ace

Reputation: 12044

What is the best way to send and detect a cookie in a Java application?

When a user visits www.example.com for the first time, how can I detect whether the client browser has cookies enabled and, if so, send the cookie to the client without resorting to sending redirect request(s) (HTTP 302 request)? If a redirect must be done, then what is the best way to send the cookie without doing multiple redirects or search-engine-bot-unfriendly redirects? My Java application needs to create a cookie-based account very quickly the very first time a visitor goes to example.com. After that, subsequent visits would recognize the user based on this cookie.

This solution should not be based on JavaScript, as it still needs to work if JavaScript is disabled.

Upvotes: 1

Views: 544

Answers (1)

Andrzej Doyle

Reputation: 103847

First up - it's not possible to tell (definitively) if a client supports cookies or not until you've set one. And if you're doing this server-side, since cookies are sent as part of the HTTP request, you will have to issue some kind of redirect to make this check:

    client                          server
1a. GET index.html ------------>
1b.            <---------------- sets a cookie, redirect to index.html?foo=bar
2.  GET index.html?foo=bar ---->

Using JavaScript does let you get around this, as you can at least query whether the cookie was set on the client side without requiring the client to make another request - but it's JavaScript, as you say.

Note that this kind of check is not exactly robust; it doesn't really validate that the cookies will stay around in any useful way (for example, an anti-spyware program may be clearing cookies every 30 minutes). It doesn't even validate that you'll be able to set the next cookie (especially if it's on a different subdomain; or the user may have asked the UA to prompt for each cookie, so just because this cookie is accepted doesn't mean the next one will be). And the next time the user logs in it may be from a different browser (with different settings), or they changed their security settings on this one, etc.

Really, I'd think of this in the same way as client-side form validation - it's nice to be able to warn your visitors when they're trying something that just isn't going to work, but you can't really rely on it being correct. And in that context your last sentence is a little worrying - since you say it needs to work. What are the consequences if this test is wrong (i.e. you think you can set cookies but you actually can't)? I'm not saying that your site needs to work without cookies, just that you need to realise your checks may well give false positives, and you need to be aware of this.

So in that context I'd say it probably is better to do the check in JavaScript; if someone has JS and cookies disabled, they aren't going to be able to interact with the majority of sites that have some kind of login. When you receive a request without cookies, you have to send back an "Ooops, it looks like you have cookies disabled" page anyway, so it's hardly game-breaking if the initial check was skipped.

Upvotes: 2
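The single-redirect exchange sketched in the answer, as an added Java example that is not part of the original answer. It uses the JDK's built-in `com.sun.net.httpserver` instead of a servlet container; the class name, the cookie name `visitor`, the marker `cookiecheck=1` (standing in for `foo=bar`) and port 8080 are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;

public class CookieCheck {
    static final String COOKIE = "visitor";       // hypothetical cookie name
    static final String MARKER = "cookiecheck=1"; // plays the role of foo=bar
    // True if any Cookie header on the request carries our cookie name.
    static boolean hasCookie(List<String> cookieHeaders) {
        if (cookieHeaders == null) return false;
        for (String header : cookieHeaders)
            for (String pair : header.split(";"))
                if (pair.trim().startsWith(COOKIE + "=")) return true;
        return false;
    }
    // 128-bit random value, so the visitor id cannot be guessed.
    static String newToken() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    static void handle(HttpExchange ex) throws IOException {
        boolean cookie = hasCookie(ex.getRequestHeaders().get("Cookie"));
        boolean marked = MARKER.equals(ex.getRequestURI().getRawQuery());
        if (!cookie && !marked) { // step 1b: set the cookie, redirect exactly once
            // Add "; Secure" when the site is served over HTTPS.
            ex.getResponseHeaders().add("Set-Cookie",
                COOKIE + "=" + newToken() + "; Path=/; HttpOnly; SameSite=Lax");
            // Fixed local target: never build Location from request input.
            ex.getResponseHeaders().add("Location", "/index.html?" + MARKER);
            ex.sendResponseHeaders(302, -1); // -1: no response body
            ex.close();
            return;
        }
        // Step 2: marker without cookie means it was refused; do not redirect again.
        String body = cookie ? "Cookie accepted."
                             : "It looks like you have cookies disabled.";
        byte[] out = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(200, out.length);
        ex.getResponseBody().write(out);
        ex.close();
    }
    public static void main(String[] args) throws IOException {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        s.createContext("/index.html", CookieCheck::handle);
        s.start();
    }
}
```

A client that refuses cookies is redirected once and then gets the "cookies disabled" page rather than a redirect loop; a client that already holds the cookie is never redirected.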
