07 cookies

19
© 2010 Marty Hall H dli C ki Handling Cookies Originals of Slides and Source Code for Examples: http://courses.coreservlets.com/Course-Materials/csajsp2.html Customized Java EE Training: http://courses.coreservlets.com/ Servlets, JSP, JSF 2.0, Struts, Ajax, GWT 2.0, Spring, Hibernate, SOAP & RESTful Web Services, Java 6. Developed and taught by well-known author and developer. At public venues or onsite at your location. 2 © 2010 Marty Hall For live Java EE training, please see training courses at http://courses.coreservlets.com/. at http://courses.coreservlets.com/. Servlets, JSP, Struts, JSF 1.x, JSF 2.0, Ajax (with jQuery, Dojo, Prototype, Ext-JS, Google Closure, etc.), GWT 2.0 (with GXT), Java 5, Java 6, SOAP-based and RESTful Web Services, Spring, Hibernate/JPA, and customized combinations of topics. Taught by the author of Core Servlets and JSP, More Servlets and JSP and this tutorial Available at public Customized Java EE Training: http://courses.coreservlets.com/ Servlets, JSP, JSF 2.0, Struts, Ajax, GWT 2.0, Spring, Hibernate, SOAP & RESTful Web Services, Java 6. Developed and taught by well-known author and developer. At public venues or onsite at your location. Servlets and JSP, and this tutorial. Available at public venues, or customized versions can be held on-site at your organization. Contact [email protected] for details.

Upload: snopteck

Post on 08-May-2015

1.531 views

Category:

Technology


1 download

TRANSCRIPT

Page 1: 07 cookies

© 2010 Marty Hall

H dli C kiHandling CookiesOriginals of Slides and Source Code for Examples:

http://courses.coreservlets.com/Course-Materials/csajsp2.html

Customized Java EE Training: http://courses.coreservlets.com/Servlets, JSP, JSF 2.0, Struts, Ajax, GWT 2.0, Spring, Hibernate, SOAP & RESTful Web Services, Java 6.

Developed and taught by well-known author and developer. At public venues or onsite at your location.2

© 2010 Marty Hall

For live Java EE training, please see training courses at http://courses.coreservlets.com/. at http://courses.coreservlets.com/.

Servlets, JSP, Struts, JSF 1.x, JSF 2.0, Ajax (with jQuery, Dojo, Prototype, Ext-JS, Google Closure, etc.), GWT 2.0 (with GXT),

Java 5, Java 6, SOAP-based and RESTful Web Services, Spring, gHibernate/JPA, and customized combinations of topics.

Taught by the author of Core Servlets and JSP, More Servlets and JSP and this tutorial Available at public

Customized Java EE Training: http://courses.coreservlets.com/Servlets, JSP, JSF 2.0, Struts, Ajax, GWT 2.0, Spring, Hibernate, SOAP & RESTful Web Services, Java 6.

Developed and taught by well-known author and developer. At public venues or onsite at your location.

Servlets and JSP, and this tutorial. Available at public venues, or customized versions can be held on-site at your

organization. Contact [email protected] for details.

Page 2: 07 cookies

Agenda

• Understanding the benefits and drawbacks f kiof cookies

• Sending outgoing cookiesR i i i i ki• Receiving incoming cookies

• Tracking repeat visitorsS if i ki tt ib t• Specifying cookie attributes

• Differentiating between session cookies and persistent cookiespersistent cookies

• Simplifying cookie usage with utility classes• Modifying cookie values• Modifying cookie values• Remembering user preferences

4

The Potential of Cookies

• Idea– Servlet sends a simple name and value to client.– Client returns same name and value when it connects to

same site (or same domain depending on cookiesame site (or same domain, depending on cookie settings).

• Typical Uses of Cookiesyp– Identifying a user during an e-commerce session

• Servlets have a higher-level API for this task

Avoiding username and password– Avoiding username and password– Customizing a site– Focusing advertisingg g

5

Page 3: 07 cookies

Cookies and Focused AdvertisingAdvertising

6

Cookies and Privacy

FoxTrot © 1998 Bill Amend Reprinted with permission ofFoxTrot © 1998 Bill Amend. Reprinted with permission of Universal Press Syndicate. All rights reserved.

7

Page 4: 07 cookies

Some Problems with Cookies

• The problem is privacy, not security.– Servers can remember your previous actions – If you give out personal information, servers can link that

information to your previous actionsinformation to your previous actions– Servers can share cookie information through use of a

cooperating third party like doubleclick.net– Poorly designed sites store sensitive information like credit

card numbers directly in cookie– JavaScript bugs let hostile sites steal cookies (old browsers)– JavaScript bugs let hostile sites steal cookies (old browsers)

• Moral for servlet authors– If cookies are not critical to your task, avoid servlets that coo es a e ot c t ca to you tas , avo d se v ets t at

totally fail when cookies are disabled– Don’t put sensitive info in cookies

8

Manually Deleting Cookies (To Simplify Testing)(To Simplify Testing)

9

Page 5: 07 cookies

Sending Cookies to the Client

• Create a Cookie object. – Call the Cookie constructor with a cookie name and a

cookie value, both of which are strings.Cookie c = new Cookie("userID" "a1234");Cookie c = new Cookie( userID , a1234 );

• Set the maximum age. – To tell browser to store cookie on disk instead of just in– To tell browser to store cookie on disk instead of just in

memory, use setMaxAge (argument is in seconds)c.setMaxAge(60*60*24*7); // One week

• Place the Cookie into the HTTP response – Use response.addCookie. – If you forget this step, no cookie is sent to the browser!

response.addCookie(c);10

Reading Cookies from the Client

• Call request.getCookies This yields an array of Cookie objects– This yields an array of Cookie objects.

• Loop down the array, calling getName on each entry until you find the cookie of interest

U th l ( tV l ) i li ti ifi– Use the value (getValue) in application-specific way.

String cookieName = "userID";Cookie[] cookies = request.getCookies();if (cookies != null) {

for(Cookie cookie: cookies) {o (Coo e coo e: coo es) {if (cookieName.equals(cookie.getName())) {

doSomethingWith(cookie.getValue());}}

}}

11

Page 6: 07 cookies

Using Cookies to Detect First-Time VisitorsFirst-Time Visitorspublic class RepeatVisitor extends HttpServlet {

public void doGet(HttpServletRequest requestpublic void doGet(HttpServletRequest request,HttpServletResponse response)

throws ServletException, IOException {boolean newbie = true;boolean newbie = true;Cookie[] cookies = request.getCookies();if (cookies != null) {

f (C ki ki ) {for(Cookie c: cookies) {if ((c.getName().equals("repeatVisitor")) &&

(c.getValue().equals("yes"))) {newbie = false;break;

}}

}

12

Using Cookies to Detect First-Time Visitors (Continued)First-Time Visitors (Continued)

String title;if (newbie) {if (newbie) {

Cookie returnVisitorCookie =new Cookie("repeatVisitor", "yes");

returnVisitorCookie setMaxAge(60*60*24*365);returnVisitorCookie.setMaxAge(60*60*24*365); response.addCookie(returnVisitorCookie);title = "Welcome Aboard";

} l {} else {title = "Welcome Back";

}( / )response.setContentType("text/html");

PrintWriter out = response.getWriter();… // (Output page with above title)

13

Page 7: 07 cookies

Using Cookies to Detect First-Time Visitors (Results)First-Time Visitors (Results)

14

Using Cookie Attributes

• getDomain/setDomain– Lets you specify domain to which cookie applies. Current

host must be part of domain specified.

• getMaxAge/setMaxAge• getMaxAge/setMaxAge– Gets/sets the cookie expiration time (in seconds). If you

fail to set this, cookie applies to current browsing session l S L Li dC ki h l l i lionly. See LongLivedCookie helper class given earlier.

• getNameGets the cookie name There is no setName method; you– Gets the cookie name. There is no setName method; you supply name to constructor. For incoming cookie array, you use getName to find the cookie of interest.

15

Page 8: 07 cookies

Using Cookie Attributes

• getPath/setPath– Gets/sets the path to which cookie applies. If unspecified,

cookie applies to URLs that are within or below directory containing current page.g p g

• getSecure/setSecure– Gets/sets flag indicating whether cookie should apply

l t SSL ti t ll tionly to SSL connections or to all connections.

• getValue/setValueGets/sets value associated with cookie For new cookies– Gets/sets value associated with cookie. For new cookies, you supply value to constructor, not to setValue. For incoming cookie array, you use getName to find the cookie of interest then call getValue on the result If youcookie of interest, then call getValue on the result. If you set the value of an incoming cookie, you still have to send it back out with response.addCookie.

16

Differentiating Session Cookies from Persistent Cookiesfrom Persistent Cookiespublic class CookieTest extends HttpServlet {

public void doGet(HttpServletRequest requestpublic void doGet(HttpServletRequest request,HttpServletResponse response)

throws ServletException, IOException {for(int i=0; i<3; i++) {for(int i=0; i<3; i++) {

Cookie cookie = new Cookie("Session-Cookie-" + i,

"C ki V l S" + i)"Cookie-Value-S" + i);// No maxAge (ie maxAge = -1)response.addCookie(cookie);

(cookie = new Cookie("Persistent-Cookie-" + i,"Cookie-Value-P" + i);

cookie.setMaxAge(3600);response.addCookie(cookie);

}

17

Page 9: 07 cookies

Differentiating Session Cookies from Persistent Cookies (Cont)from Persistent Cookies (Cont)

… // Start an HTML tableCookie[] cookies = request getCookies();Cookie[] cookies = request.getCookies();if (cookies == null) {

out.println("<TR><TH COLSPAN=2>No cookies");} else {} else {

for(Cookie cookie: cookies) {out.println

("<TR>\ " +("<TR>\n" +" <TD>" + cookie.getName() + "\n" +" <TD>" + cookie.getValue());

}}out.println("</TABLE></BODY></HTML>");

}}

18

Differentiating Session Cookies from Persistent Cookiesfrom Persistent Cookies

• Result of initial visit to CookieTest servlet– Same result as when visiting the servlet, quitting the

browser, waiting an hour, and revisiting the servlet.

19

Page 10: 07 cookies

Differentiating Session Cookies from Persistent Cookiesfrom Persistent Cookies

• Result of revisiting CookieTest within an hour f i i l i it ( b i )of original visit (same browser session)

– I.e., browser stayed open between the original visit and the visit shown herethe visit shown here

20

Differentiating Session Cookies from Persistent Cookiesfrom Persistent Cookies

• Result of revisiting CookieTest within an hour f i i l i it (diff t b i )of original visit (different browser session)

– I.e., browser was restarted between the original visit and the visit shown herethe visit shown here.

21

Page 11: 07 cookies

Utility: Finding Cookies with Specified NamesSpecified Names

public class CookieUtilities {public static String getCookieValuepublic static String getCookieValue

(HttpServletRequest request,String cookieName,String defaultValue) {g ) {

Cookie[] cookies = request.getCookies();if (cookies != null) {for(Cookie cookie: cookies) {if (cookieName.equals(cookie.getName())) {return(cookie.getValue());

}}}

}return(defaultValue);

}}…

}22

Utility: Creating Long-Lived CookiesCookies

public class LongLivedCookie extends Cookie {public class LongLivedCookie extends Cookie {public static final int SECONDS_PER_YEAR =

60*60*24*365;

public LongLivedCookie(String name, String value) {super(name, value);setMaxAge(SECONDS PER YEAR);setMaxAge(SECONDS_PER_YEAR);

}}

23

Page 12: 07 cookies

Applying Utilities: RepeatVisitor2RepeatVisitor2

public class RepeatVisitor2 extends HttpServlet {public void doGet(HttpServletRequest request,p p q q

HttpServletResponse response)throws ServletException, IOException {

boolean newbie = true;String value =String value CookieUtilities.getCookieValue(request,

"repeatVisitor2","no");

if (value equals("yes")) {if (value.equals("yes")) {newbie = false;

}String title;if ( bi ) {if (newbie) {LongLivedCookie returnVisitorCookie =new LongLivedCookie("repeatVisitor2", "yes");

response.addCookie(returnVisitorCookie);title = "Welcome Aboard";

} else {title = "Welcome Back";

}24

Modifying Cookie Values

• Replacing a cookie value– Send the same cookie name with a different cookie value.– Reusing incoming Cookie objects.

• Need to call response addCookie; merely calling setValue• Need to call response.addCookie; merely calling setValue is not sufficient.

• Also need to reapply any relevant cookie attributes by calling setMaxAge setPath etc —cookie attributes are notcalling setMaxAge, setPath, etc.—cookie attributes are not specified for incoming cookies.

• Usually not worth the bother, so new Cookie object used

Instructing the browser to delete a cookie• Instructing the browser to delete a cookie – Use setMaxAge to assign a maximum age of 0.

25

Page 13: 07 cookies

Tracking User Access Counts

public class ClientAccessCounts extends HttpServlet {public void doGet(HttpServletRequest requestpublic void doGet(HttpServletRequest request,

HttpServletResponse response)throws ServletException, IOException {

String countString =String countString =CookieUtilities.getCookieValue(request,

"accessCount","1");1 );

int count = 1;try {

count = Integer.parseInt(countString);cou t tege .pa se t(cou tSt g);} catch(NumberFormatException nfe) { }LongLivedCookie c =

new LongLivedCookie("accessCount",g ( ,String.valueOf(count+1));

response.addCookie(c);26

Tracking User Access Counts (Continued)(Continued)

…out println(docType +out.println(docType +

"<HTML>\n" +"<HEAD><TITLE>" + title + "</TITLE></HEAD>\n" +"</TITLE></HEAD>\n" +"<BODY BGCOLOR=\"#FDF5E6\">\n" +"<CENTER>\n" +"<H1>" + titl + "</H1>\ " +"<H1>" + title + "</H1>\n" +"<H2>This is visit number " +count + " by this browser.</H2>\n"+

/ / / )"</CENTER></BODY></HTML>");}

}

27

Page 14: 07 cookies

Tracking User Access Counts (Results)(Results)

28

Using Cookies to Remember User PreferencesUser Preferences

• RegistrationForm servlet– Uses cookie values to prepopulate form field values– Uses default values if no cookies are found

Will be redone in JSP later in class– Will be redone in JSP later in class

• Registration servletRegistration servlet– Creates cookies based on request parameters received– Displays values if all parameters are present– Redirects to form if any parameter is missing

29

Page 15: 07 cookies

RegistrationForm Servlet

public class RegistrationForm extends HttpServlet {public void doGet(HttpServletRequest request,p ( p q q ,

HttpServletResponse response)throws ServletException, IOException {

response.setContentType("text/html");PrintWriter out = response getWriter();PrintWriter out = response.getWriter();String actionURL =

"coreservlets.RegistrationServlet";String firstName =

CookieUtilities.getCookieValue(request, "firstName", "");

String lastName =CookieUtilities getCookieValue(requestCookieUtilities.getCookieValue(request,

"lastName", "");String emailAddress =

CookieUtilities.getCookieValue(request, "emailAddress","");

30

RegistrationForm Servlet (Continued)(Continued)

out.println(docType +"<HTML>\n" +"<HEAD><TITLE>" + title + "</TITLE></HEAD>\n" +"<BODY BGCOLOR=\"#FDF5E6\">\n" +"<CENTER>\n" +"<H1>" + title + "</H1>\n" +"<FORM ACTION=\"" + actionURL + "\">\n" +"First Name:\n" +" <INPUT TYPE=\"TEXT\" NAME=\"firstName\" " +

"VALUE=\"" + firstName + "\"><BR>\n" +"Last Name:\n" +" <INPUT TYPE=\"TEXT\" NAME=\"lastName\" " +

"VALUE=\"" + lastName + "\"><BR>\n"+"Email Address: \n" +" <INPUT TYPE=\"TEXT\" NAME=\"emailAddress\" " +

"VALUE=\"" + emailAddress + "\"><P>\n" +"<INPUT TYPE=\"SUBMIT\" VALUE=\"Register\">\n" +g"</FORM></CENTER></BODY></HTML>");

}}

31

Page 16: 07 cookies

Registration Servlet

public class RegistrationServlet extends HttpServlet {public void doGet(HttpServletRequest request,p ( p q q ,

HttpServletResponse response)throws ServletException, IOException {

response.setContentType("text/html");boolean isMissingValue = false;boolean isMissingValue = false;String firstName =

request.getParameter("firstName");if (isMissing(firstName)) {

firstName = "Missing first name";isMissingValue = true;

}String lastName =String lastName =

request.getParameter("lastName");if (isMissing(lastName)) {

lastName = "Missing last name";isMissingValue = true;

}…

32

Registration Servlet (Continued)

Cookie c1 = new LongLivedCookie("firstName" firstName);new LongLivedCookie( firstName , firstName);

response.addCookie(c1);Cookie c2 =

new LongLivedCookie("lastName" lastName);new LongLivedCookie("lastName", lastName);response.addCookie(c2);Cookie c3 = new LongLivedCookie("emailAddress",

ilAdd )emailAddress);response.addCookie(c3);String formAddress ="coreservlets.RegistrationForm";

if (isMissingValue) {response.sendRedirect(formAddress);

} else { … }

33

Page 17: 07 cookies

RegistrationForm (Initial Result)

34

RegistrationForm (Submitting Incomplete Form)Incomplete Form)

35

Page 18: 07 cookies

RegistrationForm (Submitting Complete Form)Complete Form)

36

RegistrationForm (Initial Result on Later Visit)(Initial Result on Later Visit)

37

Page 19: 07 cookies

Summary

• Basic functionalityC ki i l / l i t f t– Cookies involve name/value pairs sent from server to browser and automatically returned when the same page, site, or domain is visited later

• Let you• Let you– Track sessions (use higher-level session-tracking API)– Permit users to avoid logging in at low-security sitesgg g y– Customize sites for different users– Focus content or advertising

• Setting cookies• Setting cookies– Call Cookie constructor, set age, call response.addCookie

• Reading cookiesg– Call request.getCookies, check for null, look through

array for matching name, use associated value38

© 2010 Marty Hall

Questions?

Customized Java EE Training: http://courses.coreservlets.com/Servlets, JSP, JSF 2.0, Struts, Ajax, GWT 2.0, Spring, Hibernate, SOAP & RESTful Web Services, Java 6.

Developed and taught by well-known author and developer. At public venues or onsite at your location.39