No chocolate chips and sugar here! These cookies are made up of small pieces of information:
Name — Each cookie is identified by a name. The name is a token: letters, digits, and most punctuation are allowed, but not whitespace, semicolons, commas, or the equals sign, because those characters delimit the cookie string itself. Older documentation describes cookie names as case-insensitive, but browsers and servers treat them as case-sensitive (a cookie named Foo and one named foo are stored as two separate cookies), so always treat cookie names as case-sensitive.
Value — The string value stored in the cookie. Semicolons, commas, and whitespace delimit the cookie string, so the value must be URL-encoded (for example with encodeURIComponent()) before being stored and decoded again when read; otherwise data is lost or the cookie is corrupted. Browsers limit the size of a single cookie, name, value, and attributes combined, to about 4096 bytes (RFC 6265 requires that at least that much be accepted), so keep cookies small.
Domain — For security purposes, a Web site cannot read cookies set by another domain. When a cookie is created, the browser records the domain it belongs to, which by default is exactly the host that set it. The domain attribute can widen this to a parent domain (a cookie set by www.example.com with a domain of example.com is sent to every subdomain of example.com), but a site cannot set a cookie for an unrelated domain or for a public suffix such as com. Widening the domain is rarely needed and exposes the cookie to every subdomain, including ones you may not control, so leave it at the default unless subdomains genuinely need to share the cookie.
Path — Another restriction, the path attribute limits a cookie to a particular directory on the Web server. A cookie set with a path of a subdirectory is sent only with requests to that subdirectory and the directories below it; pages in the parent directory don't receive it even though the request comes from the same domain. Treat this as a scoping convenience, not a security boundary: script on any page of the same origin can load the restricted path in an iframe and read the cookie from there, so never rely on path alone to keep one application on a host from reading another's cookie.
Expiration — When the cookie should be deleted. By default a cookie is a session cookie and is discarded when the browser closes (browsers that restore the previous session on startup may keep session cookies alive across restarts). To persist a cookie, set an expiration date in GMT format (produced by the toUTCString() method of the Date object; toGMTString() is an older alias for it) that specifies the exact time at which the cookie should be deleted. Because of this, a cookie can remain on a user's machine long after the browser is closed. Setting an expiration time that has already passed deletes the cookie immediately, which is the standard way to remove a cookie from script.
Secure Flag — A true/false value indicating whether the cookie may be sent only over a secure connection (HTTPS, that is, HTTP over SSL/TLS). Setting it to true ensures the browser never transmits the cookie over plain HTTP, where anyone on the network path could read or alter it. Note what it does not do: the secure flag does not keep other Web sites from accessing the cookie (that is the job of the domain and path scoping above), and it does not keep script on the page from reading it. Any cookie that carries a session identifier should have this flag set.
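The fields above map directly onto the string a page assigns to document.cookie (or a server sends in Set-Cookie). The following is an added example, not code from the book, that builds such a string from those fields, deletes a cookie with a past expiration, and parses the "name=value; name2=value2" form the browser hands back. It keeps the logic in plain functions that take and return strings so it runs outside a browser; the function and constant names (buildCookie, deleteCookie, parseCookies, MAX_COOKIE_BYTES) are this example's own.

```javascript
// Added example (not from the book): cookie string builder/parser.
// RFC 6265 requires browsers to accept at least this many bytes per cookie,
// counting name, value and attributes together.
const MAX_COOKIE_BYTES = 4096;

// A cookie name is an HTTP token: no control characters, whitespace or
// separators such as ';', ',', '=' which delimit the cookie string.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Build the string you would assign to document.cookie.
// opts: { domain, path, expires (Date), secure (boolean) } -- all optional.
function buildCookie(name, value, opts = {}) {
  if (!TOKEN_RE.test(name)) {
    throw new Error(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  // URL-encode the value so ';', ',', '=' and whitespace can't corrupt it.
  let cookie = `${name}=${encodeURIComponent(value)}`;
  if (opts.domain) cookie += `; domain=${opts.domain}`;
  if (opts.path) cookie += `; path=${opts.path}`;
  if (opts.expires instanceof Date) {
    // GMT date string, as browsers expect for the expires attribute.
    cookie += `; expires=${opts.expires.toUTCString()}`;
  }
  if (opts.secure) cookie += '; secure';
  // Browsers measure the whole cookie, not just the value, against the limit.
  const bytes = new TextEncoder().encode(cookie).length;
  if (bytes > MAX_COOKIE_BYTES) {
    throw new Error(`cookie is ${bytes} bytes, limit is ${MAX_COOKIE_BYTES}`);
  }
  return cookie;
}

// Deleting a cookie means re-setting it with an expiration in the past.
// The domain and path must match the original or a different cookie is created.
function deleteCookie(name, opts = {}) {
  return buildCookie(name, '', { ...opts, expires: new Date(0) });
}

// Parse the "a=1; b=2" form of document.cookie (or a Cookie request header).
// Names are kept case-sensitive; values are URL-decoded. Attributes such as
// domain, path and secure are never visible here: the browser keeps them.
function parseCookies(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const raw = eq === -1 ? '' : trimmed.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch {
      value = raw; // not URL-encoded by whoever set it; keep it verbatim
    }
    cookies[name] = value;
  }
  return cookies;
}

// Usage, with a constructed cookie header as input:
// buildCookie('session', 'a b;c', { path: '/app', secure: true })
//   -> 'session=a%20b%3Bc; path=/app; secure'
// parseCookies('session=a%20b%3Bc; Foo=1; foo=2')
//   -> { session: 'a b;c', Foo: '1', foo: '2' }
```

The size check runs on the complete string because that is what browsers measure: a value that fits on its own can still push the cookie over the limit once domain, path and expiration attributes are appended. The parser deliberately keeps Foo and foo apart, matching how browsers store them.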
Other security restrictions
To ensure that cookies aren't used maliciously, and to keep them from consuming unbounded space on the user's machine, browsers place limits on cookie usage. The figures below are the original Netscape limits; current browsers follow RFC 6265, which requires at least 50 cookies per domain, at least 3000 cookies in total, and at least 4096 bytes per cookie, and which evicts the oldest cookies once a limit is exceeded, so a site that sets too many cookies silently loses some of them:
Each domain can only store up to 20 cookies on a user's machine.
The total size of a single cookie, name, value, and attributes combined, cannot exceed 4096 bytes.
The total number of cookies allowed on a user's machine is 300.
In addition, newer browsers give the user strict control over cookies, allowing the user to block all cookies, block
cookies from unknown or third-party sites, or be alerted every time a cookie is being created. Code that depends on a cookie should therefore check that it was actually stored rather than assume it was.
19_579088 ch16.qxd 3/28/05 11:42 AM Page 482