Solaris Java Plug-in User's Guide

Chapter 7 Cookie Support

This section covers the following topics:

Introduction

Cookies are a way of storing data on the client side. They have been used extensively for personalization of portal sites, user preference tracking, and logging into web sites. For enterprise customers using cookies in their web sites, cookie support in Java Plug-in is essential for making deployment of Java applets or JavaBeans™ components easier.

Cookie support allows an applet or JavaBeans component to pass a cookie back to a web server if that cookie originated from the web server. This provides the server with information about the state of the client. Beginning with version 1.4, Java Plug-in provides bidirectional cookie support. This document specifies how cookies work in different browser environments.

How Java Plug-in Supports Cookies

Java Plug-in supports both Internet Explorer and Netscape Navigator browsers on various Win32 platforms and the Solaris operating environment, and it supports Netscape Navigator browsers on Linux platforms. Java Plug-in provides cookie support through the browser API. Because browsers on various platforms implement the browser's API differently, cookie support in Java Plug-in varies according to platform. You need to know how each browser supports cookies and how Java Plug-in accesses and updates cookie information.

When a browser makes an HTTP/HTTPS request through a URL connection, it normally checks the cookie cache and policy to determine if a cookie should be sent along with the HTTP/HTTPS request header. If so, the browser will read the cookie from the cache and append the cookie as part of the HTTP/HTTPS request header.

When a browser processes the HTTP/HTTPS response header through a URL connection, it checks the header to see if any cookies should be set. The browser also checks the cookie policy to determine if the action is allowed. If so, it extracts the cookie from the HTTP/HTTPS response header and writes it into the cookie cache.

When an HTTP/HTTPS request is made using Java Plug-in, Java Plug-in consults the browser to determine if a cookie should be sent along. If so, the HTTP/HTTPS request will contain the cookie as part of the header. Otherwise, the HTTP/HTTPS request will be sent with no cookie attached.

When a cookie needs to be set from the HTTP/HTTPS response header, Java Plug-in uses the browser API to do so, with the exception of Netscape Navigator 4 browsers. For the Netscape Navigator 4 browser, there is no API allowing Java Plug-in to do so.

There is another limitation for Netscape Navigator 4 browsers. When using Java Plug-in in a Netscape Navigator 4 browser, cookie support works only if the codebase is the same as, or a subdirectory of, the document base. See examples in the table below:

Document Base              Codebase                   Will It Work?
http://host.com/my/        http://host.com/my/        Yes
http://host.com/my/        http://host.com/my/page    Yes
http://host.com/my/page    http://host.com/my/        No
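The codebase rule from the table, written as a check that can be run over applet deployments before rollout. This is an added example, not code from the original guide or from Java Plug-in. The names CodebaseCheck and cookiesWork are hypothetical, and comparing scheme, host and port, resolving ".." segments and matching on whole path segments are assumptions that go beyond the three cases the table shows.

```java
import java.net.URI;

// Added example (not part of Java Plug-in): checks whether a codebase is the
// same as, or a subdirectory of, the document base, as the table describes.
public class CodebaseCheck {

    // Fill in the default port so http://host.com/ and http://host.com:80/ match.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Treat every path as a directory by giving it a trailing slash.
    static String asDirectory(String path) {
        if (path == null || path.isEmpty()) return "/";
        return path.endsWith("/") ? path : path + "/";
    }

    static boolean cookiesWork(String documentBase, String codebase) {
        // normalize() resolves "." and ".." so a codebase cannot appear to sit
        // under the document base while actually pointing elsewhere.
        URI doc = URI.create(documentBase).normalize();
        URI code = URI.create(codebase).normalize();
        if (doc.getScheme() == null || doc.getHost() == null) return false;
        if (code.getScheme() == null || code.getHost() == null) return false;

        // Assumption: both URLs must name the same scheme, host and port.
        if (!doc.getScheme().equalsIgnoreCase(code.getScheme())) return false;
        if (!doc.getHost().equalsIgnoreCase(code.getHost())) return false;
        if (port(doc) != port(code)) return false;

        // Assumption: "subdirectory" is decided on whole path segments, so
        // /mydata/ is not treated as lying under /my/.
        return asDirectory(code.getPath()).startsWith(asDirectory(doc.getPath()));
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"http://host.com/my/", "http://host.com/my/"},          // table row 1
            {"http://host.com/my/", "http://host.com/my/page"},      // table row 2
            {"http://host.com/my/page", "http://host.com/my/"},      // table row 3
            {"http://host.com/my/", "http://host.com/my/../other/"}, // constructed: ".." leaves /my/
            {"http://host.com/my/", "http://host.com/mydata/"},      // constructed: sibling directory
        };
        for (String[] c : cases) {
            System.out.printf("%-26s %-32s %s%n", c[0], c[1], cookiesWork(c[0], c[1]) ? "Yes" : "No");
        }
    }
}
```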

Currently, cookie support in Java Plug-in is triggered automatically when an HTTP/HTTPS connection needs to be made.

To ensure that cookie support in Java Plug-in always works as expected, the following is recommended:

(The above recommendations apply to an intranet environment, where deployment of browsers and web servers is controllable.)

For more general information about how cookies work, consult the user guide for your browser.

Cookie Policy Support in Java Plug-in

Java Plug-in supports all cookie policies that are supported in both Internet Explorer and Netscape Navigator browsers. Cookie policy can be configured in both browsers (see your browser guide for details). There are various options, including the following:

When cookie policy is changed in the browser, it will take effect the next time an HTTP/HTTPS connection is made via Java Plug-in.

Java Plug-in does not provide cookie-caching support. Instead, it consults the browser every time an HTTP/HTTPS connection is made. Thus the browser is the only place where cookies are stored. Any change to a cookie in the browser is reflected immediately in Java Plug-in when a new HTTP/HTTPS connection is made.

Cookies and Disk Caching

Java Plug-in provides disk-caching support through the browser's API. It is triggered whenever a .jar or .class file is downloaded via an HTTP/HTTPS connection. When disk-caching support is triggered, the file is downloaded entirely by the browser, and a cookie will be handled automatically by the browser.

Cookies and Security

Although cookies are sent when an HTTP/HTTPS connection is made in Java Plug-in, applets and beans have no access to this information, even if the code is trusted. Moreover, a cookie is only sent back to the host and domain from which it came.