Persistent Data2:HTTP Cookies

[kino]

HTTP Cookies are a standard Web mechanism for state management that allows a server to communicate with a client for purposes of:

•Authentication

•Security

•End user identification

•Preserving application state





Cookies are a way for a server to send information to a client to store, and for the server to later retrieve its data from that client. Servers send cookies to clients by adding fields to HTTP response headers. Clients return cookies to the server by adding fields to HTTP request headers. The information is stored in text files on the client's machine.


In the previous Curl Cue, we discussed the power of storing data on the client machine using Curl's Client-side persistent data. So... Why Would a Curl Applet Need to Use HTTP Cookies? HTTP Cookies are mainly used for storing session information when a Curl applet interacts with a server-side application that requires a cookie. An HTTP cookie contains a session identifier as well as other relevant information about the user -- therefore cookies are necessary when a Curl applet interacts with servers that require a session. Each session has a beginning and an end, can be relatively short-lived, and can be terminated by either the client or the server


For example, if a user logs into a Curl application, you may need get session information from a server. A cookie is sent to the Curl applet upon start up. Once the Curl applet has the cookie data stored, the information is sent to the associated URI with each request.



Working with HTTP Cookies


HTTP Cookies can either be secure or insecure. If you have a secure connection, you can use the HTTPS protocol for communication with the server. For our examples, we will use insecure cookies.


In general, HTTP Cookies are:

•Stored on a client machine as text

•Grouped by URI

•Sent to the server when the specific URI is requested





This HttpCookie class holds all data associated with an HTTP cookie. The associated HttpCookie fields that store the HTTP cookie information are:


•comment: A comment about the cookie variable.

•domain: Domain that the hostname in the URL must match for the cookie to be sent along with requests for that URL.

•expires: When the cookie should expire.

•max-age: How long the cookie should last.

•name: Name of the cookie variable.

•path: Path that the URL must start with for the cookie to be sent along with requests for that URL.

•secure?: Indicates whether this HttpCookie should be sent across "secure" channels such as that provided by HTTPS.

•value: Value of the cookie variable.

•version: Version of the cookie protocol being used; currently 1 is the only known legal value.





Note that When the cookie should expire if expires is null, the cookie is kept only until the current host process exits. Once expires is in the past, the cookie may be deleted. If expires is in the future, the cookie is saved, possibly on disk, until the expiration date.


Setting and Getting HTTP Cookies
Use set-insecure-http-cookie to create the cookie on the local machine.

Code:

|| Let the cookie expire 1 year from now
let expire-date:DateTime = {new DateTime} + (1day *365)
|| Set the cookie
{set-insecure-http-cookie
{get-the-applet}.url,
{HttpCookie
session-id,
My session,
expires = expire-date
}
}

Once this information is set, then the cookie data is set with future HTTP requests to the given URI. Also note that get-the-applet returns the Url of the running applet.


Use get-http-cookies to retrieve cookie data.

Code:

let jar:{Array-of HttpCookie} = {get-http-cookies
{get-the-applet}.url
}

You can also use clear-insecure-http-cookie to clear any cookies. In most cases, you will use clear-insecure-http-cookie to remove cookies before the session ends (unless you want the information stored on the local machine for future use).


Putting it all together...

Ok, let's put everything together. In the following appley we will create a cookie that stores the value of My session that is set to expire 1 year from the creation date. Since cookies require the a browser, the applet must be run over HTTP. Therefore the code has been enclosed in a try expression so that we can catch any HttpExceptions.

Code:

{curl 6.0, 7.0 applet}
{curl-file-attributes
character-encoding = "utf8"
}
{value

|| Create a cookie value to set
let session-id:String = "My session"

|| Let the cookie expire 1 year from now
let expire-date:DateTime = {new DateTime} + (1day *365)
{try
|| Clear previous cookies
{clear-insecure-http-cookie
{get-the-applet}.url,
"session-id"
}

|| Set the cookie with the session-id value
{set-insecure-http-cookie
{get-the-applet}.url,
{HttpCookie
"session-id",
session-id ,
expires = expire-date
}
}

|| Get cookie information
let jar:{Array-of HttpCookie} =
{get-http-cookies
{get-the-applet}.url
}

|| Loop through the cookie data to find the session-id
{for cookie:HttpCookie in jar do
{if cookie.name == "sessionid" then
set session-id = cookie.value
else
|| Do nothing
}
}
catch e:HttpException do
set session-id = "You must run this applet over HTTP"

}



|| Create a graphic to hold the information
let display:VBox = {VBox
background = "yellow",
|| Dispaly the cookie value
session-id
}

|| Return the display
display
}

Cookies and Security The only cookies an unprivileged applet can set or clear are those that would be sent with the applet's URL or with the applet's URL's parent directory. Keep in mind that unless the cookie has secure?=true and is used with https URLs, it could be seen by third party applications (snooping) on the network. In addition, unless expires=null, the cookie may be stored on disk.