What are cookies? What are the differences between them (session vs. persistent)? (original) (raw)

Introduction

This document describes what HTTP cookies are and what the difference is between session cookies and persistent cookies.

Background Information

Cookies are strings of data that a web server sends to the browser. When a browser requests an object from the same domain in the future, the browser will send the same string of data back to the origin server.

The data is sent from the web server in the form of an HTTP header called "Set-Cookie". The browser sends the cookie back to the server in an HTTP header called "Cookie".

Here is an example of what an HTTP cookie transaction might look like:

HTTP response from the web server:

[...]
Set-Cookie: first.lastname

HTTP GET from the client:

[...]
Cookie: first.lastname

In the sample transaction, the web server told the client to create the cookie "first.lastname". The next time the client requests an object from this domain it sends the cookie with the request. This illustrates how a web server might be able to recall certain information such as user logins.

Types of Cookies

There are two different types of cookies - session cookies and persistent cookies. If a cookie does not contain an expiration date, it is considered a session cookie. Session cookies are stored in memory and never written to disk. When the browser closes, the cookie is permanently lost from this point on. If the cookie contains an expiration date, it is considered a persistent cookie. On the date specified in the expiration, the cookie will be removed from the disk.

There are several different fields a cookie can contain, separated by semicolons. The definitions are:

expires

expires="Wdy, DD-Mon-YYYY HH:MM:SS GMT"

Determines when the cookie is to be deleted.

path

path=/

Determines what path to return the cookie on. In this example, the cookie will be sent when going to the root path in a domain.

domain

domain=whatever.domain.com

Specifies what domain the cookie is used for. If this does not match the domain currently being browsed to, it is considered to be a "3rd Party cookie" and will be rejected by the browser. This prevents one domain setting a cookie for a different domain.