cookie : Java Glossary


A cookie is a technique a CGI (Common Gateway Interface) server/Servlet can use to store information in an HTTP (Hypertext Transfer Protocol) client for later retrieval to remind itself where it was in dealing with the client. You could think of a cookie as a laundry ticket that the client gives back to the server to remind it who the client is and what the client and server have done together in the past.

The cookie protocol, piggy-backed on HTTP is described in RFC 6265.

How Cookies Work Books
Confidentiality Learning More
Modern Links

How Cookies Work

You can see the cookies you have accumulated in your Firefox surfing in a file called: C:\Documents and Settings\user\Application\Data\Mozilla\firefox\Profiles\gibberish.default\cookies.txt. In more recent version of Firefox, it stores them less accessibly in an SQL (Standard Query Language) database: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\gibberish.default\cookies.sqlite Here is what a typical cookie looks like inside  That cookie allows to remember my preferences when I use their search engine. I track the information for them in the Firefox cookie file. The cookie is somewhat incomprehensible, but it contains encoded information about me that the Google server finds useful. A shopping cart website might encode the contents of my shopping cart as a series of cookies.

The HTTP format of cookies in the HTTP header the server sends to the client is somewhat more human-readable, e. g.

Set-Cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT (Greenwich Mean Time)
Cookies are passed in HTTP headers. Thus they must use a restricted set of characters, basically ASCII-7 less the characters that have special meaning in HTTP headers. One way do deal with the problem of awkward characters is to use URL-encoding. See url-encoding for how.


The browser records the cookies with the site they came from, an expiry date, the cookie name and its value. They are exchanged quietly between the browser and the server without displaying them on the screen. Every time your browser makes a request of a domain/path for which it has a cookie, it automatically piggybacks the cookie in the HTTP Cookie: request header line to the server. The host does not have to request it.

Cookies can be used to track logins. The client sends in an authentication cookie with each request to remind the server it is logged in and offers some proof it is, and a hint to who it is so the server can pick up the conversation where it left off.

Applets too can play with cookies, but only with the ones put there by the server from which they were loaded, or that were put there by Applets from that server. Applets can both read and write the cookies stored in the browser, just as the server can.

Cookies In Modern Browsers, Java Servers and Applets

To handle cookies on the server you use javax.servlet.http.Cookie. The servlet sends cookies to the browser by using the HttpServletResponse. addCookie method. You should keep cookies under 4K and limit them to 20 per webserver, 300 cookies total. The cookie protocol between client and server is described in RFC 6265 section 3.3.2. The server retrieves cookies sent it by the browser/Applet with HttpServletRequest. getCookies.

To handle cookies in a client Applet you use CookieHandler. You use the static method CookieHandler. getDefault to get you the CookieHandler registered to store and retrieve all cookies for the browser. You don’t have to write your own CookieHandler. Then you use the get method of the CookieHandler object to get a list of all the relevant fields. You write a system-wide cookie handler and register it with the HTTP transport mechanism.


  1. Why does the JVM (Java Virtual Machine) insist on me signing the Applet to call CookieHandler. getDefault? Surely unsigned Applets are allowed to know their cookies. Java in general often demands signing for what seems to me innocuous actions. Presumably there is some obscure way to use cookies to subvert security.
  2. Just what sort of thing does get want in the requestHeaders Map with CookieManager. get that lets you specify just the cookies from a single URI (Uniform Resource Indicator) ?. Read the code and docs for both CookieManager.get and CookieHandler.get. Also read:

Handling Cookies in Obsolete Browsers and Java Applets

Tom Hall provided the following code snippet to allow an Applet to write a new cookie or to read the cookies it is permitted to see, without any help from the server. To delete a cookie, rewrite it with an expiry date in the past. Surprisingly, even though this code makes use of the Netscape JSObject, it works fine in Internet Explorer as well — no need to include the JSObject class files as they are packaged with IE (Internet Explorer) ’s Virtual Machine. For it to work, your APPLET tag must include the MAYSCRIPT option.

For early Java, you will also have to put the file \Program Files\netscape\communicator\program\java\classes\java40.jar on the classpath when you are compiling. In Java version 1.4 JSObject comes bundled in jaws.jar. In  Java version 1.5 or later it comes bundled in plugins.jar. Last revised/verified: 2007-04-25 The IE browser will deal with finding the classes at run time. Unfortunately, the only browser I found that supports the official method [see code snippet below] is Internet Explorer 5.5/6.0.26. Not even Netscape 4.79 works!

I have only been able to get cookies to work the official way in IE 5.5, not Opera. Best to always use the field-at-a-time method [see code snippet above]. It works in IE, Firefox, Opera, Safari and Netscape and likely the most of the others. You could also try with JavaScript read/write cookie functions.

One piece of evidence for the Mickey Mouseness of cookies is they don’t have a standard timestamp format. Java works by trying to interpret them with three different formats and none of them are ISO (International Standards Organisation) !


book cover recommend book⇒Core Web Programming, second editionto book home
by Marty Hall and Gary Cornell 978-0-13-089793-0 paperback
publisher Prentice Hall 978-0-613-92274-6 hardcover
published 2001-06-03
1250 pages. Also has some simple RMI examples. This is a great doorstop of a book. It has a few chapters on client-server programming in Java and a section of that is on CGI. I have looked at hundreds of Java books and found nothing that deals in depth with client side Java talking to CGI, except Marty’s book. It is really very simple and he does an excellent job of explaining it. Marty has posted all the source code examples from the book for anyone to use. These contain updates and errata fixes you don’t get on the CD-ROM that comes with the book.
Australian flag abe books anz abe UK flag
German flag abe UK flag
German flag abe Canadian flag
Spanish flag Canadian flag
Spanish flag Chapters Indigo Canadian flag
French flag abe abe American flag
French flag American flag
Italian flag abe Barnes & Noble American flag
Italian flag Nook at Barnes & Noble American flag
India flag Kobo American flag
UN flag other stores Google play American flag
O’Reilly Safari American flag
Powells American flag
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.
explains cookies clearly and shows you how to write server code to read and write the cookies in your visitor’s browsers.

Learning More

Oracle’s Technote Guide on Cookies : available:
Oracle’s Javadoc on client CookieHandler : available:
Oracle’s Javadoc on CORBA CookieHolder : available:
Oracle’s Javadoc on CookieHandler class : available:
Oracle’s Javadoc on CookieManager class : available:
Oracle’s Javadoc on CookiePolicy class : available:
Oracle’s Javadoc on CookieStore class : available:
Oracle’s Javadoc on HttpCookie class : available:
HttpServlet docs : available:

This page is posted
on the web at:

Optional Replicator mirror
on local hard disk J:

Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number