Introduction
This document describes what HTTP cookies are and what the difference is between session cookies and persistent cookies.
Background Information
Cookies are strings of data that a web server sends to the browser. When a browser requests an object from the same domain in the future, the browser will send the same string of data back to the origin server.
The data is sent from the web server in the form of an HTTP header called "Set-Cookie". The browser sends the cookie back to the server in an HTTP header called "Cookie".
Here is an example of what an HTTP cookie transaction might look like:
HTTP response from the web server:
    [...]
    Set-Cookie: first.lastname
HTTP GET from the client:
    [...]
    Cookie: first.lastname
In the sample transaction, the web server told the client to create the cookie "first.lastname". The next time the client requests an object from this domain it sends the cookie with the request. This illustrates how a web server might be able to recall certain information such as user logins.
Types of Cookies
There are two types of cookies: session cookies and persistent cookies. If a cookie does not contain an expiration date, it is a session cookie. Session cookies are stored in memory and never written to disk; when the browser closes, the cookie is lost. If the cookie contains an expiration date, it is a persistent cookie. Persistent cookies are written to disk and removed on the date specified in the expiration.
There are several different fields a cookie can contain, separated by semicolons. The definitions are:
expires
    expires="Wdy, DD-Mon-YYYY HH:MM:SS GMT"
    Determines when the cookie is to be deleted.
path
    path=/
    Determines the URL path for which the browser returns the cookie. In this example, the cookie is sent with requests for the root path of the domain and everything below it.
domain
    domain=whatever.domain.com
    Specifies what domain the cookie is used for. If this does not match the domain currently being browsed to, it is considered a "3rd Party cookie" and is rejected by the browser. This prevents one domain from setting a cookie for a different domain.