CS6320:  SW Engineering of Web Based Systems

 

Cookies
  • A cookie is a binding sent by the server back to the client for storage.
  • When the client later returns to the web-site (i.e. the server), it can send this binding back to that same server as a reminder (stored transactions, preferences, etc.).
    • See the description of the setDomain() and setPath() methods of Cookie to understand how the client's browser knows which URLs it should send which Cookies to!!!
  • Cookies can persist on the client machine across reboots.
  • A cookie can be given a lifetime, at the end of which it is deleted on the client machine.

Binding

  • Key=Value pair. This is text information only.

  • E.g.  Handle=grewe
  • A Cookie only stores one Key/Value (or Name/Value) pair!!!

Typical Uses of Cookies
  • Store identification information for E-commerce, etc.
  • Low-security method of retaining password information, without explicitly asking for the password each time the user visits the site.
  • Customization of a site: possibly remember the last order or the pages visited on the site, and when the user returns to the web-site anew, present them with similar information highlighted.
  • Focused advertising, based on previous purchases, etc.
Problems with Cookies
  • Limited number of cookies a browser will accept per site (e.g. 20).
  • Limited number of total cookies a browser will accept (e.g. 300).
  • Limited amount of storage given to each cookie.
  • These limits are a function of the browser and its version; search the documentation of the browsers for details.
  • Some people find cookies invade their privacy, and most browsers have the option to disable their use, so you can't count on being able to use them.
  • Sites that save critical information like credit card numbers, etc. in a cookie pose security problems.

Secure Cookies

Cookies have a secure flag, indicating that the cookie should only be sent over a secure channel. The rationale is as follows: suppose that we set a session ID cookie in response to the user logging in over a secure connection. Since the session ID is what "represents" the user name and password to the server, we don't want that session ID to ever be sent over an insecure connection and be vulnerable to eavesdropping. Setting the secure flag asks the client never to send that cookie over an insecure connection. In theory, "secure" and "insecure" are left to the interpretation of individual clients, but in practice "secure" means "HTTPS connection".

CookieObject.setSecure(true)

Of course, calling setSecure() doesn't magically turn insecure connections into secure connections. It only tells the browser not to send this cookie if the connection is not secure. In order to set up a secure connection, you have to make sure that the client is making an HTTPS request and that your server is set up to deal with HTTPS.
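As an added example (not code from the course notes), a login servlet that issues a session-ID cookie with the secure flag, and only after checking with request.isSecure() that the login itself arrived over HTTPS. It assumes the javax.servlet API (setHttpOnly() needs Servlet 3.0 or later); authenticate() and createServerSideSession() are hypothetical helpers standing in for the real user store and session table.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {

    // Hypothetical helper: checks the credentials against the user store.
    // Stubbed here; a real implementation would consult the store.
    private boolean authenticate(String user, String password) { return false; }

    // Hypothetical helper: records a new server-side session and returns its ID.
    private String createServerSideSession(String user) {
        return UUID.randomUUID().toString();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // setSecure() only tells the browser where to SEND the cookie later; it
        // does not secure this request. So refuse logins that did not use HTTPS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "login requires HTTPS");
            return;
        }
        String user = req.getParameter("user");
        if (user == null || !authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // From now on the session ID stands in for the user name and password,
        // so it must never travel over an insecure connection.
        Cookie c = new Cookie("SESSIONID", createServerSideSession(user));
        c.setSecure(true);    // client sends it over HTTPS only
        c.setHttpOnly(true);  // Servlet 3.0+: page scripts cannot read it
        c.setPath("/");       // every URL on this site receives it
        c.setMaxAge(-1);      // no lifetime: discarded when the browser exits
        resp.addCookie(c);    // header must go out before any content
        resp.setContentType("text/html");
        resp.getWriter().println("<html><body><p>Logged in.</p></body></html>");
    }
}
```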

How to Create a Cookie using Java Servlets

The Steps to Create a Cookie in a Servlet

1) The Servlet is invoked by the client machine, which passes information to it in its request that will be stored in the cookie.

2) The Servlet creates an instance of the Cookie class and can call the constructor with an initial binding.
 

  Cookie c = new Cookie(name, value);

3) OPTIONAL: As desired, set other attributes using the Cookie's setXXX() methods.

  c.setXXX(...);


4) Send the cookie to the client using the addCookie(c) method of the HttpServletResponse class, before sending any other content. This method inserts the Cookie into the HTTP response header.

  response.addCookie(c);

The Steps to Receive a Cookie in a Servlet

1) The Servlet is invoked by the client machine, whose browser sends along with the request the Cookie(s) it has associated with the Servlet's web-site.

2) The Servlet queries for any Cookies sent to it in the HTTP request (specifically its header) via the getCookies() method of the HttpServletRequest class.

  Cookie c[] = request.getCookies();
  • Note: if there are no cookies being sent in the HTTP request header, then this method call will return a zero-length, non-null array!!!!
      // defensive: the Servlet API Javadoc documents a null return when the
      // request carries no cookies, so check for that as well as for length 0
      if (c == null || c.length == 0)
        // there are NO cookies
3) Have the Servlet loop through any Cookies retrieved in step 2, calling each one's getName() method to find the Cookie whose information it wants.

4) Once you have the Cookie you are looking for from step 3, call its getValue() method to get the value bound to that name.


 
 
Creating Cookie Example:
 

Suppose there is an HTML form that asks the user for their choice of a handle to be used on a site that allows chat. The handle identifies the user to other people in the chat. When the client submits the handle, we want to invoke a Java Servlet that will in turn create a Cookie storing this information. This is useful because if the user returns to the web-site, they do not have to enter the information again.

1) Create an HTML form that upon submit invokes a Servlet.
2) The Servlet reads in the handle parameter sent to it and creates a cookie, which it sends to the client.
3) TIME PASSES, including possible client reboots.
4) The client returns to the web-site, and this time sends the cookie.
5) The server processes the request, this time with the information in the cookie it received.



 

 
Accepting Cookie Example:
 

This Servlet is responsible for accepting and using the cookie generated in the Creating a Cookie Example above.  Specifically, it will look for the appropriate cookie that has the user's pre-specified handle and greet them using it.

1) The Servlet accepts any cookies passed to it and looks for the one created in the above example.
2) It uses the value bound to this cookie as a handle to greet the client with, in a generated HTML page it returns to the client.
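An added example (not the course's own source, which is not reproduced here) that implements both the Creating Cookie example and the Accepting Cookie example in one servlet: doPost() stores the submitted handle in a cookie and doGet() reads it back to greet the user. It assumes the javax.servlet API; the form field and cookie name "handle", the accepted handle pattern and the 30-day lifetime are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HandleServlet extends HttpServlet {
    // Accepted shape of a handle, checked both on the way in and when read back
    // from the cookie: the browser (or whoever edits the cookie) controls the value.
    private static final String HANDLE_RE = "[A-Za-z0-9_]{1,20}";

    // Creating example, step 2: the form POSTs "handle"; store it in a cookie.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String handle = req.getParameter("handle");
        if (handle == null || !handle.matches(HANDLE_RE)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad handle");
            return;
        }
        Cookie c = new Cookie("handle", handle);  // one name/value binding
        c.setPath("/");                           // returned with every URL on this site
        c.setMaxAge(60 * 60 * 24 * 30);           // 30-day lifetime, survives reboots
        resp.addCookie(c);                        // goes into the header before any content
        respond(resp, "Handle saved: " + handle);
    }

    // Accepting example: look for the "handle" cookie and greet the user with it.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String handle = findCookie(req, "handle");
        if (handle == null || !handle.matches(HANDLE_RE)) {
            respond(resp, "Hello, please choose a handle.");
        } else {
            respond(resp, "Welcome back, " + handle + "!");
        }
    }

    // Receiving steps 2-3: loop over the cookies sent, matching on getName().
    // The Servlet Javadoc specifies a null return when no cookies were sent, so guard for it.
    static String findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;         // an empty array simply skips the loop
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    private static void respond(HttpServletResponse resp, String body) throws IOException {
        resp.setContentType("text/html");
        resp.getWriter().println("<html><body><p>" + body + "</p></body></html>");
    }
}
```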



 

Exercise

© Lynne Grewe