Interacting with Cookies from JSP - JSP

Interacting with Cookies from JSP

JSP technology does enable you to interact with cookies. There is a javax.servlet.http.Cookie class that can be instantiated. Instances can then be used to leave cookies on the client with the addCookie(Cookie cookie) method of the HttpServletResponse.

Listing provides an example of a basic JSP that will store a cookie on the client machine. Listing cookies.jsp

The first scriptlet in this example is used to obtain the current cookie information. This is done with a call to getCookies() on the HttpServletRequest object. The returned array is then queried to obtain our test cookie if it exists. The example JSP then creates the new cookie object, providing both a name and a value for the cookie. This block is only invoked when the cookie does not already exist. At the foot of the page, the cookie information is displayed. This is only invoked when the cookie exists. Thus, when you first visit this page in a browser, the output states that a cookie has been added to your machine. However, when a subsequent visit is made, the cookie information is displayed. See Figure to see the output.


The lifetime for this cookie ends when the browser is closed. The maxAge value of –1, which is seen in Figure denotes this. Persistent cookies, which will be discussed later, must be used to enable cookies to persist beyond this.
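The listing itself is not reproduced on this page, so the following is an added example of a JSP that behaves as described above; it is not the original cookies.jsp. The cookie name and value are assumptions, and the esc() helper is added so that the client-supplied cookie value is HTML-escaped before it is displayed.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%!
    // Cookie values come back from the client and can be edited there,
    // so HTML-escape anything that is echoed into the page.
    private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
%>
<%
    // Assumed name; the original listing's cookie name is not on this page.
    final String COOKIE_NAME = "testCookie";

    // getCookies() returns null, not an empty array, when the request
    // carries no cookies, so check before iterating.
    Cookie found = null;
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (COOKIE_NAME.equals(cookies[i].getName())) {
                found = cookies[i];
                break;
            }
        }
    }

    if (found == null) {
        // First visit: queue a Set-Cookie header on the response.
        // setMaxAge() is not called, so maxAge stays at -1 and the
        // cookie is discarded when the browser is closed.
        Cookie cookie = new Cookie(COOKIE_NAME, "first-visit");
        response.addCookie(cookie);
    }
%>
<html>
<body>
<% if (found == null) { %>
    <p>A cookie has been added to your machine.</p>
<% } else { %>
    <p>Name: <%= esc(found.getName()) %></p>
    <p>Value: <%= esc(found.getValue()) %></p>
    <p>Max age: <%= found.getMaxAge() %></p>
<% } %>
</body>
</html>
```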

Cookie Versions

Both Internet Explorer and Netscape browsers understand cookies. There are, however, two different versions of cookies: version 0, which is the original Netscape specification, and also a more recent version referred to as RFC 2109. The standards are defined at the following URLs:


The output from Listing after a cookie has been created.


You have control over the version of your cookie with the following two methods:

void setVersion(int version)
int getVersion()

The accepted version numbers are 0 for the original Netscape specification, and 1 for the new RFC 2109. Currently, RFC 2109 is not widely in use, but it may well become more popular in the future. The default is version 0.

Cookie Comments and Cookie Security

Cookies can also have comments set for them, which are typically used to describe the purpose of the cookie. Cookie comments are set and retrieved with the following methods:

void setComment(String comment)
String getComment()

It is also possible to specify that a cookie be sent using a secure protocol. HTTP on its own is not a secure protocol, and it might be that your cookie must only be sent over a secure protocol. To ensure that a cookie is only sent over a secure protocol such as HTTPS, you can use the method:

void setSecure(boolean bool)

To query a cookie to identify whether it is only to be sent over a secure protocol you can use the following:

boolean getSecure()

A more detailed discussion on Web security can be found in Chapter 16, "Security and JSP."
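As an added example (not code from the original chapter), the scriptlet below sets a sensitive cookie with setSecure(true) and issues it only when the current request itself arrived over HTTPS, because the Set-Cookie header of a plain HTTP response travels in clear text regardless of the flag. The cookie name, the placeholder value and the use of setHttpOnly(), which requires Servlet 3.0 or later, are assumptions.

```jsp
<%
    // Assumed cookie name; the value must be generated on the server.
    final String TOKEN_NAME = "authToken";
    boolean issued = false;

    // isSecure() is true when the request reached the container over a
    // secure channel such as HTTPS. Behind a TLS-terminating proxy the
    // container has to be configured so that this reflects the client's
    // connection rather than the proxy-to-server hop.
    if (request.isSecure()) {
        Cookie token = new Cookie(TOKEN_NAME, "REPLACE_WITH_SERVER_GENERATED_VALUE");

        // Browser returns this cookie only over a secure protocol.
        token.setSecure(true);

        // Servlet 3.0+: hide the cookie from client-side script, which
        // limits what a script injected into the page can read.
        token.setHttpOnly(true);

        // Restrict the cookie to this Web application's paths.
        token.setPath(request.getContextPath() + "/");

        response.addCookie(token);
        issued = token.getSecure();   // true: flag is set on the cookie
    }
%>
<html>
<body>
<% if (issued) { %>
    <p>Secure cookie issued.</p>
<% } else { %>
    <p>This page was requested over plain HTTP, so the secure cookie
       was not sent. Reload the page over HTTPS.</p>
<% } %>
</body>
</html>
```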

Persistent Cookies

Cookies can be created to live beyond the lifetime of a browser session. Sites such as use these cookies. Sites that use these cookies remember users even after the browser has been shut down. To create a persistent cookie using JSP, you will need to set the maxAge property. This property is an int, specifying the number of seconds that this cookie should last. The following line of code could be added to Listing 8.1 at the point where our cookie is created.

cookie.setMaxAge(1800);

If you add this line and load the page again, it should result in the same output. The difference will be when you restart the browser. When you restart, it should still display a page similar to Figure. The cookie has survived. In fact, it will survive for 1,800 seconds! You might notice that the maxAge value shown in the Web page remains on –1. This is an issue with the implementation not returning the maxAge correctly. When cookies are persistent, they have to be saved somewhere as a text file. Internet Explorer 6 on Windows XP, for example, saves the cookie file as a text file with the name as follows:

<user name>@<domain specific identifier>.txt.

This file will be placed into the Cookies folder under your user folder within the Documents and Settings folder. So for this example, it would be as follows:

C:\Documents and Settings\Nick Todd\Cookies\nick

The saved persistent cookie from my computer referred to previously looked like this:


Cookie Limitations

Cookies are not the only way to track user interactions. In fact, a significant number of Web users have cookies disabled within their browsers. Some large corporate organizations, for example, disable cookies in the browsers of all their staff. Depending on which surveys you believe, anywhere between 10% and 40% of browser users have cookies disabled. It is also worth noting that not all handheld devices support the use of cookies. The main reasons for people deliberately disabling cookies are concerns about privacy. Some companies use cookies to provide targeted banner advertising.

Practices such as these, combined with misinformation about what cookies actually are, have contributed to many individuals and organizations disabling cookies. There are reasons to be concerned though. Both Netscape and Internet Explorer have needed patches to be installed to prevent the malicious stealing of cookies from client machines. The following URLs from news sites contain articles about the vulnerabilities of both IE and Netscape:

The problem facing developers is this: What do I do if some of my clients have disabled cookies? There is an alternative mechanism, called URL rewriting, which can be used to track users in your site.
