ften) erased,
people have multiple machines.

Warning: Cookies are sent with every request to the server! As a web developer, you should avoid storing large amounts of data inside cookies. Cookies are limited to 4 KB in size.
Typically, cookies are set in an HTTP response to the browser -- the server can specify in the
document.cookie = "key = value")
An HTTP response header may look like this:

HTTP/1.1 200 OK
Set-Cookie: name2=value2; Expires=Wed, 09-Jun-2021 10:18:14 GMT

The "Set-Cookie" directive tells the browser to create a cookie with that key and value, and to send that cookie back on future requests.
E.g. a future request from the browser to the server might be:

GET /spec.html HTTP/1.1
Cookie: name=value; name2=value2
Accept: */*

Along with key-value pairs, the server can also set cookie attributes. These attributes tell the browser when to send the key-value pairs back. (Cookie attributes themselves are not sent back to the server.)
● Domain and Path
○ Tells the browser that the cookie should only be sent back for the given domain
● Expires and Max-Age
○ Tells the browser when to delete the cookie
■ Expires: provide a date
■ Max-Age: provide a number of seconds to persist
○ If neither is specified, the default is that the browser deletes the cookie after the user closes the browser.
● Secure and HttpOnly
○ These are binary attributes -- either present or not. They don’t have an associated
○ Secure: tells browsers only to use the cookie under secure/encrypted
Facebook and Google to prevent some security vulnerabilities which we won’t get
into yet.) For example:
Set-Cookie: HSID=AYQEVn….DKrdst; Do...
This document was uploaded on 03/18/2014 for the course EECS 6.170 at MIT, Spring '13.