working with cookies without sending to the browser and document headers

Question

I want to develop an idea using cookies on the server side but I am afraid that I should not rely on cookies behavior as the following references say that cookies are client-side and browser-based objects:

Microsoft:

HTTP cookies provide the server with a mechanism to store and retrieve state information on the client application's system.

Wikipedia:

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing

W3schools:

A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer

Mozila.org:

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server.

However, On the server side, I tested that changing the value of cookies works fine without the role of the browser. I want to make sure that kind of using cookies is a standard way so I rely on it to generate some temporary data I asked in this question before.

<%
Response.Cookies("a")="test <br>"
response.write request.cookies("a")

Response.Cookies("a")="test1 <br>"
response.write request.cookies("a")

Response.Cookies("a")="test2 <br>"
response.write request.cookies("a")

Response.Cookies("a").Expires = DateAdd("d",-1,Now())
%>

result:

test
test1
test2

And there are no cookies with name "a" in headers of the page and no object is created on the visitor browser. It seems that the cookie was created and killed on the server and the browser knows nothing about it!

My question is that if the definitions of top mentioned references are wrong? Do they miss some details about the server side characteristics of cookies? What are the problems if I use cookies as temporary variables on the server side?

Answer 1

There's no such thing as "server-side cookie". Confusion is that the server asks for the browser to store cookies. This Stack Overflow thread gives a good example:

Browser request example:

GET /index.html HTTP/1.1 Host: www.example.com

Example answer from the server:

HTTP/1.1 200 OK Content-type: text/html Set-Cookie: foo=10 Set-Cookie: bar=20; Expires=Fri, 30 Sep 2011 11:48:00 GMT ... rest of the response

Here two cookies foo=10 and bar=20 are stored on the browser. The second one will expire on 30 September. In each subsequent request the browser will send the cookies back to the server.

GET /spec.html HTTP/1.1 Host: www.example.com Cookie: foo=10; bar=20 Accept: */*

What you may be looking for is a user session in the server-side (also referenced in that same thread). JEE implementation usually rely on the jsessionid cookie to identify user's data in the server side. Take a look at Oracle's documentation about user session:

The term user session refers to a series of user application interactions that are tracked by the server. Sessions are used for maintaining user specific state, including persistent objects (like handles to EJB components or database result sets) and authenticated user identities, among many interactions. For example, a session could be used to track a validated user login followed by a series of directed activities for a particular user.