Reputation: 11536
The java.net default "system wide" CookieHandler makes me nervous, as it implies cookies registered by one application are accessible by another. If these cookies are authorization tokens, this is almost the same as broadcasting application (and user!) specific passwords "system-wide".
Do I have this right? If I make an HttpURLConnection that results in a cookie, can another java application simply use CookieHandler.getDefault.get(...) to get that cookie? Various docs (e.g.) refer to creating a customized CookieHandler and setting the default "system wide" but are ambiguous or non-committal about the consequences -- so while I can create my own CookieHandler or CookieManager, it seems this inevitably gets caught up in the "system wide default" which may be accessible by other processes. The Oracle "Accessing Cookies" tutorial (linked above) discusses this in the context of facilitating "applets on various web pages", when it might be a feature. However, if I have an HTTPS session on "the system", this seems like a monstrous security hole if other processes can grab my (now decrypted) auth tokens.
To summarize:
1. Are cookies instantiated via an Http(s)UrlConnection then available system wide?
2. If #1 is true (I realize I could test this myself and have not), then how do I implement private, per application cookies?
Upvotes: 1
Views: 754
Reputation: 1500
Are cookies instantiated via an Http(s)UrlConnection then available system wide?
No. They are as wide as one running instance of the JVM. And the most common model is that each application runs in its own JVM, so they don't share cookies this way.
Upvotes: 2
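The scope the answer describes can be checked directly, and the same code shows one way to keep cookies private to a component even inside a shared JVM. The following is an added example, not code from either poster: it uses only the java.net classes named in the question (CookieHandler, CookieManager, CookiePolicy, HttpCookie). The PrivateCookieJar class, the host example.invalid and the Set-Cookie value are constructed for the demonstration; the commented-out HttpURLConnection lines show where a real connection would plug in.

```java
import java.io.IOException;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class CookieScopeDemo {

    /**
     * A cookie jar owned by one client object. It is never passed to
     * CookieHandler.setDefault, so nothing else in this JVM can reach it
     * through the static default, and HttpURLConnection never sees it unless
     * this class copies headers in and out by hand. (Constructed helper.)
     */
    static final class PrivateCookieJar {
        private final CookieManager manager =
            new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);

        /** Store cookies from a response, in the shape HttpURLConnection.getHeaderFields() returns. */
        void absorb(URI uri, Map<String, List<String>> responseHeaders) throws IOException {
            manager.put(uri, responseHeaders);
        }

        /** Request headers ({"Cookie": [...]}) to copy onto an outgoing connection for this URI. */
        Map<String, List<String>> headersFor(URI uri) throws IOException {
            return manager.get(uri, Collections.<String, List<String>>emptyMap());
        }

        List<HttpCookie> cookies() {
            return manager.getCookieStore().getCookies();
        }
    }

    public static void main(String[] args) throws IOException {
        // A fresh JVM installs no default handler at all, so HttpURLConnection
        // keeps no cookies until something calls CookieHandler.setDefault.
        System.out.println("default handler at startup: " + CookieHandler.getDefault()); // null

        // Constructed URI and Set-Cookie header; example.invalid is reserved and never resolves.
        URI site = URI.create("https://example.invalid/login");
        Map<String, List<String>> response = Collections.singletonMap(
            "Set-Cookie",
            Collections.singletonList("session=abc123; Path=/; Secure; HttpOnly"));

        PrivateCookieJar jar = new PrivateCookieJar();
        jar.absorb(site, response);

        // The session cookie exists only inside this jar object ...
        System.out.println("private jar: " + jar.cookies());
        // ... and the process-wide default is still unset.
        System.out.println("default handler after absorb: " + CookieHandler.getDefault());

        // To send it, copy the jar's Cookie header onto the connection yourself:
        //   HttpURLConnection conn = (HttpURLConnection) site.toURL().openConnection();
        //   for (Map.Entry<String, List<String>> h : jar.headersFor(site).entrySet())
        //       conn.setRequestProperty(h.getKey(), String.join("; ", h.getValue()));
        //   jar.absorb(site, conn.getHeaderFields());   // after the response arrives
        System.out.println("request headers for " + site + ": " + jar.headersFor(site));

        // Contrast: setDefault installs ONE static handler for this JVM process.
        // Every HttpURLConnection in the same process then reads and writes it,
        // but a separate process (its own JVM) has its own static default.
        CookieManager shared = new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER);
        CookieHandler.setDefault(shared);
        shared.put(site, response);
        CookieManager seenByAnyCode = (CookieManager) CookieHandler.getDefault();
        System.out.println("JVM-wide default now holds: "
            + seenByAnyCode.getCookieStore().getCookies());
    }
}
```

Running it with `java CookieScopeDemo.java` prints `null` for the default handler both before and after the private jar is populated, then `[session=abc123]` for the request headers, and only after `setDefault` does the process-wide store contain the cookie. The boundary is the JVM process: code loaded into the same process (another library, another thread) can call `CookieHandler.getDefault()`, so the private-jar pattern is what isolates a component's tokens within one JVM, while separate applications in separate JVMs never shared a store to begin with.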