HTTP State Management with Cookies
By: Bruce Coker
    2008-08-27

    Table of Contents:
  • HTTP State Management with Cookies
  • Cookie structure
  • Implementation
  • Cookies and PHP
  • Web Server Cookie Support


    HTTP State Management with Cookies - Cookie structure


    (Page 2 of 5)

    A cookie is structured as a simple text file. The syntax and structure of the cookie header are set out in RFC 2965, which covers the HTTP State Management Mechanism. This specifies that the cookie is to start with a name=value pair, which contains the main content. For example, the name might be "user_ID" and the value "12345678." A numerical value such as this would most probably be paired with a "friendly" user ID in a database entry on the web server.

    The name entry is followed by specific attributes. Most of these are in the form of pairs with a value, but some stand alone. All the attributes are optional except the version, which is required.

    Valid attributes are:

    • Comment=value
      The comment attribute is usually used to describe the cookie's purpose.

    • CommentURL=value
      This attribute contains a URL that links to additional information about the cookie.

    • Discard
      This attribute takes no value. It is an instruction to the user agent to unconditionally remove the cookie on termination.

    • Domain=value
      The domain attribute specifies the domain for which the cookie is valid.

    • Path=value
      The path attribute can be used to limit the application of the cookie to a subset of URLs.

    • Max-age=value
      This attribute determines the lifetime of the cookie in seconds. A value of 0 specifies that the cookie should be discarded immediately.

    • Port[="portlist"]
      The purpose of the port attribute is to limit the ports to which the cookie may be returned. The portlist value must be in quotes even if it only contains a single port number.

    • Secure
      The secure attribute takes no value. Its purpose is to specify that the user agent should only return the cookie over a secure connection, typically HTTPS. However, it is up to the user agent to determine what constitutes an appropriate level of security.

    • Version=value
      This required attribute's value takes the form of a decimal integer. It defines to which version of the state management specification the cookie conforms.


    All this is best illustrated with an example. Let's say you want to define a cookie for the root path of the domain cookies4ever.com to contain a user ID. The cookie should endure for up to 1000 seconds, should not require a secure connection, and should conform to version 1 of the specification. To meet these requirements the cookie header issued by the web server would look something like this:

    Set-cookie: user_ID=12345678; Max-Age = 1000; Domain = cookies4ever.com; Path = /; Version = 1
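
The structure described above can be checked mechanically. The following is an added example, not code from the article: a small Python parser that splits a cookie header into its name=value pair and the listed attributes, enforces the rules stated above (required Version, quoted portlist, valueless Discard and Secure), and reports two settings worth reviewing. The names parse_cookie_header and review are hypothetical.

```python
# Added example, not from the article: parse one cookie header line into its
# name=value pair and the attributes listed above, enforcing the stated rules.
# Simplification: splits on ";" so quoted values must not contain ";".
VALUED = {"comment", "commenturl", "domain", "path", "max-age", "version"}
FLAGS = {"discard", "secure"}  # attributes that take no value

SAMPLE = ("Set-cookie: user_ID=12345678; Max-Age = 1000; "
          "Domain = cookies4ever.com; Path = /; Version = 1")  # from the article


def parse_cookie_header(line):
    """Return (name, value, attrs); raise ValueError on a malformed header."""
    body = line.partition(":")[2]
    parts = [p.strip() for p in body.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("cookie must start with a name=value pair")
    name, _, value = (s.strip() for s in parts[0].partition("="))
    attrs = {}
    for part in parts[1:]:
        key, sep, val = (s.strip() for s in part.partition("="))
        key = key.lower()
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        if key in FLAGS and not sep:
            attrs[key] = True
        elif key == "port" and not sep:
            attrs[key] = True  # bare Port: no explicit list given
        elif key == "port" and quoted:
            attrs[key] = [int(p) for p in val[1:-1].split(",")]
        elif key in VALUED and sep:
            attrs[key] = val[1:-1] if quoted else val
        else:
            raise ValueError(f"malformed or unknown attribute: {part!r}")
    if "version" not in attrs:
        raise ValueError("Version attribute is required")
    return name, value, attrs


def review(attrs):
    """Defender-side findings for a parsed cookie (hypothetical helper)."""
    findings = []
    if "secure" not in attrs:
        findings.append("Secure not set: cookie may be returned over plain HTTP")
    if attrs.get("path") == "/":
        findings.append("Path=/ : cookie is returned for every URL on the domain")
    return findings


if __name__ == "__main__":
    name, value, attrs = parse_cookie_header(SAMPLE)
    print(name, value, attrs, review(attrs), sep="\n")
```

Run against the article's sample header, the review reports both the missing Secure attribute and the site-wide Path.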
