Cookies
- It is a binding sent by the server back to the client
for storage
- When the client later returns to the web site (i.e. the server),
it sends this binding back to that same server as a reminder (of
stored transactions, preferences, etc.)
- See the description of the setDomain() and setPath() methods of
Cookie to understand how the client's browser knows which Cookies
to send to which URLs!!!
- Cookies can persist on the client machine across reboots.
- A cookie can be given a lifetime, at the end of which it is deleted
on the client machine.
Binding
- Key=Value pair. This is text information only.
E.g. Handle=grewe
- A Cookie only stores one Key/Value
(or Name/Value) pair!!!
Typical Uses of Cookies
- Store identification information for E-commerce, etc.
- Low-security method of retaining password information, without
explicitly asking for the password each time the user visits the site.
- Customization of a site: possibly remember the last order or
pages visited on the site, and when the user returns to the web site anew,
present them with similar information highlighted.
- Focused advertising, based on previous purchases, etc.
Problems with Cookies
- Limited number of cookies a browser will accept per site
(e.g. 20).
- Limited number of total cookies a browser will accept
(e.g. 300).
- Limited amount of storage given to each cookie.
- These limits are a function of the browser and its version; search
the browser's documentation for details.
- Some people find cookies invade their privacy, and there
is an option on most browsers to disable their use, so you can't
count on being able to use them.
- Sites that save critical information like credit card numbers,
etc. in a cookie pose security problems.
Secure Cookies
Cookies have a secure flag, indicating that the cookie should only be sent over a secure channel. The rationale is as follows: suppose that we set a session ID cookie in response to the user logging in over a secure connection. Since the session ID is what "represents" the user name and password to the server, we don't want that session ID ever to be sent over an insecure connection, where it would be vulnerable to eavesdropping. Setting the secure flag asks the client never to send that cookie over an insecure connection. In theory, "secure" and "insecure" are left to the interpretation of individual clients, but in practice "secure" means "HTTPS connection".
Of course, calling setSecure(true) doesn't magically turn insecure connections into secure connections. It only tells the browser not to send this cookie if the connection is not secure. In order to set up a secure connection, you have to make sure that the client is making an HTTPS request and that your server is set up to handle HTTPS.
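The following login servlet is an added example (not code from the original notes) showing the secure-flag idea above in practice: it issues a session ID cookie with setSecure(true), and, because the flag does not make the connection secure, it first checks request.isSecure() and refuses to issue the cookie over plain HTTP. The servlet name, the cookie name "SID" and the assumption that credentials were already verified are assumptions for the example; setHttpOnly() requires Servlet 3.0 or later.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical login servlet (example only): issues a session ID cookie over HTTPS only.
public class SecureLoginServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "SID";   // cookie name chosen for this example
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {

        // setSecure(true) does not create a secure channel; the request must
        // already have arrived over HTTPS, so refuse to issue the cookie otherwise.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Login must be submitted over HTTPS");
            return;
        }

        // Assumed: the user name and password were verified before this point.
        // A fresh, unguessable session ID stands in for them on later requests;
        // the server would store it against the authenticated user (not shown).
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        Cookie c = new Cookie(SESSION_COOKIE, sessionId);
        c.setSecure(true);     // browser returns it over HTTPS connections only
        c.setHttpOnly(true);   // Servlet 3.0+: not readable by scripts in the page
        c.setPath("/");        // sent to every URL on this server
        c.setMaxAge(-1);       // no lifetime: discarded when the browser closes

        // addCookie() must come before any body content so the header is sent.
        response.addCookie(c);

        response.setContentType("text/html");
        response.getWriter().println("<html><body>Logged in.</body></html>");
    }
}
```

The isSecure() check is what makes the flag meaningful: a servlet that sets the flag but accepts the login itself over HTTP has already exposed the password, even though the cookie would then be protected.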
How to Create a Cookie using Java Servlets
The Steps to Create a Cookie in Servlet
1) The Servlet is invoked by the client machine, which passes
in its request the information that will be stored in the
cookie.
2) The Servlet creates an instance of the Cookie
class, calling the constructor with an initial binding.
Cookie c = new Cookie(name, value);
3) OPTIONAL: As desired, set other attributes using the
Cookie's setXXX() methods.
c.setXXX(...);
4) Send the cookie to the client using the addCookie(c)
method of the HttpServletResponse class, before sending any
other content. This method inserts the Cookie into the
HTTP response header.
response.addCookie(c);
The Steps to Receive a Cookie in a Servlet
1) The Servlet is invoked by the client machine,
whose browser sends along with the request the Cookie(s) it
has associated with the Servlet's web site.
2) The Servlet checks whether any Cookies were sent to it
in the HTTP request (specifically the header) that invoked it,
via the getCookies() method of the HttpServletRequest class.
Cookie c[] = request.getCookies();
- Note: if there are no cookies being sent in the
HTTP request header, then this method call will return
a zero-length, non-null array!!!!
3) Have the Servlet loop through any Cookies retrieved
in step 2, calling the getName() method to find the Cookie
whose information it wants.
4) Once you have, from step 3, the Cookie you are looking for,
you can call the Cookie's getValue() method to get the value
associated with the name of the binding you wish.
Creating Cookie Example:
Suppose there is an HTML form that asks the user for their
choice of a handle that will be used on the site, which allows
chat. This will be used to identify the user to other
people on the chat. When the client submits the handle
information, we want to invoke a Java Servlet that will in
turn create a Cookie with this information stored. This
is useful so that if the user returns to the web site, they
do not have to enter this information again.
1) Create an HTML form that upon submit invokes a Servlet.
2) The Servlet reads in the handle parameter sent to it and
creates a cookie which it sends to the client.
3) TIME PASSES, including possible client reboots.
4) The client returns to the web site, and this time sends the
cookie.
5) The server processes the request, this time with the information
in the cookie it received.
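As an added example (not the source code the notes link to), the servlet below carries out steps 1 and 2 of this scenario and, with them, the four "Steps to Create a Cookie" above: a GET renders the handle form, and the POST it submits builds the Cookie, sets its attributes and sends it with addCookie() before any output. The servlet name, the cookie name "Handle", the form field name "handle", the one-year lifetime and the "/chat" path are assumptions for the example. The handle is restricted to a safe character set because cookie values cannot reliably carry separators such as ';' and ',', and because the value is later echoed into HTML.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (example only): GET shows the handle form, POST stores the handle in a cookie.
public class CreateHandleCookieServlet extends HttpServlet {

    static final String HANDLE_COOKIE = "Handle";                 // cookie name, as in the notes' binding example
    private static final Pattern HANDLE_OK = Pattern.compile("[A-Za-z0-9_]{1,32}");

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 1: the HTML form whose submit invokes this servlet (POST to the same URL).
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<form method=\"post\">Choose a chat handle: ");
        out.println("<input type=\"text\" name=\"handle\" maxlength=\"32\">");
        out.println("<input type=\"submit\" value=\"Save\"></form>");
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 2: read the handle parameter and turn it into a cookie.
        String handle = request.getParameter("handle");

        // Accept only letters, digits and underscores: keeps the value valid for
        // a Set-Cookie header and harmless when placed into a generated page.
        if (handle == null || !HANDLE_OK.matcher(handle).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "handle must be 1-32 letters, digits or underscores");
            return;
        }

        Cookie c = new Cookie(HANDLE_COOKIE, handle);  // the Name=Value binding
        c.setMaxAge(60 * 60 * 24 * 365);               // lifetime of one year: survives reboots
        c.setPath("/chat");                            // only sent to URLs under /chat (assumed path)

        // addCookie() must precede any body output so the Set-Cookie header goes out.
        response.addCookie(c);

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Handle " + escapeHtml(handle)
                + " saved; it will be remembered on your next visit.</body></html>");
    }

    // Minimal HTML escaping for text placed inside an element body.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Without a setMaxAge() call the cookie would live only until the browser closes, which defeats the purpose of remembering the handle across visits; the setPath() call is what decides which URLs the browser will later send it to.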
Accepting Cookie Example:
This Servlet is responsible for accepting and using the
cookie generated in the Creating Cookie Example above.
Specifically, it will look for the appropriate cookie that
has the user's pre-specified handle and greet them using it.
1) The Servlet accepts any cookies passed to it and
looks for the one from the above example.
2) It uses the value bound to this cookie as a handle
to greet the client with, in a generated HTML page it returns
to the client.
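The greeting servlet below is an added example (not the source code the notes link to) that performs the two steps of this scenario and, with them, the four "Steps to Receive a Cookie" above: it calls getCookies(), loops over the array comparing getName() against "Handle", and uses getValue() in the page it generates. The servlet and cookie names are assumptions carried over from the creating example. Two checks are included that a practitioner would want: the Javadoc for HttpServletRequest.getCookies() specifies that it returns null when the request carries no cookies, so the loop guards against null as well as an empty array; and because the client controls cookie contents, the value is re-validated and HTML-escaped before being echoed.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (example only): greets the client using the handle stored in a cookie.
public class GreetByHandleServlet extends HttpServlet {

    static final String HANDLE_COOKIE = "Handle";                 // same cookie name as the creating servlet
    private static final Pattern HANDLE_OK = Pattern.compile("[A-Za-z0-9_]{1,32}");

    // Steps 2-4 of receiving a cookie: scan the array for the one named "Handle"
    // and return its value, or null when it is absent or not trustworthy.
    static String findHandle(Cookie[] cookies) {
        if (cookies == null) {          // Javadoc: null when the request carries no cookies
            return null;
        }
        for (Cookie c : cookies) {      // zero-length array: loop body never runs
            if (HANDLE_COOKIE.equals(c.getName())) {
                String value = c.getValue();
                // The browser's cookie store can be edited, so apply the same
                // rule as when the cookie was created before using the value.
                return value != null && HANDLE_OK.matcher(value).matches() ? value : null;
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 1: the browser attached the cookies it associates with this site.
        String handle = findHandle(request.getCookies());

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        if (handle == null) {
            out.println("Welcome! You have not chosen a chat handle yet.");
        } else {
            out.println("Welcome back, " + escapeHtml(handle) + "!");
        }
        out.println("</body></html>");
    }

    // Minimal HTML escaping for text placed inside an element body.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Keeping the lookup in a separate findHandle() method makes the null and empty-array cases easy to exercise in a unit test with a constructed Cookie[] and no servlet container.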
Exercise