Takes 6 parameters, Name, Value, Path, Domain, Expires, Other


An HTTP Cookie will be set in the client's web browser, referenced by Name and set to Value. The client's web browser will on subsequent visits return this value to the server in the HTTP Header, where it will be parsed automatically and appear in the Request Query with the prefix of Cookie. in front of the Field name. Any Attributes (Path, Domain, Expires, Others) will be placed into Fields named the same but with a trailing # symbol followed by the Attribute name.

HTTP Cookies should not be trusted, any more than any other data that arrives from a client. A secure way to store information about a user that cannot be modified by that user is to use the built-in Session tools instead: the Session Command, the Session$ Text Function, and/or the Session Function of the Text Command.

It is typical for web systems to set the Value to a parseable string of many named value pairs in a single Cookie. This is preferable to having many separate Cookies stored on the user's computer. For example, you can use URLEncode on each value and then separate each name/value pair with the & sign. Note that Value may not include any ; characters.

If Path is set, then all URLs that equal that path, or are a sub-element of that path, will have this Cookie returned. In order to have a Cookie always be returned, anywhere in the system, set the Path to "/". If the Path is blank or is not specified, then the Client's web browser will set the Path for the Cookie to the current URL.

If Domain is set, then the Cookie will only be returned for URLs on that Domain, or a sub-Domain thereof. Note that most web-browsers, by default, will not accept Cookies with the Domain set to anything other than the domain of the current server. Therefore, this parameter will typically be left blank or not specified, in which case the Client's web browser will set the Domain for the Cookie to the current server's domain.

If Expires is set, the Cookie will not be deleted when the user's web browser is closed. The format of this value must be in the form of "Wdy, DD-Mon-YYYY HH:MM:SS GMT". If a Cookie with a future Expiry date is to be recalled/cancelled, simply set the same Cookie again with an Expiry date well in the past.

Any other Attributes may be specified in the Other parameter. Each Other Attribute must be in the form of Name=Value and be separated by a ;

Any Cookies that are set while the client is connecting via HTTPS will automatically have the "secure" flag applied to the cookie, such that it will only be returned to the server over a secure connection.

When Moxie creates Session Cookies (Cnw-Session), it will add the "HttpOnly" flag to the cookie as well. This prevents access to this cookie from JavaScript on the client side and improves security. If there is need for JavaScript to authenticate, it should use an alternate key for such purposes.

If there is other cookie data that a web application should prevent JavaScript from seeing, a developer may specify ; HttpOnly in the Other Parameter for the HttpCookie command.


Rem 'Setting Cookie
[New] User = $SessionUser
HttpCookie "ActAsUser", User, "", "", "", ""

Rem 'Getting Cookie
[Pull] Cookie.ActAsUser
HtmlAlert Cookie.ActAsUser 'Displays session user's alias