A cookie is created when a client visits a site or page for the first time. A CGI program looks for previous cookie information in the client request and, if it is not there, sends a response containing a Set-Cookie header. This header contains a name/value pair (the actual cookie) that comprises the special information you want the client to maintain. There are other optional fields you may include in the header.

name=value

Both name and value can be any strings that do not contain either a semi-colon, space, or tab. Encoding such as URL encoding may be used if these entities are required in the name or value, as long as your script is prepared to handle it.

expires=date

This attribute sets the date when a cookie becomes invalid. The date is formatted in a nonstandard way, like this:

Wednesday, 01-Sep-96 00:00:00 GMT

After this date, the cookie becomes invalid, and the browser no longer sends it. Only GMT (Greenwich Mean Time) is used. If no expires date is given, the cookie is used only for the current session.

path=pathname

The path attribute supplies a URL range for which the cookie is valid. If path is set to /pub, for example, the cookie is sent for URLs in /pub as well as lower levels such as/pub/docs and /pub/images. A pathname of "/" indicates that the cookie will be used for all URLs at the site from which the cookie originated. No path attribute means that the cookie is valid only for the originating URL.

domain=domain-name

This attribute specifies a domain name range for which the cookie is returned. The domain-name must contain at least two dots (.), e.g., .oreilly.com. This value covers both www.oreilly.com and software.oreilly.com, and any other server in the oreilly.com domain.

secure

The secure attribute tells the client to return the cookie only over a secure connection (via SHTTP and SSL). Leaving out this attribute means that the cookie is always returned, regardless of the connection.

Each time a browser goes to a web page, it checks its cookies file for any cookies stored for that URL. If there are any, the browser includes a Cookie header in the request containing the cookie's name=value pairs.

When the Cookie header is encountered, many servers pass the value of that header to CGI programs using the HTTP_COOKIE environment variable. See Chapter 12 for more information on CGI environment variables.

The preliminary cookies specification places some restrictions on the number and size of cookies:

• Clients should be able to support at least 300 total cookies. Servers should not expect a client to store more.

  The limit on the size of each cookie (name and value combined) should not exceed 4KB.

• A maximum of 20 cookies per server or domain is allowed. This limit applies to each specified server or domain, so www.oreilly.com is allowed 20, and software.oreilly.com is allowed 20, if they are each specified by their full names.

An issue arises with proxy servers in regard to the headers. Both the Set-Cookie and Cookie headers should be propagated through the proxy, even if a page is cached or has not been modified (according to the If-Modified-Since condition). The Set-Cookie header should also never be cached by the proxy.

Most web servers and clients still support the original cookie specification proposed by Netscape. Recently, the IETF has issued an Internet draft proposal for an updated cookie specification. This document describes new Set-Cookie2 and Cookie2 headers to eventually replace the original headers. They add additional attributes for comments and path specifiers.

Clients and servers that implement the new headers should be backwards-compatible with the original specification. The draft proposal can be found at the following URL: