About Cookies

Cookie-test

Example to show you how to set and retrieve a cookie. Try it.

Description

A cookie is simply a small (up to 20 times 4k per domain) bit of info which servers can store in a browser. Look on your hard drive for a cookies.txt.


User Configurable Variables

You may modify these variables to your heart's content. They are just meant as examples to help show how the subroutines work.

$expDate = "Wednesday, 09-Nov-99 00:00:00 GMT";
The cookie will last in the browser until this date, after which it is deleted.

$theDomain = ".engr.iupui.edu";
The browser will send a cookie if the domain and the path of the current URL match that which is in the cookie.

$path = "/cgi-bin/";
The browser will send a cookie if the domain and the path of the current URL match that which is in the cookie.

All about Cookies

State of mind

Since http is a stateless protocol, meaning each transaction is distinct and there is no memory from one to the next, tracking a browser through a site can be difficult at best. A user could visit a site, leave, and come back a day or a minute later, possibly from a different IP address. The site maintainer previously had no way of knowing if this was the same browser or not.

Imagine if unix or DOS made you login before every single command you type! This is basically what http does. This makes it very difficult to create an interactive application. But now, there are cookies! ;)


Cookies are covert little things.

Cookies can provide a way to maintain stateful connections between client and server.

A cookie is a small chunk of data, given to you by a server and stored on your hard drive. It can be used to track your path through a web site and develop a profile of you for advertisers. Cookies can of course be used for good things like shopping carts also.


They're about yay big.

No, they can't fill up your hard drive. The cookie spec says that the client may only hold at most 300 cookies in its jar and that a server may only put 20 into it. A server can cheat on the 20 cookie limit by using a different domain for each set of 20, e.g. set 20 with www.engr.iupui.edu, 20 more with .engr.iupui.edu, and 20 MORE with .iupui.edu. Once the jar fills up, the most senior ones are bumped out. Cookies can only be 4k apiece, so at most you may have 1.2 megs of your hard disk being used for a commercial site's cookie jar.

You can imagine huge corporations battling over your jar in a holy cookie war where Netscape.com tries to fill up your cookie jar and bump out all the Microsoft.com cookies you have and vice versa. But that would never happen. Would it? ;)


I'm Hungry. Where they at?

During a browsing session Netscape stores your cookies in memory. When you quit, they go into a file called cookies.txt on semi normal systems; on a Macintosh the cookie jar is called MagicCookie and resides in the preferences folder.


How they work.

How you get them.

Cookies are passed to you in a Set-cookie: http header with 5 possible fields separated by a semicolon and a space. The fields can be described as follows:

cookie-name=cookie-value;
The name and the value together count toward the 4k limit on a cookie.

expires=expiration-date;
At this date the cookie will be deleted from your jar automatically. The format is Wdy, DD-Mon-YYYY HH:MM:SS GMT

path=cookie-path;
Used to determine when a browser should show its cookies to the server. Hope mom ain't lookin!

domain=server-domain;
Again, used to determine when a browser should show a cookie to the server.

secure
Send the word "secure" at the end of a Set-cookie header and the cookie will only be sent back to the server over an https connection.

How they get them.

Your browser will send a cookie to a server with its request for a document when that document matches the path and domain attribute of a cookie.

For example, if you have a cookie with a path of "/stuff" and a domain of ".netscape.com", then any time you request a document from "netscape.com/stuff" your browser will send that cookie along with the request, and netscape.com may extract it from the environment variable HTTP_COOKIE.

See cookie-test.pl for an example.
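
The matching rules described above, as an added Perl example (it is not cookie-test.pl or the page's library): it builds the Set-cookie header, applies the domain tail match and path prefix match of a Netscape-style browser, and parses HTTP_COOKIE on the server. The date, domain and path are the example variables from this page; the cookie names and values and the host other.engr.iupui.edu are constructed for illustration, and expiry checking is left out.

```perl
use strict;
use warnings;

# Server side: the header a CGI script prints; the expiry attribute is spelled "expires".
sub set_cookie_header {
    my (%c) = @_;
    my $h = "Set-Cookie: $c{name}=$c{value}";
    $h .= "; $_=$c{$_}" for grep { $c{$_} } qw(expires path domain);
    $h .= "; secure" if $c{secure};
    return $h;
}

# Browser side: does this cookie go along with a request for $host$path?
sub cookie_is_sent {
    my ($c, $host, $path, $https) = @_;
    my $d = lc $c->{domain};
    $d = ".$d" unless $d =~ /^\./;
    # Domain is a tail match: every host under the domain qualifies.
    return 0 unless lc(".$host") =~ /\Q$d\E\z/;
    # Path is a prefix match: "/stuff" also covers "/stuffing".
    return 0 unless index($path, $c->{path}) == 0;
    return 0 if $c->{secure} and not $https;   # "secure" cookies stay off plain http
    return 1;
}

# Server side: HTTP_COOKIE carries only name=value pairs, never the attributes.
sub parse_http_cookie {
    my ($raw) = @_;
    my %jar;
    for my $pair (split /;\s*/, $raw // '') {
        my ($name, $value) = split /=/, $pair, 2;
        $jar{$name} = $value // '' if defined $name and length $name;
    }
    return %jar;
}

# Constructed sample: this page's example variables plus a made-up name and value.
my %cookie = (name => 'visitor', value => 'abc123', domain => '.engr.iupui.edu',
              path => '/cgi-bin/', expires => 'Wednesday, 09-Nov-99 00:00:00 GMT');
print set_cookie_header(%cookie), "\n";
for my $req (['www.engr.iupui.edu',   '/cgi-bin/cookie-test.pl'],
             ['other.engr.iupui.edu', '/cgi-bin/anything.pl'],
             ['www.engr.iupui.edu',   '/index.html'],
             ['www.iupui.edu',        '/cgi-bin/cookie-test.pl']) {
    printf "%-22s %-26s %s\n", @$req,
        cookie_is_sent(\%cookie, @$req, 0) ? 'cookie sent' : 'not sent';
}
my %jar = parse_http_cookie($ENV{HTTP_COOKIE} // 'visitor=abc123; theme=dark');
print "$_ => $jar{$_}\n" for sort keys %jar;
```

Since the browser decides on domain and path alone, a cookie set for a wide domain such as .iupui.edu reaches every server under it, so choose the narrowest domain and path that still work. The values that come back in HTTP_COOKIE are whatever the client chose to send and should be validated like any other input.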


EEEK! Get 'em off me!!

Here are a couple of tricks for keeping cookies out of your jar. Keep in mind that cookies are kept in memory (not on disk) during a session. They do not need to be written to disk for them to be useful to a server.


That's not enough.

If you crave more cookies see...
http://www.netscapeworld.com/netscapeworld/nw-07-1996/nw-07-cookies.html
Cookie I-D Drafts
http://www.emf.net/~mal/cookiesinfo.html
http://home.netscape.com/newsref/std/cookie_spec.html
ftp://ietf.org/internet-drafts/draft-ietf-http-state-mgmt-04.txt
http://www.illuminatus.com/cookie.fcgi
http://www.jasmin.com/cook0696.html
A Cookie FAQ

Last modified: Wed Feb 18 12:22:46 EST 1998