Cookies

(not the kind you eat)

R. Alexander Miłowski

milowski@ischool.berkeley.edu

School of Information, UC Berkeley

How does that site know?

There is no magic:

They often use HTTP Cookies (RFC 6265) to do this.

Anatomy of a Cookie

Process:

  1. Browser sends a request:

    GET /index.html HTTP/1.1
    Host: www.ischool.berkeley.edu
    
  2. Server replies with one or more cookie headers:

    HTTP/1.0 200 OK
    Content-type: text/html
    Set-Cookie: cat=leo
    Set-Cookie: dog=hudson; Expires=Tue, 03 Jun 2014 10:30:00 GMT
    
  3. Browser sends cookies back with every request:

    GET /index.html HTTP/1.1
    Host: www.ischool.berkeley.edu
    Cookie: cat=leo; dog=hudson
    

[discussion] How does the browser decide which cookies to send?

Expiration

Controlling Paths

Only works for www.example.com/cats/:

Set-Cookie: cat=leo; Path=/cats            
         

[discussion] What domain is associated with the cookie?

Controlling Domains

Works with docs.example.com, www.example.com, example.com, etc.:

Set-Cookie: cat=leo; Domain=.example.com; Path=/           
         

[discussion] Why is the path necessary?
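
The matching rules behind the Path and Domain slides, as an added example that is not part of the original slides: a simplified JavaScript sketch of RFC 6265 domain and path matching. The function names and the in-memory `jar` array are assumptions made for illustration.

```javascript
// Added example: simplified RFC 6265 matching; expiry, Secure and public-suffix checks omitted.
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);
// Default path: the request path up to, but not including, its last "/".
function defaultPath(pathname) {
  const cut = pathname.lastIndexOf("/");
  return cut <= 0 ? "/" : pathname.slice(0, cut);
}
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // Match only on a "/" boundary, so Path=/cats does not cover /catsup.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie value received in response to requestUrl.
function parseSetCookie(header, requestUrl) {
  const { hostname, pathname } = new URL(requestUrl);
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: ignore the header
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: hostname, // URL already lower-cases the host
    hostOnly: true, // no Domain attribute: only the exact host gets it back
    path: defaultPath(pathname),
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    }
  }
  // A server may only set cookies for its own host or a parent domain.
  return domainMatch(hostname, cookie.domain) ? cookie : null;
}

// Build the single Cookie header value the browser would send to url.
function cookieHeaderFor(jar, url) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter((c) => pathMatch(pathname, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}
```

A cookie set without a `Domain` attribute is host-only, so it is narrower than one set with `Domain=.example.com`, which every subdomain receives.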