Matt McMinn

Reputation: 16291

Persistent cookies from a servlet in IE

I have a cookie which is generated from a servlet and that I would like to be persistent - that is, set the cookie, close down IE, start it back up, and still be able to read the cookie. The code that I'm using is the following:

HttpServletResponse response = 
    (HttpServletResponse) FacesContext.getCurrentInstance()
    .getExternalContext().getResponse();

Cookie cookie = new Cookie("someKey", "someValue");
cookie.setMaxAge(7 * 24 * 60 * 60);
response.addCookie(cookie);

This works great in Firefox, but in IE 6/7, the cookie is not saved between browser restarts. I've checked everything that I can think of in my settings, but can't figure out what would be causing the cookie to be deleted. As far as I know, calling setMaxAge with a positive number makes the cookie persistent. Any ideas why this would be going wrong?

Edit

I have verified, using the more info trick suggested by Olaf, that the cookie is attempting to be set as a session cookie, not a persistent cookie; the max age is set to "end of session". So it doesn't seem like the max age is being set for IE - I have verified that in Firefox, the max age is set correctly. I still have no idea what's going on.

Upvotes: 6

Views: 10147

Answers (6)

sdfasdf

Reputation: 1

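public static String encodeString(String s) {
    // Fall back to the raw value if encoding fails
    String encodedString = s;

    try{
        encodedString = URLEncoder.encode(s, "UTF-8");
    } catch (UnsupportedEncodingException e) {}

    return encodedString;
}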
public static String decodeString(String s) {
    String decodedString = s;

    try{
        decodedString = URLDecoder.decode(s, "UTF-8");
    } catch (UnsupportedEncodingException e) {}

    return decodedString;
}

Upvotes: 0

Briguy37

Reputation: 8402

I had a similar issue with IE8 as well, except that the cookie was persisting when using http but not when using https. Intellectual Tortoise's solution worked for me, as I had '=' and other chars in there that were screwing it up. Before I encoded the https cookie, it showed as expiring at "End of session". After encoding the value, it expired with the maxAge I passed in. Here are the methods I used to encode/decode the cookie value before setting and after retrieving it:

public static String encodeString(String s) {
    String encodedString = s;

    try{
        encodedString = URLEncoder.encode(s, "UTF-8");
    } catch (UnsupportedEncodingException e) {}

    return encodedString;
}
public static String decodeString(String s) {
    String decodedString = s;

    try{
        decodedString = URLDecoder.decode(s, "UTF-8");
    } catch (UnsupportedEncodingException e) {}

    return decodedString;
}

Upvotes: 0

Jacob Zwiers

Reputation: 1102

This http://www.mail-archive.com/[email protected]/msg52249.html has the answer, but doesn't really explain why.

That is, by encoding @ (which is an unacceptable character in version 0 cookies), the cookie sent in the response has its version set to 0 (acceptable to IE) rather than 1 (a different format and therefore unacceptable to IE).

My issue was sort of the same. We were Base64 encoding our cookie value and sending it down. However, Base64 includes characters like '=' ... which is again illegal in version 0 and thereby unacceptable to IE.

The mystery that remains for me is: some part of the stack is 'smart' enough to recognize that the cookie value is invalid as a version 0 cookie and decides to send the response as a version 1 cookie (which includes explicit version number, the "unacceptable" characters, max-age rather than expires field, etc.) I don't know if it's Tomcat, Faces, Spring or javax.servlet which makes the decision to flip the version.

Bottom line: URI encoding on the value of the cookie will ensure the cookie set to the browser is version 0 and therefore persisted by IE.

Upvotes: 1

Tom Evans

Reputation: 76

I know nothing of Java or servlets, but IE will only persist a cookie if it has an Expires date; setting max-age is not sufficient, and IE will continue to treat it as a session cookie.

Upvotes: 6
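The two answers above point at the same fix from different sides: keep the cookie value inside the version 0 character set, and send an Expires date alongside Max-Age. The following is an added example, not code from any poster on this page; the class and method names are hypothetical, and the separator set (RFC 2616 separators) is an assumption chosen as a conservative superset of what a given container checks.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

public class PersistentCookieHeader {

    // RFC 2616 separators plus space and tab (assumption: conservative superset).
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // Netscape-style Expires date, always expressed in GMT.
    private static final DateTimeFormatter EXPIRES = DateTimeFormatter
            .ofPattern("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US)
            .withZone(ZoneOffset.UTC);

    /** True if the text can be sent unquoted in a version 0 cookie. */
    static boolean isVersion0Safe(String text) {
        for (char c : text.toCharArray()) {
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    /** Builds a Set-Cookie header value carrying both Expires and Max-Age. */
    static String build(String name, String rawValue, int maxAgeSeconds, Instant now)
            throws UnsupportedEncodingException {
        // URL encoding leaves only letters, digits and . - * _ + %
        String value = URLEncoder.encode(rawValue, "UTF-8");
        if (!isVersion0Safe(name) || !isVersion0Safe(value)) {
            throw new IllegalArgumentException("not a valid version 0 cookie: " + name);
        }
        return name + "=" + value
                + "; Expires=" + EXPIRES.format(now.plusSeconds(maxAgeSeconds))
                + "; Max-Age=" + maxAgeSeconds;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String base64 = "c29tZVZhbHVlPT0/QA=="; // constructed sample value
        System.out.println("raw value safe for version 0: " + isVersion0Safe(base64));
        System.out.println(build("someKey", base64, 7 * 24 * 60 * 60, Instant.now()));
    }
}
```

In a servlet the resulting string would be sent with `response.addHeader("Set-Cookie", ...)`, and the value must be passed through `URLDecoder.decode` when it is read back.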

Olaf Kock

Reputation: 48057

As I don't use Windows, this is some faint memory: If you set your IE cookie settings to "ask for permission" each time a cookie is set - doesn't it show how long the cookie is supposed to be valid? Also, you might want to add the site to another security zone (local or whatever that was called) in order to get completely different settings and try again then.

Hope this helps...

Upvotes: 0

Igal Serban

Reputation: 10684

A few suggestions.

  1. Are you using the FQDN to access the site?
  2. Use Fiddler to check how the cookie looks in the HTTP response.
  3. Check if other sites on the internet are storing cookies successfully.

Upvotes: 1
