Is there a maximum number of cookies which you can set on a single HTTP response? If yes, how many?
Because I'm trying to create 2 cookies in one response, for some reason only one is getting created. I'm using the code below.
Cookie cookie = new Cookie("wNote", "1530571761964");
cookie.setMaxAge(2592000);
cookie.setPath("/myWebsite/");
response.addCookie(cookie);
The other cookie is the JSESSIONID, which is being created by the server automatically. In the response headers under Set-Cookie I can see only JSESSIONID.
Apache Tomcat 8.0.27
Google Chrome 67.0
If you are using Tomcat, then HttpServletResponse.addCookie(javax.servlet.http.Cookie) adds only one Cookie per call, but this method can be called multiple times:
The servlet sends cookies to the browser by using the HttpServletResponse.addCookie(javax.servlet.http.Cookie) method, which adds fields to HTTP response headers to send cookies to the browser, one at a time.
This method can be called multiple times to set more than one cookie.
The browser is expected to support 20 cookies for each Web server, 300 cookies total, and may limit cookie size to 4 KB each.
Cookies Doc
OK, going deeper into this, I checked RFC 2109:
Practical user agent implementations have limits on the number and
size of cookies that they can store. In general, user agents' cookie
support should have no fixed limits. They should strive to store as
many frequently-used cookies as possible. Furthermore, general-use
user agents should provide each of the following minimum capabilities
individually, although not necessarily simultaneously:
at least 300 cookies
at least 4096 bytes per cookie (as measured by the size of the
characters that comprise the cookie non-terminal in the syntax
description of the Set-Cookie header)
at least 20 cookies per unique host or domain name
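The answer above says that addCookie() is called once per cookie, and the RFC 2109 text quoted after it gives the minimum number and size of cookies a browser has to accept. The following is an added example, not code from the question, the answers or Tomcat: a hypothetical servlet that sets several cookies in one response and, before adding them, checks the batch against those two minimums (20 per host, 4096 bytes each) so that an over-budget response is logged instead of being silently truncated by the browser. The class name, the second cookie and the log message are assumptions; the first cookie's name, value, max age and path are the ones from the question.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet: each addCookie() call becomes its own Set-Cookie header,
 * so several cookies can be set in one response. Before adding, the batch is
 * checked against the RFC 2109 minimum capabilities (20 cookies per host,
 * 4096 bytes per cookie); anything beyond that may be dropped by a browser.
 */
public class MultiCookieServlet extends HttpServlet {

    static final int MAX_COOKIES_PER_HOST = 20; // RFC 2109 minimum a user agent must support
    static final int MAX_COOKIE_BYTES = 4096;   // RFC 2109 minimum size per cookie

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        List<Cookie> toSet = new ArrayList<>();
        toSet.add(newCookie("wNote", "1530571761964")); // the cookie from the question
        toSet.add(newCookie("theme", "dark"));           // constructed second cookie

        // Cookies the browser already holds for this host count toward the per-host budget.
        Cookie[] present = req.getCookies();
        int existing = present == null ? 0 : present.length;
        List<String> problems = checkBudget(toSet, existing);
        for (String p : problems) {
            // Log rather than fail: the response is still valid, the browser may just drop some.
            getServletContext().log("cookie budget: " + p);
        }

        for (Cookie c : toSet) {
            resp.addCookie(c); // one Set-Cookie header per call
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("set " + toSet.size() + " cookies");
    }

    /** Builds a cookie with the attributes an application cookie should carry by default. */
    static Cookie newCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setMaxAge(2592000);    // 30 days, as in the question
        c.setPath("/myWebsite/");
        c.setHttpOnly(true);     // not readable from page scripts (Servlet 3.0+)
        c.setSecure(true);       // only sent over HTTPS
        return c;
    }

    /**
     * Returns human-readable problems: any cookie whose serialized "name=value"
     * exceeds 4096 bytes, and a total for this host that exceeds 20 cookies.
     */
    static List<String> checkBudget(List<Cookie> cookies, int alreadyStored) {
        List<String> problems = new ArrayList<>();
        for (Cookie c : cookies) {
            int bytes = (c.getName() + "=" + c.getValue()).getBytes(StandardCharsets.UTF_8).length;
            if (bytes > MAX_COOKIE_BYTES) {
                problems.add(c.getName() + " is " + bytes + " bytes (limit " + MAX_COOKIE_BYTES + ")");
            }
        }
        int total = alreadyStored + cookies.size();
        if (total > MAX_COOKIES_PER_HOST) {
            problems.add(total + " cookies for this host (limit " + MAX_COOKIES_PER_HOST + ")");
        }
        return problems;
    }
}
```

Deployed on Tomcat 8 (Servlet 3.1), a request to this servlet produces two Set-Cookie headers. If the question's response really shows only JSESSIONID, the likely causes are that addCookie() was not reached (or was called after the response was committed), or that the browser dropped the cookie at its end rather than the count limit being hit with two cookies.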
I am repeating the airbnb request from a Java application using Apache HTTP Components while being outside of the US. In Chrome and Mozilla I am getting the price in dollars, in my Java application in the local currency. Also, I am getting the local currency price in Safari, which was not used for airbnb before. So, the difference is in cookies, correct?
However, when I see the cookies in Chrome I do not see the cookie that is responsible for location. There is a list of 45 cookies, should I add to HTTP request all of them? Is there any other way to get prices in dollars?
There is no currency in this list of 45 cookies, still I tried to add the currency
BasicCookieStore cookieStore = new BasicCookieStore();
BasicClientCookie cookie = new BasicClientCookie("currency", "USD");
cookie.setDomain(".airbnb.com");
cookie.setPath("/");
cookieStore.addCookie(cookie);
HttpClient client = HttpClientBuilder.create().setDefaultCookieStore(cookieStore).build();
This did not help. Would it be possible to add cookies from the Chrome cookies directory?
You are right, it is cookies. You are wrong, it's not location. There is a currency header, as can be seen:
This is also how it is set during a GET method:
Usually, the browser's language appears as accept-language in HTTP request headers. To my knowledge, there are no cookies indicating the origin country of the request or the currency in all browsers and in all HTTP requests (I think Chrome has one, but it's unreliable).
If this header key is not there, alternatively, you can check http-accept-language in the request header (it depends on the parser you are using).
Consider that I have cookies of >5KB in size, which hold confidential data generated on the client side that no one else can see.
So I'm trying to restrict that data from being sent with the request. Is there any way to say "do not send these cookies with the request"?
As per cookies spec
When it sends a request to an origin server, the user agent includes a Cookie request header if it has stored cookies that are applicable to the request.
What gives me hope in the spec is "stored cookies that are applicable to the request".
How do I make them not applicable to the request?
So is this impossible ? Is there any way to configure web.xml in such a way like we set http-only?
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
The limit for cookies per domain is about 4KB, which you already exceed. Therefore, you ought to put all the confidential information into a session table instead of a cookie.
The HTTP specification states that all cookie data needs to be sent with each request, because the server probably needs it. If you do not want that, then do not store data inside cookies, but use a different method of storing this sensitive information.
There is as well a good chance, that this sensitive information ends up in the access logs of the target server, another reason to not use cookies for that case.
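The answer recommends keeping the confidential data in a server-side session rather than in cookies, and the question shows the web.xml cookie-config block that sets the session cookie to HttpOnly. The following is an added example, not code from the question or the answer: a hypothetical servlet that accepts the payload in the POST body, keeps it in the HttpSession so only the JSESSIONID cookie travels with later requests, and a listener that applies the same HttpOnly setting programmatically (javax.servlet.SessionCookieConfig, Servlet 3.0+) and adds the Secure flag. The URL mapping, the parameter name "blob", the attribute name and the idle timeout are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet that keeps the confidential payload on the server.
 * Only the session id cookie (JSESSIONID) travels with each request; the
 * secret itself never appears in a Cookie header or in an access log.
 */
@WebServlet("/secret")
public class SessionStoreServlet extends HttpServlet {

    private static final String ATTR = "confidentialBlob"; // constructed attribute name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The >5 KB payload arrives as a POST form field, not as a cookie.
        String blob = req.getParameter("blob");
        if (blob == null || blob.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing blob");
            return;
        }
        HttpSession session = req.getSession(true); // creates the session and the JSESSIONID cookie
        session.setAttribute(ATTR, blob);            // stays in the server-side session store
        session.setMaxInactiveInterval(15 * 60);     // drop idle sessions after 15 minutes
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // do not create a session just to look
        Object blob = session == null ? null : session.getAttribute(ATTR);
        if (blob == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "nothing stored for this session");
            return;
        }
        // Report only the size; the content itself stays on the server.
        resp.setContentType("text/plain");
        resp.getWriter().println("stored payload is " + blob.toString().length() + " chars");
    }

    /**
     * Programmatic equivalent of the web.xml <session-config><cookie-config> block
     * from the question, extended with the Secure flag: the session cookie is then
     * neither readable by page scripts nor sent over plain HTTP.
     */
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setHttpOnly(true);
            cfg.setSecure(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // nothing to release
        }
    }
}
```

With this layout the Cookie header of every later request carries a single short identifier, so neither the 4 KB per-cookie limit nor the access-log exposure mentioned in the answer applies to the confidential data. The session itself has to be sized and expired sensibly, since the payload now occupies server memory (or whatever session store the container is configured with) for the lifetime of the session.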
I have a domain 'www.foo.com' and I want to create sub domain 'test.foo.com'.
In order to combine those 2 domains to share only one cookie I set the cookie to be like that:
Cookie cookie = new Cookie("myCookie", "myValue");
cookie.setMaxAge(60 * 60);
cookie.setDomain(".foo.com");
So from now on there will be only one cookie, 'foo.com', and the values will be saved in the same cookie.
The problem is for old users: for them there will be two cookies ('www.foo.com' and 'foo.com'). How can I merge those two cookies into one?
One more thing: users from 'test.foo.com' will eventually visit 'www.foo.com' and vice versa.
Get the old cookie from the http servlet request, then set its max age to 0. That will trigger the client side to get rid of it (in its own time, normally right away). Also, see the Javadoc on Cookie.
setMaxAge
public void setMaxAge(int expiry)
Sets the maximum age in seconds for this Cookie.
A positive value indicates that the cookie will expire after that many seconds
have passed. Note that the value is the maximum age when the cookie will expire,
not the cookie's current age.
A negative value means that the cookie is not stored persistently and will be
deleted when the Web browser exits. A zero value causes the cookie to be deleted.
Parameters:
expiry - an integer specifying the maximum age of the cookie in seconds;
if negative, means the cookie is not stored; if zero, deletes the cookie
See Also:
getMaxAge()
You will need to parse through your cookies and search for the one you are trying to get rid of. Something like this:
final Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
if (cookies != null) for (Cookie cookie : cookies) {
    if ("www.foo.com".equals(cookie.getDomain())) {
        cookie.setMaxAge(0);        // a zero max age tells the browser to discard it
        response.addCookie(cookie); // the expired cookie must be sent back in the response
    }
}
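The answer's approach (read the old cookie, set its max age to 0 and send it back) is right, but one detail matters in practice: the browser's Cookie request header carries only name=value pairs, not the Domain or Path attributes the cookie was set with, so Cookie.getDomain() on a request cookie is null in the servlet API and cannot tell the old 'www.foo.com' cookie from the new '.foo.com' one. The following is an added example, not code from the question or the answer: a hypothetical servlet that reads whatever "myCookie" values arrive, writes the value to keep once as the '.foo.com' domain cookie, and expires the legacy host-only copy with a Set-Cookie that has the same name and path but no Domain attribute, which is what matches the old cookie. The class name, the "/" path and the keep-the-first-value merge rule are assumptions; the cookie name, domain and max age are the ones from the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical migration servlet for the www.foo.com / test.foo.com case.
 * (a) read the value(s) of "myCookie" the browser sent,
 * (b) set the merged value once as the ".foo.com" domain cookie,
 * (c) expire the legacy host-only cookie with a Set-Cookie carrying no Domain.
 */
public class CookieMergeServlet extends HttpServlet {

    static final String NAME = "myCookie";
    static final String SHARED_DOMAIN = ".foo.com";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String merged = mergedValue(req.getCookies());

        // (b) the single cookie that both www.foo.com and test.foo.com will see from now on
        Cookie shared = new Cookie(NAME, merged);
        shared.setDomain(SHARED_DOMAIN);
        shared.setPath("/");
        shared.setMaxAge(60 * 60);
        shared.setHttpOnly(true);
        shared.setSecure(true);
        resp.addCookie(shared);

        // (c) expire the legacy host-only cookie: same name and path as it was set with,
        //     and NO Domain attribute, so the browser matches the www.foo.com cookie
        Cookie legacy = new Cookie(NAME, "");
        legacy.setPath("/");
        legacy.setMaxAge(0);
        resp.addCookie(legacy);

        resp.setContentType("text/plain");
        resp.getWriter().println("merged value: " + merged);
    }

    /**
     * (a) Chooses the value to keep when the request carries duplicates of NAME.
     * While both cookies exist the browser sends both "myCookie=..." pairs; this
     * example keeps the first non-empty one. Returns "" when none is present.
     */
    static String mergedValue(Cookie[] cookies) {
        if (cookies == null) return "";
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return "";
    }
}
```

The two Set-Cookie headers in one response do not collide: a cookie with Domain=.foo.com and a host-only cookie of the same name are distinct entries in the browser's jar, so the domain cookie is created while the host-only one is removed. The Path on the expiring cookie has to equal the path the old cookie was originally set with, or the browser treats it as yet another cookie.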
I am confused on the documentation of the javax.servlet.http.HttpSession.
It says:
Sessions are used to maintain state and user identity across multiple
page requests. A session can be maintained either by using cookies or
by URL rewriting.
Now both cookies and URL rewriting are handled by application code in server (i.e. our code).
Then it says relating to when a session is considered as new:
The server considers a session to be new until it has been joined by
the client. Until the client joins the session, the isNew method
returns true. A value of true can indicate one of these three cases:
1. the client does not yet know about the session
2. the session has not yet begun
3. the client chooses not to join the session. This case will occur if the client supports only cookies and chooses to reject any cookies
sent by the server. If the server supports URL rewriting, this case
will not commonly occur.
I am not clear on when it is considered/meant that the client has joined the session.
I mean if I don't use cookies from my web application (or URL rewriting) and I have the following:
POST from IP A to server
200 OK from server to A
POST from IP A to server
In step 3 will the session.isNew() return true or false? It is not clear to me from the doc.
Will it return false (i.e. the session is not new) and I will have to call session.invalidate() in order to create a new session?
The reason this confuses me more is because I am debugging a piece of code where the client is an HTTP application but not a web browser, and I see that in step 3 session.isNew() does not return true although there is no cookie or URL rewriting in the server code.
So I cannot figure out what is going on under the hood.
Any info that could help understand this?
Here is a nice example of Session Tracking
Client has joined the session means that the client made a subsequent request and included the session id, which can be recognized by your webserver. If cookies are enabled, jsessionid will be passed with cookies; otherwise it should be included in the URL itself, like this: http://localhost:8080/bookstore1/cashier;jsessionid=c0o7fszeb1.
In JSP c:url from Core Tag Library will handle URL rewriting for you.
In case of B2B communication you have to obtain session id by yourself and include it in subsequent requests manually.
Example:
POST from IP A to server
200 OK from server to A
A obtains session id from the response
POST from IP A to server and includes obtained session id
UPDATE:
Consider reading a great article - "Web Based Session Management: Best practices in managing HTTP-based client sessions." It's a general overview of how HTTP sessions can be emulated and is not tied to Java.
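The four-step sequence in the answer (request, response with session id, client extracts the id, request that replays it) can be shown end to end. The following is an added example, not code from the question or the answer: a hypothetical servlet that reports whether the current request "joined" a session (HttpSession.isNew() and HttpServletRequest.isRequestedSessionIdValid()), and a hypothetical B2B client built on java.net.HttpURLConnection that performs steps 3 and 4 by hand, copying only the JSESSIONID name=value pair from the Set-Cookie header into the Cookie header of the next request. The endpoint URL is a placeholder and the class names are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical servlet reporting whether the client has joined the session.
 * "Joined" means the request presented a session id the container recognises,
 * either in a JSESSIONID cookie or as a ;jsessionid= path parameter.
 */
public class JoinProbeServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true); // first call creates it and emits Set-Cookie
        resp.setContentType("text/plain");
        resp.getWriter().printf("session=%s isNew=%b validIdPresented=%b%n",
                session.getId(), session.isNew(), req.isRequestedSessionIdValid());
    }
}

/** Hypothetical B2B client doing steps 3 and 4 of the sequence in the answer by hand. */
class JoinClient {
    public static void main(String[] args) throws IOException {
        URL url = new URL("https://example.invalid/app/probe"); // placeholder endpoint

        // Step 1/2: no session id yet -> server answers isNew=true plus a Set-Cookie header.
        HttpURLConnection first = post(url, null);
        String sessionCookie = extractSessionCookie(first.getHeaderFields());
        System.out.println("first: " + first.getResponseCode() + ", cookie " + sessionCookie);

        // Step 3/4: replay ONLY the name=value pair -> server now answers isNew=false.
        HttpURLConnection second = post(url, sessionCookie);
        System.out.println("second: " + second.getResponseCode());
    }

    /** Sends an empty POST, attaching the given Cookie header value when not null. */
    static HttpURLConnection post(URL url, String cookieHeader) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        if (cookieHeader != null) conn.setRequestProperty("Cookie", cookieHeader);
        conn.getOutputStream().close(); // empty body
        conn.getResponseCode();         // forces the exchange so headers are available
        return conn;
    }

    /**
     * Picks "JSESSIONID=<id>" out of the Set-Cookie headers, dropping attributes such
     * as Path or HttpOnly, which belong in Set-Cookie but never in a Cookie header.
     */
    static String extractSessionCookie(Map<String, List<String>> headers) {
        if (headers == null) return null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() == null || !e.getKey().equalsIgnoreCase("Set-Cookie")) continue;
            for (String h : e.getValue()) {
                String pair = h.split(";", 2)[0].trim();
                if (pair.startsWith("JSESSIONID=")) return pair;
            }
        }
        return null;
    }
}
```

Run against the probe servlet, the first request reports isNew=true and the second isNew=false, which is the "joined" state the Javadoc describes. For the question's non-browser client, the thing to check is whether the HTTP library it uses keeps a cookie jar of its own: many do by default, in which case the JSESSIONID is replayed without any cookie code in the server, and isNew() turns false on the second request exactly as observed.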
I have found a strange behaviour (strange for me, a novice :D) in my project.
Basically, after an action I create or update a cookie (depending on whether it exists or not) and send it to the client. The strange thing is that in the JSP I can read the cookie ONLY when I update its value (and I get the updated value, not the old one) but not the first time, when I create it (I can see the cookie using a browser tool but it seems that the JSP can't read it).
Is this a normal behaviour? If yes, what do you suggest to do in order to have the cookie information available also at the first time?
Thanks very much!
Roberto
If you create or update a cookie, it will be stored in the response header. If you request a cookie, it will be requested from the request header.
I think your problem is that you're forwarding the same request from servlet to JSP and that you expect that the new cookie is already available in the request header. This is not true. The new cookie is only available in the subsequent requests.
You have 2 options:
Redirect to JSP. A redirect will create a new request.
Store the data of interest as request attribute and let EL in JSP access it.
By the way, I saw in one of your comments that you're using plain Java code to read cookies in a JSP. I would only say that using scriptlets in JSP is a bad practice. You can access cookie values easily in EL as follows:
${cookie.cookiename.value}
[Edit] Oh my, now I see that this is an old topic. Hopefully my efforts weren't all for nothing :/
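The answer's two options (redirect so the browser issues a new request that carries the cookie, or forward and pass the value as a request attribute) can be shown in one servlet. The following is an added example, not code from the question or the answer: a hypothetical visit counter that reads the cookie from the request, writes the incremented value with addCookie(), and then takes one of the two routes depending on a query parameter. The cookie name "visits", the "mode" parameter and the page /visits.jsp are assumptions; in that JSP, ${cookie.visits.value} works only on the redirect route, while ${visits} (the request attribute) works on the forward route.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet showing both options from the answer. The cookie written with
 * addCookie() lives in the RESPONSE; a JSP forwarded to in the same request still reads
 * the REQUEST, where the cookie is absent until the browser sends it back.
 */
public class FirstVisitCookieServlet extends HttpServlet {

    static final String NAME = "visits";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        int visits = currentVisits(req.getCookies()) + 1; // 1 on the very first visit

        Cookie c = new Cookie(NAME, Integer.toString(visits));
        c.setPath("/");
        c.setMaxAge(60 * 60 * 24);
        c.setHttpOnly(true);
        resp.addCookie(c); // goes into the response header, not into req.getCookies()

        if ("redirect".equals(req.getParameter("mode"))) {
            // Option 1: the browser issues a NEW request that carries the cookie,
            // so ${cookie.visits.value} is available to the JSP on that request.
            resp.sendRedirect(req.getContextPath() + "/visits.jsp");
        } else {
            // Option 2: forward within the same request and hand the value over as a
            // request attribute; the JSP reads ${visits} instead of ${cookie.visits.value}.
            req.setAttribute("visits", visits);
            req.getRequestDispatcher("/visits.jsp").forward(req, resp);
        }
    }

    /** Parses the counter from the request cookies; 0 if absent or not a number. */
    static int currentVisits(Cookie[] cookies) {
        if (cookies == null) return 0;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                try {
                    return Integer.parseInt(c.getValue());
                } catch (NumberFormatException e) {
                    return 0; // garbled or tampered value: start over rather than trust it
                }
            }
        }
        return 0;
    }
}
```

This also explains the symptom in the question: on the update path the cookie was already sent by the browser in the request, so the JSP sees the (old) request copy while the servlet writes the new one into the response; on the create path there is no request copy at all, so the JSP finds nothing.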
Cookies are stored on the client, so if the response hasn't reached the client yet, its value is not updated, but it should be available on the next requests.
Cookies are used to identify clients when they send you any requests. Here's what you are doing when you set the cookie up: you are sending the cookie to the client along with the response. And when that client sends his next request, the cookie that you set comes along with it. So, in the JSP page where you are setting up the cookie, you don't have a request from the client with the cookie! So you can't read it. But what you can do is what jerjer has said above (i.e. use a temp and store the cookie's value in it, and don't try to retrieve the cookie; just read the temp value). And I see you say you can read the cookie only when you update. You will be able to read the cookie's value from future requests after the cookie is set, even if you don't update it. Hope this helps.