Now that you've mastered the basics, it's time to bring out the big iron. This week, The JSP Files explores the various techniques available to "maintain state" on a JSP-based Web site. Learn about the Cookie and Session objects, find out how to build a cookie-based hit counter, and read about a simple yet effective way of protecting sensitive Web pages with the Session object.
Since cookies are used to record information about your activities on a particular site, they can only be read by the site that created them. For example, Yahoo and Deja.com store your username in a cookie on your hard drive and use this information to automatically fill in log-in forms the next time you visit their Web sites. It's kinda like going to a chic restaurant, and having the maitre d' call you by name (something which hasn't happened to us of late!)
Before getting into the nitty-gritty of cookie technology, a few ground rules are in order:
1. A single domain cannot set more than twenty cookies. A single cookie cannot exceed 4 KB in size. The maximum number of cookies that may be set is 300.
2. The most common method of transmitting a cookie to a client is via the "Set-Cookie" HTTP header.
3. A cookie usually possesses five types of attributes.
The first of these is a NAME=VALUE pair, used to store information such as a username, email address or credit-card number. The NAME is a string used to identify the cookie, while the VALUE is the data to be stored in the cookie. For example,
clarkkent=superman
The EXPIRES attribute defines the date on which the cookie is automatically removed from the system. The date must be in the format "weekday, dd-mon-yy hh:mm:ss GMT". For example,
expires="Sun, 31-Dec-2030 17:51:06 GMT"
Cookies without a specifically defined expiry date remain active for so long as the browser remains open, and are destroyed once the browser is closed. You can delete an existing cookie by setting this attribute to a date in the past.
The PATH attribute is used to set the top-level directory on the Web server from which cookies can be accessed. In most cases, this is set to
path=/
to ensure that the cookie can be accessed by each and every document on the server.
The DOMAIN attribute is used to specify the domain which the cookie is linked to, and the SECURE attribute indicates that a cookie should only be set if there exists a secure protocol between the browser and the server.
4. Of all the five attributes, the first is the only one that is not optional.
5. Every good browser offers users the option to disable cookies. If a user decides to exercise his or her right to do so, your cookies will not be stored, and any attempt to access them will fail. Users who do this are usually career criminals or tax evaders.
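The five attributes and the ground rules above, assembled into a "Set-Cookie" header value. This is an added example, not code from the original article; the class and method names, the example.com domain, the "visits" cookie and the sample dates are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class SetCookieDemo {
    // Date layout from the text: "weekday, dd-mon-yy hh:mm:ss GMT",
    // written with a four-digit year as in the article's sample.
    static final DateTimeFormatter EXPIRES =
        DateTimeFormatter.ofPattern("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.ENGLISH);
    static final int MAX_COOKIE_BYTES = 4096; // 4 KB limit from ground rule 1

    // Builds the value of a Set-Cookie header. Only NAME=VALUE is mandatory;
    // pass null (or false for secure) to leave an optional attribute out.
    static String build(String name, String value, ZonedDateTime expires,
                        String path, String domain, boolean secure) {
        // Separators inside NAME or VALUE would be read as extra attributes.
        if (name == null || name.isEmpty() || name.matches(".*[=;,\\s].*"))
            throw new IllegalArgumentException("invalid cookie name");
        if (value == null || value.matches(".*[;,\\s].*"))
            throw new IllegalArgumentException("cookie value must be encoded first");
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (expires != null)
            sb.append("; expires=")
              .append(EXPIRES.format(expires.withZoneSameInstant(ZoneOffset.UTC)));
        if (path != null) sb.append("; path=").append(path);
        if (domain != null) sb.append("; domain=").append(domain);
        if (secure) sb.append("; secure");
        String header = sb.toString();
        if (header.getBytes(StandardCharsets.UTF_8).length > MAX_COOKIE_BYTES)
            throw new IllegalArgumentException("cookie exceeds 4 KB");
        return header;
    }

    // Deleting a cookie: send it again with an expiry date in the past.
    static String delete(String name, String path) {
        ZonedDateTime past = ZonedDateTime.of(1970, 1, 1, 0, 0, 0, 0, ZoneOffset.UTC);
        return build(name, "", past, path, null, false);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real site.
        ZonedDateTime exp = ZonedDateTime.of(2031, 1, 1, 0, 0, 0, 0, ZoneOffset.UTC);
        System.out.println("Set-Cookie: " + build("clarkkent", "superman", exp, "/", "example.com", true));
        System.out.println("Set-Cookie: " + build("visits", "1", null, null, null, false)); // lasts until the browser closes
        System.out.println("Set-Cookie: " + delete("clarkkent", "/"));
    }
}
```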