A Cookie OverviewYou're probably pretty familiar with cookies, but in case you aren't, cookies are essentially pieces of data that are sent back and forth between your browser and a web server; usually in order to maintain session state. Originally implemented by Netscape, cookies were standardized by the Internet Engineering Task Force and adopted by all browsers.
But how do we handle cookie expiration? Simply by appending to the string a semicolon followed by "expires=" and the expiration time. If you don't specify an expiration time, by default your cookie is deleted when the user's browser is exited.
These are generally the three cookie properties you'll use most of the time-but they are not the only ones. We'll look at some other sections of the document.cookie string you can set in the next section.
Cookie SecurityThree other attributes that you can set are 'domain', 'path', and 'secure'. Cookies can only be read by the server that set them. Cookies also have a path, which by default is the path of where they are set. This is important to know since when you try to retrieve a cookie you can only read it if you belong to the cookie path. Lastly, 'secure' indicates whether the cookie is intended for encrypted communication (such as SSL). This isn't a name-value pair, but simply the word 'secure' appended on to the document.cookie string.
We'll create a setCookie function that handles all of these parameters.
function setCookie(Name, Value)
ArgumentValues = setCookie.arguments;
ArgumentCount = setCookie.arguments.length;
Expires = (ArgumentCount > 2) ? ArgumentValues : null;
Path = (ArgumentCount > 3) ? ArgumentValues : null;
Domain = (ArgumentCount > 4) ? ArgumentValues : null;
Secure = (ArgumentCount > 5) ? ArgumentValues : false;
document.cookie = Name + "=" + escape (Value) +
((Expires == null) ? "" : ("; expires=" + Expires.toGMTString())) +
((Path == null) ? "" : ("; path=" + Path)) +
((Domain == null) ? "" : ("; domain=" + Domain)) +
((Secure == true) ? "; secure" : "");
This function takes a minimum of two parameters, the Name and the Value of the cookie. This is the simplest of all cases. By using variable length arguments we can also handle the other parameters that we talked about above.
Retrieving CookiesWhat we really need to do in order to retrieve a cookie value is to loop through the document.cookie string and look for the string cookie name "=". Once we've found this, we can pull the value out and return it. Code that does this is listed below:
Argument = Name + "=";
ArgumentLength = Argument.length;
CookieLength = document.cookie.length;
i = 0;
while (i < CookieLength)
j = i + ArgumentLength;
if (document.cookie.substring(i, j) == Argument)
EndString = document.cookie.indexOf (";", j);
if (EndString == -1)
EndString = document.cookie.length;
return unescape(document.cookie.substring(j, EndString));
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0)
Deleting CookiesDeleting cookies are easy. A straightforward way to do this would be to set the cookie's expiration time to before the current time; this should lead to your browser killing the cookie. The deleteCookie function uses both the getCookie and setCookie functions we listed above. See the code below.
ExpirationDate = new Date();
ExpirationDate.setTime (ExpirationDate.getTime() - 1);
/* Make Sure Cookie Exists First */
CookieValue = getCookie(Name);
if (CookieValue != null)
setCookie(Name, "", ExpirationDate, "/");
GotchasWhen using the above code, there are a few things you should be aware of. First, it is possible that a user can disable cookies in their web browser. Most modern browsers provide some kind of cookie management that allows them to turn off certain kinds of cookies or all cookies completely.
Secondly, most browsers will only allow you to set a maximum number of cookies and a maximum size of those cookies. Most browsers today allow you to set 50 cookies per domain, but you are likely to encounter browsers where this number is as low as 20. Also, Internet Explorer for example caps cookie content at 4K for all cookies from a specific domain.