Setting a Cookie Response Header (+ example)

17/09/09 Permalink

Info from

4.2.2  Set-Cookie Syntax

   The syntax for the Set-Cookie response header is

   set-cookie      =       "Set-Cookie:" cookies
   cookies         =       1#cookie
   cookie          =       NAME "=" VALUE *(";" cookie-av)
   NAME            =       attr
   VALUE           =       value
   cookie-av       =       "Comment" "=" value
                   |       "Domain" "=" value
                   |       "Max-Age" "=" value
                   |       "Path" "=" value
                   |       "Secure"
                   |       "Version" "=" 1*DIGIT

   Informally, the Set-Cookie response header comprises the token Set-
   Cookie:, followed by a comma-separated list of one or more cookies.
   Each cookie begins with a NAME=VALUE pair, followed by zero or more
   semi-colon-separated attribute-value pairs.  The syntax for
   attribute-value pairs was shown earlier.  The specific attributes and
   the semantics of their values follows.  The NAME=VALUE attribute-
   value pair must come first in each cookie.  The others, if present,
   can occur in any order.  If an attribute appears more than once in a
   cookie, the behavior is undefined.

      Required.  The name of the state information ("cookie") is NAME,
      and its value is VALUE.  NAMEs that begin with $ are reserved for
      other uses and must not be used by applications.

      The VALUE is opaque to the user agent and may be anything the
      origin server chooses to send, possibly in a server-selected
      printable ASCII encoding.  "Opaque" implies that the content is of
      interest and relevance only to the origin server.  The content
      may, in fact, be readable by anyone that examines the Set-Cookie

      Optional.  Because cookies can contain private information about a
      user, the Cookie attribute allows an origin server to document its
      intended use of a cookie.  The user can inspect the information to
      decide whether to initiate or continue a session with this cookie.

      Optional.  The Domain attribute specifies the domain for which the
      cookie is valid.  An explicitly specified domain must always start
      with a dot.

      Optional.  The Max-Age attribute defines the lifetime of the
      cookie, in seconds.  The delta-seconds value is a decimal non-
      negative integer.  After delta-seconds seconds elapse, the client
      should discard the cookie.  A value of zero means the cookie
      should be discarded immediately.

      Optional.  The Path attribute specifies the subset of URLs to
      which this cookie applies.

      Optional.  The Secure attribute (with no value) directs the user
      agent to use only (unspecified) secure means to contact the origin
      server whenever it sends back this cookie.

      The user agent (possibly under the user's control) may determine
      what level of security it considers appropriate for "secure"
      cookies.  The Secure attribute should be considered security
      advice from the server to the user agent, indicating that it is in
      the session's interest to protect the cookie contents.

      Required.  The Version attribute, a decimal integer, identifies to
      which version of the state management specification the cookie
      conforms.  For this specification, Version=1 applies.

An example would be something like this:

Set-Cookie: MyCookie=Mr5G5qzuyOyIBacnEzS58del1iuq005QmzX0B9ck; version=0; expires=Tue, 05-Oct-2077 20:31:32 BST; path=/

Share It: Digg | | Furl | reddit | Facebook | Yahoo! | Send to Phone | Feedback