Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is calling HttpServletResponse.addCookie() with the same cookie name safe?

Tags:

java

servlets

Is calling 

HttpServletResponse.addCookie();

(from servlet-api-2.5) multiple times using a cookie with the same name safe?

Safe in the sense of that there is a deterministic behavior, e.g. the subsequent calls will be ignored (the first wins) or the subsequent calls will always replace the cookie or something like that?

Example: 

HttpServletResponse response = ...;
response.addCookie(new Cookie("foo", "bar"));
response.addCookie(new Cookie("foo", "42"));

Which value will be transferred to and stored by the browser?

like image 717
tbk Avatar asked Jul 07 '10 08:07

tbk

People also ask

How can a cookie be added to an HTTP response?

To add a new cookie, use HttpServletResponse. addCookie(Cookie). The Cookie is pretty much a key value pair taking a name and value as strings on construction.

Which method of HttpServletResponse interface add cookies to the HTTP response?

To add cookie in response, use addCookie(Cookie) method of HttpServletResponse interface. To fetch the cookie, getCookies() method of Request Interface is used.

How do you destroy cookies in Java?

If you want to delete a cookie you have to create a cookie that have the same name with the cookie that you want to delete and set the value to an empty string. You also need to set the max age of the cookie to 0 . And then add this cookie to the servlet's response object.

2 Answers

Updated answer - as the comments from @skaffman and @Stephen C show this is not ideal practice.

The RFC Spec at http://www.ietf.org/rfc/rfc2109.txt states

The NAME=VALUE attribute-value pair must come first in each cookie. If an attribute appears more than once in a cookie, the behavior is undefined.

On Tomcat server, the behaviour is the actual headers sent to the browser:

Set-Cookie: foo=bar
Set-Cookie: foo=42

Here foo gets overwritten. Reading the cookie later gives you 42.

like image 77
JoseK Avatar answered Oct 27 '22 01:10

JoseK

Additional comment - note that setting different sub-domains on cookies with the same name in the same response changes the behavior. I just tested saving cookies with the same name but different sub-domains on latest versions of java 1.6/firefox/safari/chrome on my mac, and it behaved as expected, saving both cookies. I understand this behavior is not guaranteed by the spec, but just sayin' it may be helpful to be aware of it.

like image 37
johnkaplantech Avatar answered Oct 26 '22 23:10

johnkaplantech
Sign in to Comment

Related questions

Java and haarcascade face and mouth detection - mouth as the nose
Athena create table from parquet schema
How to see org.codehaus.jackson log messages - using logging.properties
JSON parse error: Already had POJO for id
Error in NamedStoredProcedureQuery in Spring JPA - "Found named stored procedure parameter associated with positional parameters"
Exception on new WebView on Lollipop 5.1 devices [duplicate]
Can't change the keystore format
PowerMockito verify private method called x times
Java 9 Cleaner Correct Usage
Setup Wifi proxy credentials programmatically
How to refer to a class when both simple and fully-qualified names clash
Unpacking index for Central Repository on Netbeans
AWS TransferManager uploadFileList truncating file name in S3
`ThreadPoolTaskExecutor` Threads are not killed after execution in Spring
How to replace param "t" to "className"?
Is there a good field validation available in java 8+ which could replace guava PreConditions?
Java byte array of 1 MB or more takes up twice the RAM
Spring Boot 2.3.0 buildpack builds image with creation date 40 years ago
RoundingMode.UP with DecimalFormat does not work as expected
JBoss: WAR file in EAR can't find JAR library on classpath

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!