Evaluating Internet Application Environments
IAD Lectures
Sean Forman
- Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-2003 23:12:40 GMT
This will cause the browser to send the name=value pair for any
document from this domain until November 9.
- Set-Cookie: SHIPPING=FEDEX; path=/foo; domain=.fedex.com
This will cause the browser to send this cookie for anything starting
with /foo on the fedex.com domain until the user shuts down their browser.
- Can all data be stored as a cookie? Sort of. A cookie can
contain up to 4KB of data, and a single domain can set up to 20
cookies. However, sending 80KB of data back and forth from the
browser will be really slow. And if the user switches computers,
the data won't be portable.
- Servers can remove cookies as well. If a script re-sends a
cookie with an expiration date in the past, the browser will remove
that cookie.
- Usually you should just use the cookie to store the user's
identity and then store any of the user's information on the server
side.
- How could we do this? Storing a user's id and assuming that
they are valid based solely on their ID is probably not good enough.
- Set-Cookie: userID=sforman; domain=.amazon.com; expires=Monday, 17-Feb-03 23:12:40 GMT
- What is wrong with this? Spoofing this user would be very easy.
- A user cookie and a unique key cookie would remove this problem.
- Another possibility is to use only session-length cookies, so the
user must sign in before being given a cookie.
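The "user cookie plus unique key cookie" idea above, as an added example that is not part of the lecture: the server mints an unguessable key at sign-in, remembers which user it belongs to, and only accepts a request when the userID and sessionKey cookies match that record. The in-memory store, the cookie names and the helper functions are assumptions for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Hypothetical in-memory session store: session key -> user id.
# A real deployment would keep this in a database or cache with expiry.
SESSIONS: Dict[str, str] = {}


def issue_session(user_id: str) -> List[str]:
    """Sign a user in: mint an unguessable key, remember it server-side,
    and return the Set-Cookie header values to send to the browser."""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    SESSIONS[key] = user_id
    return [
        f"userID={user_id}; Path=/; HttpOnly; Secure",
        f"sessionKey={key}; Path=/; HttpOnly; Secure",
    ]


def authenticate(cookie_header: str) -> Optional[str]:
    """Return the user id if the Cookie header carries a userID/sessionKey
    pair that matches the server's record, otherwise None.
    A cookie with only userID=sforman (the spoofable version) is rejected."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "userID" not in jar or "sessionKey" not in jar:
        return None
    owner = SESSIONS.get(jar["sessionKey"].value)
    if owner is None:
        return None
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(owner, jar["userID"].value):
        return None
    return owner


def revoke_session(cookie_header: str) -> str:
    """Sign out: forget the key server-side and return a Set-Cookie value
    whose expiration is in the past, which makes the browser drop it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sessionKey" in jar:
        SESSIONS.pop(jar["sessionKey"].value, None)
    return "sessionKey=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
```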
Copyright© 2003, Saint Joseph's University and Sean Forman