Web Cookie

Netscape idea for caching a little bit of data (typically for Digital Identity) in the Web Browser Thin Client.

Mark Nottingham on a problem with how the original spec fits into HTTP, and on the partial support for the later RFC-s.

Security issues: http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

Note that a browser supports only a limited number of cookies. I'm not sure how standard that is: the old Netscape standard says 20 cookies per host/domain.

  • Amazon has a patent on storing structured data within a cookie, which is one approach to getting past the limited number of cookies.

One little implementation annoyance: if you're building apps for multiple hosts in the same domain, you'll want to set the cookie's scope to e.g. "*.domain.com". Unfortunately, while this will result in the browser returning that cookie for every request from a host with an explicit hostname within domain.com, it won't work for the direct "domain.com" hostname itself!
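To make the two browser-side behaviours above concrete (the per-host cookie cap and the Domain-attribute scoping), here is a small cookie jar written for this page; it is an added example, not code from the page's author or from any browser. It implements the RFC 6265 domain-match rule, under which a cookie set with `Domain=.domain.com` (leading dot ignored) is returned both to hosts under domain.com and to the bare `domain.com` itself, so the annoyance described above is specific to the older Netscape matching rule. The 20-cookie limit, the host names and the Set-Cookie headers are constructed sample values.

```javascript
// Added example: a minimal RFC 6265-style cookie jar (not a real browser's code).
// Shows Domain-attribute scoping and a Netscape-era per-domain cookie cap.

const MAX_COOKIES_PER_DOMAIN = 20; // the old Netscape per-host/domain limit noted on the page

// RFC 6265 section 5.1.3 domain-match: host equals domain, or host ends with "." + domain
// and host is a name rather than an IPv4 literal.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value received from requestHost into a cookie record.
// Returns null when the cookie must be rejected (malformed, or Domain does not cover the host).
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // a cookie needs a non-empty name
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: sent only to the exact host that set it
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    if (key.trim().toLowerCase() !== 'domain' || rest.length === 0) continue;
    let d = rest.join('=').trim().toLowerCase();
    if (d.startsWith('.')) d = d.slice(1); // section 5.2.3: a leading dot is ignored
    if (d === '') continue;
    // section 5.3 step 6: a host may not set cookies for a domain it is not under
    if (!domainMatches(requestHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = []; // insertion order == age, oldest first
  }

  // Store a Set-Cookie header from requestHost; returns true if the cookie was accepted.
  store(header, requestHost) {
    const c = parseSetCookie(header, requestHost);
    if (!c) return false;
    // A cookie with the same name and domain replaces the earlier one.
    this.cookies = this.cookies.filter((x) => !(x.name === c.name && x.domain === c.domain));
    // Enforce the per-domain cap by evicting the oldest cookie for that domain.
    const sameDomain = this.cookies.filter((x) => x.domain === c.domain);
    if (sameDomain.length >= MAX_COOKIES_PER_DOMAIN) {
      this.cookies.splice(this.cookies.indexOf(sameDomain[0]), 1);
    }
    this.cookies.push(c);
    return true;
  }

  // The "name=value" pairs a request to host would carry.
  cookiesFor(host) {
    const h = host.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed demonstration: a cookie scoped to the whole domain vs. a host-only cookie.
const jar = new CookieJar();
jar.store('sid=abc; Domain=.domain.com', 'app1.domain.com');
jar.store('local=1', 'app1.domain.com');
console.log('app2.domain.com gets:', jar.cookiesFor('app2.domain.com'));
console.log('domain.com gets:', jar.cookiesFor('domain.com'));
console.log('evil-domain.com gets:', jar.cookiesFor('evil-domain.com'));
```

Running it shows the domain-scoped cookie reaching `app2.domain.com` and the bare `domain.com`, the host-only cookie staying on `app1.domain.com`, and nothing leaking to `evil-domain.com`, which merely ends with the string "domain.com".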

Note that Web Cookie-s are being increasingly blocked/deleted because of Spy Ware concerns. If the defaults on these systems block all cookies, you could find people having problems using your WebApp, and newbies would be unable to unblock them.

  • or maybe this isn't happening as much as some people think

Another nastiness: some frameworks expect/demand that cookie values be html-encoded, and handle this transparently, so when you have different parts of your site handled by different frameworks with different rules, you can go bananas.
