cookie explanation

 
Ranch Hand
Posts: 352
Hey,

In what practical scenarios are we using cookies without session management? We can create cookie objects and add them to the response, right, like the following.



Also, it says that using the setMaxAge method we can keep the cookie even after the browser is closed, right? That means even after the session is invalidated. But then, when a new session conversation starts again, how can the browser send (find) the previously used cookie for the request as session info?

Thank You.
 
Ranch Hand
Posts: 437
Oracle Java
Hi Harshana.

Harshana Dias wrote: In what practical scenarios are we using cookies without session management? We can create cookie objects and add them to the response, right, like the following.

By using cookies we don't need to provide 'username' every time we make a request to the server.

Harshana Dias wrote: Also, it says that using the setMaxAge method we can keep the cookie even after the browser is closed, right? That means even after the session is invalidated. But then, when a new session conversation starts again, how can the browser send (find) the previously used cookie for the request as session info?

If the session is invalidated on the server side, its unique id is lost. If the user communicates with the older JSESSIONID cookie through the browser, the container sees the session id from the client and checks whether a valid session object associated with this id is present. If one is present, it communicates with that id; if not, it creates a new session object and sends it to the client through a cookie.
 
Ranch Hand
Posts: 1183
This topic is cross posted. I have replied to the other post!
 
Harshana Dias
Ranch Hand
Posts: 352

Sebastian Janisch wrote: This topic is cross posted. I have replied to the other post!

Well Sebastian, it was a mistake and I have asked the admin to delete it. Now it's not there and I didn't see your post, so can you please write it here if you don't mind?
 
Greenhorn
Posts: 3
I was going through this post and was unclear on how cookies could be read after session has been invalidated (Provided that maxAge of cookie exceeds session invalidation time).

Does it mean that I'll be able to read the cookie information without the JSESSION ID?

 
Ranch Hand
Posts: 361
Hi,

To make things clear, imagine that a cookie is like a bean (with name and value attributes) that the server sends to the client through the HTTP Response. Consider the below simple scenario.

Browse to http://www.AnanyaKaur.com. Let's suppose that the web server sends a cookie with [Name="Exam", Value="SCWCD"].

Here is a series of steps explaining this scenario.

  • The web browser sends a GET HTTP Request to the server.



  • The web server receives the request. (In case of the Java programming language) the code that will be responsible for serving this request is a Servlet or a JSP.
    A code snippet like this is used to send the cookie back to the client :

    Cookie rv = new Cookie("Exam","SCWCD");
    response.addCookie(rv);




  • The browser now receives the HTTP Response from the server. It sees that there are cookies in the response. The browser stores those cookies.
    The browser now has the entry below:

    www.AnanyaKaur.com --> (Has the following cookies) ["Exam","SCWCD"]



  • Later, for any request that is sent to the same website (www.AnanyaKaur.com), the browser sends the cookies with the request.

  • Cookies are exchanged between the client and server in the HTTP Request/Response as HTTP headers.

Now here comes the question: what does all this have to do with sessions?

When the web server creates a session object, it sends a cookie to the browser (for example, sessionID or ClientId, or call it whatever you want) that identifies the currently created session. The name of this cookie depends on the web container. You don't have to care about it.

When you send another request to the server, the sessionID (or the cookie that is used to identify the session) is sent with every request to the server. The servlet container will automatically associate this sessionID with the session object on the server, and you as a developer simply call request.getSession() to get a session object, while the container has done everything for you.

That's why when you clear the cookies in your browser, you have to log in again to whatever site you were logged in to: you have deleted the cookie or set of cookies that store your session ID.

One more thing: when you call session.invalidate(), you delete the session object from the server, but the corresponding cookies still exist on the client. But they will not be of any use, since they have no corresponding session on the server.

I strongly advise reading [HTTP The Definitive Guide], which explains HTTP in detail and in a very simple and easy way.

Also take a look at the following thread to see how you remove cookies:

http://forums.devshed.com/java-help-9/question-on-how-to-deleting-cookies-in-a-servlet-126544.html

Hope this helps ;)
     
    Ranch Hand
    Posts: 317
    Hi,

    actually a cookie is just a piece of data. Nothing to do with sessions or browser shut down. Only cookies with

    expire if the session quits. You can call them session cookies.
    But cookies with a positive MaxAge have nothing to do with sessions anymore. They stay alive until they expire, independent of any session (or browser ).

    Cheers
    Bob
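
As an added example (not code from any poster in this thread), the servlet below puts the last two replies together: a cookie with a positive MaxAge is readable whether or not a session is alive, and a logout has to both invalidate the session on the server and expire the cookie on the client. The class name, the 30-day lifetime, the "/" path and the use of the javax.servlet 3.0+ API are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; names and lifetimes are assumptions.
public class CookieDemoServlet extends HttpServlet {

    // GET: read the persistent cookie if the browser sent it, otherwise set it.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String exam = null;
        Cookie[] cookies = req.getCookies();      // null when the request carries none
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("Exam".equals(c.getName())) exam = c.getValue();
            }
        }
        if (exam == null) {
            Cookie rv = new Cookie("Exam", "SCWCD");
            rv.setMaxAge(60 * 60 * 24 * 30);      // positive: survives browser restarts
            rv.setPath("/");
            rv.setHttpOnly(true);                 // not readable from page script (Servlet 3.0+)
            rv.setSecure(true);                   // only sent over HTTPS
            resp.addCookie(rv);
        }
        // getSession(false) returns null when the session id the browser sent
        // no longer maps to a live session; it never creates a new one.
        HttpSession session = req.getSession(false);
        resp.setContentType("text/plain");
        resp.getWriter().println("Exam cookie: " + exam
                + ", live session: " + (session != null));
    }

    // POST: logout. Drop the server-side session and expire the client-side cookie.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
        Cookie gone = new Cookie("Exam", "");
        gone.setMaxAge(0);                        // zero tells the browser to delete it
        gone.setPath("/");                        // must match the path it was set with
        resp.addCookie(gone);
        resp.getWriter().println("logged out");
    }
}
```

After a POST, the next GET reports no Exam cookie and no live session; without the setMaxAge(0) step the Exam cookie would still arrive on that request even though the session is gone.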
     
    Ananya Kaur
    Greenhorn
    Posts: 3
    Thank you so much for your explanation - Khaled and Bob
     