Java Servlet: Cookies

HTTP is stateless. This means that every HTTP request is different from others. Sometimes, it is necessary to keep track of a sequence of related requests sent by a client to perform some designated task. This is called session tracking.

Cookies are one of the solutions to session tracking. A cookie is [key, value] pair created by the server and is installed in the client’s browser when the client makes a request for the first time. Browsers also maintain a list of cookies installed in them and send them to the server as a part of subsequent HTTP requests. The server can then easily identify that this request is a part of a sequence of related requests. This way, cookies provide an elegant solution to session tracking.

The servlet API supports cookies. A cookie is represented using the javax.serviet.http.Cookie class and is created using the following constructor:

Cookie(String key, String value)

A cookie is added by the addCookie() method of the HttpServletResponse class. Similarly, the server can get all cookies sent by the web browser using the getCookies() method ofthe HttpServletRequest class.


import javax.servlet.*;

import javax.servlet.http.*;

public class CookieDemo extends HttpServlet {

public void doGet(HttpServletRequest request, HttpServletResponse response) throws

IOException, ServletException {

PrintWriter out = response.getWriter();

Cookie[] cookies = request.getCookies();

boolean found = false; if(cookies != null)

for(int i=0;i<cookies.length;i++)

if(cookies[i].getName().equals(”session_started”)) {

found = true;

out.println(”You started this session on : ” );



if(!found) {

String dt = (new java.util.Date()).toString();

response.addCookie(new Cookie(”session_started”, dt));

out.println(”Welcome to out site…”);




When a client makes the call for the first time, the web browser does not send any cookie. The servlet looks for the cookie with the name “session_started”. Naturally, it cannot find the cookie. It creates, installs, and sends a cookie with the name “session_started” using the following code.

response.addCookie(new Cookie(“session_started”, dt));

For subsequent calls, web browsers send this cookie with a request. Our servlet finds it, and retrieves the start time of this session and finally sends this value. So, when you access this servlet for the first time, you will see an output as shown in Figure 20.11: (i). Any subsequent request generates the output shown in Figure 20.11: (ii).

1. Limitations of Cookies

Cookies work correctly, provided that the web browsers have enabled cookie support. In addition to the security concerns, there are some technical limitations:

  • Cookies can carry small pieces of information and are not a standard way of communication.
  • Some web browsers limit the number of cookies (typically 20 per web server) that can be installed. To avoid this problem, more than one block of information may be sent per cookie.
  • The value of a cookie should never exceed 4 KB. If the value of a cookie is larger than 4 KB, it should be trimmed to fit.
  • Cookies cannot identify a particular user. A user can be identified by a combination of user account, browser, and computer. So, users who have multiple accounts and use multiple computers/browsers have multiple sets of cookies. Consequently, cookies cannot differentiate between multiple browsers running in a single computer.
  • Intruders can snoop, steal cookies, and attack sessions. This is called session hijacking.

Source: Uttam Kumar Roy (2015), Advanced Java programming, Oxford University Press.

Leave a Reply

Your email address will not be published. Required fields are marked *