Cookie Support


Cookie Support includes the following topics:

Introduction

Cookies are a way of storing data on the client side. They have been used extensively for personalization of portal sites, user preference tracking, and logging into web sites. For enterprise customers using cookies in their web sites, cookie support in Java Plug-in and Java Web Start facilitates deployment of client-side Java.

Cookie support allows a Java application to pass a cookie back to a web server if that cookie originated from the web server. This provides the server with information about the state of the client.

Cookie Support in Java Plug-in and Java Web Start

There are two main types of cookies: Session Cookies and Permanent Cookies.

Session Cookies

Session cookies are stored in memory during the applet or application session. Session cookies expire when the applet or application exits and are automatically deleted. These cookies usually store a session ID that is not personally identifiable to users, allowing the user to move from page to page without having to log-in repeatedly. They are widely used by commercial web sites (for example, to keep track of items that a consumer has added to a shopping cart.)

Permanent Cookies

Permanent cookies are stored in persistent storage and are not deleted when the application exits. They are deleted when they expire. They can retain user preferences for a particular web site, allowing those preferences to be used in future sessions. Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users' surfing behavior within the web site. These cookies can also be used to provide information about the numbers of visitors, the average time spent on a particular page, and the general performance of the web site. They are usually configured to keep track of users for a prolonged period of time, in some cases many years into the future.

Support

Java Plug-in and Java Web Start support handling of both types of cookie on all platforms.

Java Plug-in provides permanent cookie support using the underlying browser cookie store. When it runs in Internet Explorer, the cookie store in IE is used; when it runs in Mozilla, the cookie store in Mozilla is used. Because each browser has a different cookie policy, the cookie-handling behavior depends on the cookie control in the browser. For example, if the browser is configured to reject third-party cookies, the policy will apply to Java Plug-in when it runs in this browser.

Java Web Start provides permanent cookie support on Windows using the cookie store in Internet Explorer, and the cookie-handling behavior is determined by the cookie control in IE. On Linux/Solaris, Java Web Start provides permanent cookie support using its own cookie store implementation.

Programmatic Access to Cookies

There are several ways for an application to override the default cookie handling. Four are outlined below.

void URLConnection.setRequestProperty(String key, String value)

This approach allows the application to set a custom cookie header in URLConnection before making a connection.

URL url = new URL( "http://java.sun.com/" );
URLConnection conn = url.openConnection();
conn.setRequestProperty("Cookie", "foo=bar");
InputStream is = conn.getInputStream();
.....

When the connection is made, the custom cookie would be sent to the server in the HTTP/HTTPS request headers.

Map<String, List<String>> URLConnection.getHeaderFields()

After a connection is made, the server may return a cookie in the HTTP/HTTPS response headers. The approach outlined below allows the application to retrieve the cookie value through URLConnection.

URL url = new URL( "http://java.sun.com/" );
URLConnection conn = url.openConnection();
conn.connect();
.....
Map<String, List<String>> headers = conn.getHeaderFields();
List<String> values = headers.get("Set-Cookie");

String cookieValue = null;
for (Iterator iter = values.iterator(); iter.hasNext(); ) {
     String v = values.next();
     if (cookieValue == null)
         cookieValue = v;
     else
         cookieValue = cookieValue + ";" + v;
}

After the connection is made, the server may return the cookie in the HTTP/HTTPS response headers.

Map<String,List<String>> CookieHandler.get(URI uri, Map<String,List<String>> requestHeaders)

This approach allows the application to retrieve session/permanent cookies for a given URL:

String retrieveCookie(URL url)
{
     String cookieValue = null;

     CookieHandler handler = CookieHandler.getDefault();
     if (handler != null)    {
          Map<String, List<String>> headers = handler.get(url.toURI(), new Map<String,                                                           List<String>>());
          List<String> values = headers.get("Cookie");
          for (Iterator<String> iter=values.iterator(); iter.hasNext();) {
               String v = iter.next();

               if (cookieValue == null)
                    cookieValue = v;
               else
                    cookieValue = cookieValue + ";" + v;
          }
     }
     return cookieValue;
}

CookieHandler is an abstraction of the browser/system cookie storage, so additional security permission is required for execution; the above code will be executed successfully only if the application is trusted.

void CookieHandler.put(URI uri, Map<String,List<String>> responseHeaders)

This approach allows the application to set a session/permanent cookie for a given URL:

void setCookie(URL url, String value)
{
     CookieHandler handler = CookieHandler.getDefault();
     if (handler != null)    {
          Map<String, List<String>> headers= new Map<String, List<String>>();
          List<String> values = new List<String>();
          values.add(value);
          headers.put("Cookie", values);

          handler.put(url.toURI(), headers);
     }
}

CookieHandler is an abstraction of the browser/system cookie storage, so additional security permission is required for execution; the above code will be executed successfully only if the application is trusted.

More information