabling and disabling cookies.

graphics/14fig01.jpg

Figure 14.2. Netscape 7 ”Enabling and disabling cookies.

graphics/14fig02.jpg

Unlike Grandma's old-fashioned cookie jar that could be packed full of sugar cookies (and the calories kept out of sight), Web browser cookies occupy a limited amount of space. Browsers usually can't store more than 300 cookies and servers not more than 20. Storage is usually limited to only 4 kilobytes per cookie, so you can't store a lot of information. The actual filename that holds the cookie data varies on different platforms. Netscape Navigator (Windows) stores cookies in a file named cookies.txt in Navigator's system directory; IE stores them in the Window\Cookies directory, and on the Mac, they are found in a file called MagicCookie .

14.1.1 Cookie Ingredients

Cookies are often sent from a CGI program on the server side to the browser through HTTP request and response headers, but with JavaScript you can set cookies on the local browser, eliminating the need for the CGI program to handle them, and thereby cutting down on server activity. The cookie's default lifetime is the length of the current session. Then they are destroyed . See the expiration attribute below.

Cookies are composed of text in the form of key/value pairs, often nicknamed "crumbs," and up to 20 pairs can be stored in a single cookie string. The browser stores only one cookie per page.

When making cookies, the crumbs consist of name =value pairs, called attributes, that must be terminated with a semicolon. Within the string, semicolons, commas, or whitespace characters are not allowed. The HTTP Set-Cookie header has the following format:

FORMAT

 Set-Cookie: name=value; [expires=date};[path=path]; [domain=domainname]; [secure];

Example:

 Set-Cookie: id="Bob";expires=Monday, 21-Oct-05 12:00:00 GMT;domain="bbb.com"; path="/"; secure;

14.1.2 The Attributes of a Cookie

When setting the cookie, it is important to understand the components of a cookie. It has a name and a value and another set of optional attributes to determine the expiration date, the domain, path, and whether the cookie must be sent over a secure communications channel (HTTPS). All of these attributes are assigned as strings.

Name

The actual cookie text consists of the name of the cookie and the value stored there. It can be a session ID, a user name, or whatever you like.

FORMAT

 nameofcookie=value;

Examples:

 id=456; email=joe@abc.com; name=Bob;

Don't confuse the value with what the cookie is named. The name of the cookie is on the left-hand side of the = sign and the cookie text that gets stored there is on the right-hand side. The value assigned is a string. To add multiple values to the string, you must use unique characters to separate the values, such as Bill*Sanders*345 . (With JavaScript you can also use the built-in escape() method, which returns URL encoding for a string, acceptable to the browser. See "Assigning Cookie Attributes" on page 482.)

Expiration Date

The cookie normally expires when the current browser session ends, which gives it little value, but you can specify an expiration date that will let it persist, by using the following format:

FORMAT

 ;expires=Weekday, DD-MON-YY  HH:MM::SS GMT

Example:

 ;expires= Friday, 15-Mar-04 12:00:00 GMT

The day of the week is specified by Weekday , the day of the month by DD , the first three letters of the month by MON , and the last two numbers of the year by YY (e.g., 03 or 04 ). The hour , minutes, and seconds are specified in HH:MM:SS and the GMT time zone is always used. Some cookies last for days, but it's possible for them to even last for years . It's up to the designer to decide how long a cookie should live. Setting the expiration date also limits the amount of possible damage that could be done if the cookie is intercepted by some hacker. Once the cookie has expired it is called stale and is automatically destroyed.

Domain Name

The domain name, not commonly used, specifies a general domain name to which the cookie should apply. It allows the cookie to be shared among multiple servers instead of just the one you're on. If you don't use the full http://domain syntax, then a leading dot must precede the domain name.

FORMAT

 ; domain=.domain_name ; domain=http://somedomain.com

Example:

 ; domain=.kajinsky.com ; domain=http://kajinksy.com

Path

The path is used to specify where the cookie is valid for a particular server. Setting a path for the cookie allows other pages from the same domain to share a cookie.

FORMAT

 ; path=pathname

Example:

 ; path=/home

Secure

If a cookie is secure, it must be sent over a secure communication channel (HTTPS server).

FORMAT

 ; secure