views: 13

answers: 1

Hello everyone,

In my previous understanding, for a web site, only a logged-in user of the web site (no matter what login/authentication approach is used) could have a cookie as a persistent identifier, so that if the user closes the browser and opens it again to go to the same web site, the web site could remember the user.

But I learned recently that it seems that for a non-logged-in user there could still be a cookie associated with the user (after the user closes the browser and then opens the browser again to go to the same web site, the web site could remember the user), and it is called a browser cookie? Is that true?

If it is true, who is responsible for setting the browser cookie? i.e. does it need some coding/config on the web server side, client browser configuration (without coding on the server side), or both? How could the web server access such a cookie? I would appreciate any code samples.

Thanks in advance, George

+2  A: 

Whether you actually "log in" or not is irrelevant to what cookies are stored.

If the browser requests a page, and the server includes a Set-Cookie response header, then the browser will store the value of that cookie in a local cache and every time it requests a page from the same server, it sends the value of the cookie back as well (in the Cookie request header).

It just so happens that when you "log in" to a website, the website will usually use the Set-Cookie header to tell the browser to store a value that indicates that you're already logged in (and your user-id and some other security-related stuff). But there's nothing stopping the web server from using Set-Cookie at any other time.

Dean Harding
"back as well" -- you mean the request from the client browser to the web server?
George2
And how do I determine whether a cookie is persistent? By persistent I mean that after the browser is closed, the cookie is still stored on the client side, so that the next time the browser is opened to go to the same web site, the cookie value is still there?
George2
@George2: re "back as well", that's correct. `Cookie` is a header value that's sent along with the request (in a similar way to how the User-Agent is passed to the server, for example).
Dean Harding
@George2: By default, cookies expire when the browser closes. If the server includes an "expiration" parameter in the `Set-Cookie` header (see the linked Wikipedia article) then the browser will keep the cookie "on disk" until that date.
Dean Harding
1. And could the browser have an option to reject such a cookie? 2. I think if the server wants to identify a (non-login) user by using a cookie, it could work in this way. Set a cookie in the client browser using a specific cookie name (e.g. "usertestcookie") with a specific cookie value (e.g. "cookieforjohn"), then ask the client browser for a long expiry time for the cookie, and finally each time the server could use the cookie name "usercookiefortest" to retrieve the user identifier "cookieforjohn". Is that understanding correct?
George2
@George2: I think your confusion may stem from an idea that "log in" cookies are somehow "special": they're not, all cookies are the same. It's just that server uses some cookies to remember that you're logged into the site and other cookies for other purposes. The browser has no way to tell the difference. Therefore, your question #2 is correct.
Dean Harding
Thanks, question answered!
George2