Cookies
In the preceding two sections, we discussed two ways in which information may be passed between programs (or executions of the same program) through a browser. This section concentrates on storing state information on the client computer with cookies. Cookies are essentially small text files that a Web server sends to your browser, which then saves the cookies on your computer. Many Web sites use cookies to track users' progress through their site (as in a shopping-cart application) or to help customize the site for an individual user.
Cookies cannot break into your computer, nor can they erase your hard drive. However, they can be used to identify users and keep track of how often users visit a site or what users buy at a site. For this reason, cookies are considered to be a security and privacy concern. Popular Web browsers provide support for cookies. These browsers also allow users who are concerned about their privacy and security to disable this support. Most major Web sites use cookies. As a programmer, you should be aware of the possibility that cookies might be disabled by your clients. Figures 19.15–19.17 use cookies to store and manipulate information about a user.
Figure 19.15. XHTML document containing a form to post data to the server
Figure 19.15 is an XHTML page that contains a form in which values are to be input. The form posts its information to writecookie.cgi (Fig. 19.16). This CGI script reads as many bytes of posted data from standard input as the CONTENT_LENGTH environment variable specifies. Line 24 of Fig. 19.16 declares and initializes string expires to store the expiration date of the cookie, which determines how long the cookie resides on the client's machine. This value can be an absolute date string, like the one in this example, or it can be a relative value. For instance, "+30d" sets the cookie to expire after 30 days. For the purposes of this chapter, the expiration date is deliberately set to expire in the year 2010 to ensure that the program will run properly well into the future. You may set the expiration date of this example to any future date as needed. The browser deletes cookies when they expire.
Figure 19.16. Writing a cookie.
 1 // Fig. 19.16: writecookie.cpp
 2 // Program to write a cookie to a client's machine.
 3 #include <iostream>
 4 using std::cin;
 5 using std::cout;
 6
 7 #include <string>
 8 using std::string;
 9
10 #include <cstdlib>
11 using std::getenv;
12 using std::atoi;
13
14 int main()
15 {
16    char query[ 1024 ] = "";
17    string dataString = "";
18    string nameString = "";
19    string ageString = "";
20    string colorString = "";
21    int contentLength = 0;
22
23    // expiration date of cookie
24    string expires = "Friday, 14-MAY-10 16:00:00 GMT";
25
26    // data was entered
27    if ( getenv( "CONTENT_LENGTH" ) )
28    {
29       contentLength = atoi( getenv( "CONTENT_LENGTH" ) );
30       cin.read( query, contentLength < 1023 ? contentLength : 1023 ); // read data from standard input, bounded to the buffer
31       dataString = query;
32
33       // search string for data and store locations
34       int nameLocation = dataString.find( "name=" ) + 5;
35       int endName = dataString.find( "&" );
36       int ageLocation = dataString.find( "age=" ) + 4;
37       int endAge = dataString.find( "&color" );
38       int colorLocation = dataString.find( "color=" ) + 6;
39       int endColor = dataString.find( "&button" );
40
41       // get value for user's name
42       nameString = dataString.substr(
43          nameLocation, endName - nameLocation );
44
45       if ( ageLocation > 0 ) // get value for user's age
46          ageString = dataString.substr(
47             ageLocation, endAge - ageLocation );
48
49       if ( colorLocation > 0 ) // get value for user's favorite color
50          colorString = dataString.substr(
51             colorLocation, endColor - colorLocation );
52
53       // set cookie (must precede the Content-Type header)
54       cout << "Set-Cookie: Name=" << nameString << "age:"
55          << ageString << "color:" << colorString
56          << "; expires=" << expires << "; path=\n";
57    } // end if
58
59    cout << "Content-Type: text/html\n\n"; // output HTTP header
60
61    // output XML declaration and DOCTYPE
62    cout << "<?xml version = \"1.0\"?>"
63       << "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" "
64       << "\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">";
65
66    // output html element and some of its contents
67    cout << "<html xmlns = \"http://www.w3.org/1999/xhtml\">"
68       << "<head><title>Cookie Saved</title></head>";
69
70    // output user's information
71    cout << "<body><p>A cookie has been set with the following"
72       << " data:<br/>Name: " << nameString << "<br/>"
73       << "Age: " << ageString << "<br/>"
74       << "Color: " << colorString << "<br/>"
75       << "Click <a href=\"\">"
76       << "here</a> to read saved cookie data.</p></body></html>";
77    return 0;
78 } // end main
After obtaining the data from the form, the program creates a cookie (lines 54–56). In this example, we create a cookie that stores a line of text containing the name-value pairs of the posted data, delimited by a colon character (:). The line must be output before the Content-Type header is written to the client. The line of text begins with the Set-Cookie: header, indicating that the browser should store the incoming data in a cookie. We set three attributes for the cookie: a name-value pair containing the data to be stored, a name-value pair containing the expiration date and a name-value pair containing the URL of the server domain (e.g., www.deitel.com) for which the cookie is valid. For this example, path is not set to any value, making the cookie readable from any server in the domain of the server that originally wrote the cookie. Note that these name-value pairs are separated by semicolons (;). We use only colon characters within our cookie data so as not to conflict with the format of the Set-Cookie: header. When we enter the same data as displayed in Fig. 19.15, lines 54–56 store the data "Name=Zoeage:24color:Red" to the cookie. Lines 59–76 send a Web page indicating that the cookie has been written to the client.
Portability Tip 19.1
Web browsers store the cookie information in a vendor-specific manner. For example, Microsoft's Internet Explorer stores cookies as text files in the Temporary Internet Files directory on the client's machine. Netscape stores its cookies in a single file named cookies.txt.
Figure 19.17 reads the cookie written in Fig. 19.16 and displays the stored information. When a client sends a request to a server, the client Web browser locates any cookies previously written by that server. These cookies are sent by the browser back to the server as part of the request. On the server, the environment variable HTTP_COOKIE stores the client's cookies. Line 20 calls function getenv with the HTTP_COOKIE environment variable as the parameter and stores the returned value in dataString. The name-value pairs are decoded and stored in strings (lines 23–34) according to the encoding scheme used in Fig. 19.16. Lines 36–55 output the contents of the cookie as a Web page.
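The listing for Fig. 19.17 is not reproduced on this page, so the following is an added example (not the book's code) of the decoding step it describes: it reads a cookie value in the exact encoding written by Fig. 19.16, skips other cookies that may share the HTTP_COOKIE header, and leaves a missing field empty rather than indexing past string::npos. It also shows the check a form value should pass before it is placed in the Set-Cookie header, so that the data cannot collide with the ':' and ';' delimiters the text relies on. The struct and function names are my own.

```cpp
#include <string>
using std::string;

// Holds the three fields that Fig. 19.16 packs into the single cookie value.
struct CookieData { string name, age, color; };

// Decode the HTTP_COOKIE header as Fig. 19.16 encoded it: the cookie is named
// "Name" and its value is "<name>age:<age>color:<color>". Other cookies in the
// same header (separated by ';') are skipped, and a missing field stays empty.
// (Added example, not the book's code.)
CookieData decodeCookie( const string &header )
{
   CookieData d;
   string::size_type start = header.find( "Name=" );
   if ( start == string::npos )
      return d;                                       // our cookie is absent
   start += 5;
   string::size_type end = header.find( ';', start ); // next cookie, if any
   string value = header.substr( start,
      end == string::npos ? string::npos : end - start );

   // locate the field delimiters inside this cookie's value only
   string::size_type agePos = value.find( "age:" );
   string::size_type colorPos = value.find( "color:",
      agePos == string::npos ? 0 : agePos + 4 );

   d.name = value.substr( 0, agePos );                // substr( 0, npos ) = all
   if ( agePos != string::npos )
      d.age = value.substr( agePos + 4,
         colorPos == string::npos ? string::npos : colorPos - agePos - 4 );
   if ( colorPos != string::npos )
      d.color = value.substr( colorPos + 6 );
   return d;
}

// Before a form value is placed in the Set-Cookie header of Fig. 19.16, make
// sure it cannot break that encoding: ':' is the field delimiter, ';' separates
// cookie attributes, and CR or LF would end the HTTP header line.
bool isSafeCookieValue( const string &value )
{
   return value.find_first_of( ":;\r\n" ) == string::npos;
}
```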
Figure 19.17. Program to read cookies sent from the client's computer.
Software Engineering Observation 19.2
Cookies present a security risk. If unauthorized users gain access to a computer, they can examine the local disk and view files, which include cookies. For this reason, sensitive data, such as passwords, social security numbers and credit card numbers, should never be stored in cookies.