001 /* 002 * Copyright 2004 The Apache Software Foundation 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 package javax.servlet.http; 017 018 import java.text.MessageFormat; 019 import java.util.ResourceBundle; 020 021 /** 022 * 023 * Creates a cookie, a small amount of information sent by a servlet to 024 * a Web browser, saved by the browser, and later sent back to the server. 025 * A cookie's value can uniquely 026 * identify a client, so cookies are commonly used for session management. 027 * 028 * <p>A cookie has a name, a single value, and optional attributes 029 * such as a comment, path and domain qualifiers, a maximum age, and a 030 * version number. Some Web browsers have bugs in how they handle the 031 * optional attributes, so use them sparingly to improve the interoperability 032 * of your servlets. 033 * 034 * <p>The servlet sends cookies to the browser by using the 035 * {@link HttpServletResponse#addCookie} method, which adds 036 * fields to HTTP response headers to send cookies to the 037 * browser, one at a time. The browser is expected to 038 * support 20 cookies for each Web server, 300 cookies total, and 039 * may limit cookie size to 4 KB each. 040 * 041 * <p>The browser returns cookies to the servlet by adding 042 * fields to HTTP request headers. Cookies can be retrieved 043 * from a request by using the {@link HttpServletRequest#getCookies} method. 044 * Several cookies might have the same name but different path attributes. 045 * 046 * <p>Cookies affect the caching of the Web pages that use them. 047 * HTTP 1.0 does not cache pages that use cookies created with 048 * this class. This class does not support the cache control 049 * defined with HTTP 1.1. 050 * 051 * <p>This class supports both the Version 0 (by Netscape) and Version 1 052 * (by RFC 2109) cookie specifications. By default, cookies are 053 * created using Version 0 to ensure the best interoperability. 054 * 055 * 056 * @author Various 057 * @version $Version$ 058 * 059 */ 060 061 // XXX would implement java.io.Serializable too, but can't do that 062 // so long as sun.servlet.* must run on older JDK 1.02 JVMs which 063 // don't include that support. 064 065 public class Cookie implements Cloneable { 066 067 private static final String LSTRING_FILE = 068 "javax.servlet.http.LocalStrings"; 069 private static ResourceBundle lStrings = 070 ResourceBundle.getBundle(LSTRING_FILE); 071 072 // 073 // The value of the cookie itself. 074 // 075 076 private String name; // NAME= ... "$Name" style is reserved 077 private String value; // value of NAME 078 079 // 080 // Attributes encoded in the header's cookie fields. 081 // 082 083 private String comment; // ;Comment=VALUE ... describes cookie's use 084 // ;Discard ... implied by maxAge < 0 085 private String domain; // ;Domain=VALUE ... domain that sees cookie 086 private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire 087 private String path; // ;Path=VALUE ... URLs that see the cookie 088 private boolean secure; // ;Secure ... e.g. use SSL 089 private int version = 0; // ;Version=1 ... means RFC 2109++ style 090 091 092 093 /** 094 * Constructs a cookie with a specified name and value. 095 * 096 * <p>The name must conform to RFC 2109. That means it can contain 097 * only ASCII alphanumeric characters and cannot contain commas, 098 * semicolons, or white space or begin with a $ character. The cookie's 099 * name cannot be changed after creation. 100 * 101 * <p>The value can be anything the server chooses to send. Its 102 * value is probably of interest only to the server. The cookie's 103 * value can be changed after creation with the 104 * <code>setValue</code> method. 105 * 106 * <p>By default, cookies are created according to the Netscape 107 * cookie specification. The version can be changed with the 108 * <code>setVersion</code> method. 109 * 110 * 111 * @param name a <code>String</code> specifying the name of the cookie 112 * 113 * @param value a <code>String</code> specifying the value of the cookie 114 * 115 * @throws IllegalArgumentException if the cookie name contains illegal characters 116 * (for example, a comma, space, or semicolon) 117 * or it is one of the tokens reserved for use 118 * by the cookie protocol 119 * @see #setValue 120 * @see #setVersion 121 * 122 */ 123 124 public Cookie(String name, String value) { 125 if (!isToken(name) 126 || name.equalsIgnoreCase("Comment") // rfc2019 127 || name.equalsIgnoreCase("Discard") // 2019++ 128 || name.equalsIgnoreCase("Domain") 129 || name.equalsIgnoreCase("Expires") // (old cookies) 130 || name.equalsIgnoreCase("Max-Age") // rfc2019 131 || name.equalsIgnoreCase("Path") 132 || name.equalsIgnoreCase("Secure") 133 || name.equalsIgnoreCase("Version") 134 || name.startsWith("$") 135 ) { 136 String errMsg = lStrings.getString("err.cookie_name_is_token"); 137 Object[] errArgs = new Object[1]; 138 errArgs[0] = name; 139 errMsg = MessageFormat.format(errMsg, errArgs); 140 throw new IllegalArgumentException(errMsg); 141 } 142 143 this.name = name; 144 this.value = value; 145 } 146 147 148 149 150 151 /** 152 * 153 * Specifies a comment that describes a cookie's purpose. 154 * The comment is useful if the browser presents the cookie 155 * to the user. Comments 156 * are not supported by Netscape Version 0 cookies. 157 * 158 * @param purpose a <code>String</code> specifying the comment 159 * to display to the user 160 * 161 * @see #getComment 162 * 163 */ 164 165 public void setComment(String purpose) { 166 comment = purpose; 167 } 168 169 170 171 172 /** 173 * Returns the comment describing the purpose of this cookie, or 174 * <code>null</code> if the cookie has no comment. 175 * 176 * @return a <code>String</code> containing the comment, 177 * or <code>null</code> if none 178 * 179 * @see #setComment 180 * 181 */ 182 183 public String getComment() { 184 return comment; 185 } 186 187 188 189 190 191 /** 192 * 193 * Specifies the domain within which this cookie should be presented. 194 * 195 * <p>The form of the domain name is specified by RFC 2109. A domain 196 * name begins with a dot (<code>.foo.com</code>) and means that 197 * the cookie is visible to servers in a specified Domain Name System 198 * (DNS) zone (for example, <code>www.foo.com</code>, but not 199 * <code>a.b.foo.com</code>). By default, cookies are only returned 200 * to the server that sent them. 201 * 202 * 203 * @param pattern a <code>String</code> containing the domain name 204 * within which this cookie is visible; 205 * form is according to RFC 2109 206 * 207 * @see #getDomain 208 * 209 */ 210 211 public void setDomain(String pattern) { 212 domain = pattern.toLowerCase(); // IE allegedly needs this 213 } 214 215 216 217 218 219 /** 220 * Returns the domain name set for this cookie. The form of 221 * the domain name is set by RFC 2109. 222 * 223 * @return a <code>String</code> containing the domain name 224 * 225 * @see #setDomain 226 * 227 */ 228 229 public String getDomain() { 230 return domain; 231 } 232 233 234 235 236 /** 237 * Sets the maximum age of the cookie in seconds. 238 * 239 * <p>A positive value indicates that the cookie will expire 240 * after that many seconds have passed. Note that the value is 241 * the <i>maximum</i> age when the cookie will expire, not the cookie's 242 * current age. 243 * 244 * <p>A negative value means 245 * that the cookie is not stored persistently and will be deleted 246 * when the Web browser exits. A zero value causes the cookie 247 * to be deleted. 248 * 249 * @param expiry an integer specifying the maximum age of the 250 * cookie in seconds; if negative, means 251 * the cookie is not stored; if zero, deletes 252 * the cookie 253 * 254 * 255 * @see #getMaxAge 256 * 257 */ 258 259 public void setMaxAge(int expiry) { 260 maxAge = expiry; 261 } 262 263 264 265 266 /** 267 * Returns the maximum age of the cookie, specified in seconds, 268 * By default, <code>-1</code> indicating the cookie will persist 269 * until browser shutdown. 270 * 271 * 272 * @return an integer specifying the maximum age of the 273 * cookie in seconds; if negative, means 274 * the cookie persists until browser shutdown 275 * 276 * 277 * @see #setMaxAge 278 * 279 */ 280 281 public int getMaxAge() { 282 return maxAge; 283 } 284 285 286 287 288 /** 289 * Specifies a path for the cookie 290 * to which the client should return the cookie. 291 * 292 * <p>The cookie is visible to all the pages in the directory 293 * you specify, and all the pages in that directory's subdirectories. 294 * A cookie's path must include the servlet that set the cookie, 295 * for example, <i>/catalog</i>, which makes the cookie 296 * visible to all directories on the server under <i>/catalog</i>. 297 * 298 * <p>Consult RFC 2109 (available on the Internet) for more 299 * information on setting path names for cookies. 300 * 301 * 302 * @param uri a <code>String</code> specifying a path 303 * 304 * 305 * @see #getPath 306 * 307 */ 308 309 public void setPath(String uri) { 310 path = uri; 311 } 312 313 314 315 316 /** 317 * Returns the path on the server 318 * to which the browser returns this cookie. The 319 * cookie is visible to all subpaths on the server. 320 * 321 * 322 * @return a <code>String</code> specifying a path that contains 323 * a servlet name, for example, <i>/catalog</i> 324 * 325 * @see #setPath 326 * 327 */ 328 329 public String getPath() { 330 return path; 331 } 332 333 334 335 336 337 /** 338 * Indicates to the browser whether the cookie should only be sent 339 * using a secure protocol, such as HTTPS or SSL. 340 * 341 * <p>The default value is <code>false</code>. 342 * 343 * @param flag if <code>true</code>, sends the cookie from the browser 344 * to the server only when using a secure protocol; 345 * if <code>false</code>, sent on any protocol 346 * 347 * @see #getSecure 348 * 349 */ 350 351 public void setSecure(boolean flag) { 352 secure = flag; 353 } 354 355 356 357 358 /** 359 * Returns <code>true</code> if the browser is sending cookies 360 * only over a secure protocol, or <code>false</code> if the 361 * browser can send cookies using any protocol. 362 * 363 * @return <code>true</code> if the browser uses a secure protocol; 364 * otherwise, <code>true</code> 365 * 366 * @see #setSecure 367 * 368 */ 369 370 public boolean getSecure() { 371 return secure; 372 } 373 374 375 376 377 378 /** 379 * Returns the name of the cookie. The name cannot be changed after 380 * creation. 381 * 382 * @return a <code>String</code> specifying the cookie's name 383 * 384 */ 385 386 public String getName() { 387 return name; 388 } 389 390 391 392 393 394 /** 395 * 396 * Assigns a new value to a cookie after the cookie is created. 397 * If you use a binary value, you may want to use BASE64 encoding. 398 * 399 * <p>With Version 0 cookies, values should not contain white 400 * space, brackets, parentheses, equals signs, commas, 401 * double quotes, slashes, question marks, at signs, colons, 402 * and semicolons. Empty values may not behave the same way 403 * on all browsers. 404 * 405 * @param newValue a <code>String</code> specifying the new value 406 * 407 * 408 * @see #getValue 409 * @see Cookie 410 * 411 */ 412 413 public void setValue(String newValue) { 414 value = newValue; 415 } 416 417 418 419 420 /** 421 * Returns the value of the cookie. 422 * 423 * @return a <code>String</code> containing the cookie's 424 * present value 425 * 426 * @see #setValue 427 * @see Cookie 428 * 429 */ 430 431 public String getValue() { 432 return value; 433 } 434 435 436 437 438 /** 439 * Returns the version of the protocol this cookie complies 440 * with. Version 1 complies with RFC 2109, 441 * and version 0 complies with the original 442 * cookie specification drafted by Netscape. Cookies provided 443 * by a browser use and identify the browser's cookie version. 444 * 445 * 446 * @return 0 if the cookie complies with the 447 * original Netscape specification; 1 448 * if the cookie complies with RFC 2109 449 * 450 * @see #setVersion 451 * 452 */ 453 454 public int getVersion() { 455 return version; 456 } 457 458 459 460 461 /** 462 * Sets the version of the cookie protocol this cookie complies 463 * with. Version 0 complies with the original Netscape cookie 464 * specification. Version 1 complies with RFC 2109. 465 * 466 * <p>Since RFC 2109 is still somewhat new, consider 467 * version 1 as experimental; do not use it yet on production sites. 468 * 469 * 470 * @param v 0 if the cookie should comply with 471 * the original Netscape specification; 472 * 1 if the cookie should comply with RFC 2109 473 * 474 * @see #getVersion 475 * 476 */ 477 478 public void setVersion(int v) { 479 version = v; 480 } 481 482 // Note -- disabled for now to allow full Netscape compatibility 483 // from RFC 2068, token special case characters 484 // 485 // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t"; 486 487 private static final String tspecials = ",; "; 488 489 490 491 492 /* 493 * Tests a string and returns true if the string counts as a 494 * reserved token in the Java language. 495 * 496 * @param value the <code>String</code> to be tested 497 * 498 * @return <code>true</code> if the <code>String</code> is 499 * a reserved token; <code>false</code> 500 * if it is not 501 */ 502 503 private boolean isToken(String value) { 504 int len = value.length(); 505 506 for (int i = 0; i < len; i++) { 507 char c = value.charAt(i); 508 509 if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1) 510 return false; 511 } 512 return true; 513 } 514 515 516 517 518 519 520 /** 521 * 522 * Overrides the standard <code>java.lang.Object.clone</code> 523 * method to return a copy of this cookie. 524 * 525 * 526 */ 527 528 public Object clone() { 529 try { 530 return super.clone(); 531 } catch (CloneNotSupportedException e) { 532 throw new RuntimeException(e.getMessage()); 533 } 534 } 535 } 536