Setting a Cookie

Setting a cookie is a partnership between a web server, which requests that a cookie be set, and a web browser, which ultimately decides, based on default settings or explicit instructions from the user, whether or not to set the cookie. The actual Set-Cookie: header looks as follows:

Set-Cookie: zip=90210; domain=.theaterlistings.com; path=/showtimes; expires=Wed, 01 Aug 2012 14:43:34 GMT

This simple set of instructions is merely a request from the web server for the browser to store a reminder, a name-value pair, specifically zip=90210.

It further asks that the reminder be sent back only to the issuing server, domain=.theaterlistings.com.

This limitation is narrowed further so that the reminder is sent back only to certain areas of that site, specifically those starting with path=/showtimes, such as http://www.theaterlistings.com/showtimes/results.html

A final instruction (request) is asked of the browser. The expires=Wed, 01 Aug 2012 12:00:00 GMT code instructs the browser to keep returning the reminder only until Wednesday the 1st of August, 2012 at high noon GMT. Note that it is not strictly necessary to specify an expiry. If no expiry is specified, the cookie is referred to as a session cookie and the reminder will only be replayed for the life of the browser session. Alternatively, if any expiry (even one limited to several hours) is given, the cookie is referred to as a persistent cookie. Note that the term persistent doesn't really give any information about the cookie's duration: persistent cookies can be set for 10 minutes or 30 years, and all unfortunately get the same moniker.

There is nothing in this code that forces anything onto a computer. The request is simply evaluated by the browser, usually taking into account if the request is coming from a 1st or 3rd party (discussed later), if the request is coming from a domain for which it has specific instructions (such as always accept or always deny) and if there is an accompanying P3P: privacy header which provides data on which to base a decision (again more on this elsewhere).
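The replay rules described above (domain, path, expiry, session versus persistent) can be modelled in a few lines. This is an added example, not code from the original page: parseSetCookie and shouldSend are illustrative names rather than a browser API, the default path of "/" is a simplification, and the matching follows the RFC 6265 domain-match and path-match rules.

```javascript
// Added example. parseSetCookie and shouldSend are illustrative names, not a
// browser API; matching follows the RFC 6265 domain-match and path-match rules.
const SAMPLE = "Set-Cookie: zip=90210; domain=.theaterlistings.com; " +
  "path=/showtimes; expires=Wed, 01 Aug 2012 14:43:34 GMT"; // header from the text

function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.replace(/^Set-Cookie:\s*/i, "")
    .split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, // no domain= attribute
    path: "/",       // simplification: browsers derive the default from the URL
    expires: null,   // null means a session cookie
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i < 0) continue;
    const key = attr.slice(0, i).trim().toLowerCase();
    const val = attr.slice(i + 1).trim();
    if (key === "domain") {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot ignored
      cookie.hostOnly = false;
    } else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = new Date(val);
  }
  cookie.persistent = cookie.expires !== null;
  return cookie;
}

// Would the browser replay this cookie on a request to `url` at time `now`?
function shouldSend(cookie, url, now) {
  const { hostname, pathname } = new URL(url);
  const domainOk = hostname === cookie.domain ||
    (!cookie.hostOnly && hostname.endsWith("." + cookie.domain));
  const p = cookie.path;
  // Prefix match only on a "/" boundary: /showtimes covers /showtimes/x but
  // not /showtimes-old.
  const pathOk = pathname === p || (pathname.startsWith(p) &&
    (p.endsWith("/") || pathname[p.length] === "/"));
  const fresh = cookie.expires === null || now < cookie.expires;
  return domainOk && pathOk && fresh;
}

const c = parseSetCookie(SAMPLE, "www.theaterlistings.com");
const when = new Date("2010-08-04T18:47:27Z"); // constructed time before the expiry
console.log(shouldSend(c, "http://www.theaterlistings.com/showtimes/results.html", when));
console.log(shouldSend(c, "http://www.theaterlistings.com/showtimes-old/", when));
```

A cookie set without domain= is replayed only to the exact host that set it, which is why the sketch tracks a hostOnly flag.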

As a practical matter, the Set-Cookie header looks like any other of the headers returned in response to a request for a page, which by way of a larger example may look as follows:

HTTP/1.0 301 Moved Permanently
MIME-Version: 1.0
Server: ArtBlast/3.5.5
Date: Wed, 04 Aug 2010 18:47:27 GMT
Expires: Wed, 04 Aug 2010 19:17:27 GMT
Content-Length: 91
Content-Type: text/html
Location: http://www.theaterlistings.com/home.php
Connection: keep-alive
Set-Cookie: zip=90210; domain=.theaterlistings.com; path=/showtimes; expires=Wed, 01 Aug 2012 14:43:34 GMT
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC

We needn't go into what all the other header information means, but it is sometimes valuable just to have the context of where and how such a request appears.