9.1. The Basics of the HTTP Cookie

Within an HTTP cookie, you can store a single custom name=value pair, such as sessionid=value. Other custom names within a cookie are as follows.

Domain

Normally set to the domain from where the cookie was issued. To work with multiple subdomains, the Domain should be set to a URL like Domain=example.net. This is also known as the cookie domain, as defined in the Configuration Reference chapter of the Reference document. A cookie domain set to example.net will work for subdomains such as app1.example.net and service1.example.net.

Path

The directory in the URL to which the cookie applies. If the Path =/openam, the cookie applies to the /openam subdirectory of the FQDN, and lower level directories, including openam/UI and openam/UI/Login.

Secure

If the Secure name is included, the cookie can be transferred only over HTTPS. When a request is made over HTTP, the cookie is not made available to the application.

HttpOnly

When the HttpOnly name is included, that cookie will not be accessible through JavaScript. According to RFC 6265, the noted flag "instructs the user agent to omit the cookie when providing access to cookies via 'non-HTTP' APIs (such as a web browser API that exposes cookies to scripts)."

Expires

The lifetime of a cookie can be limited, with an Expires name configured with a time, based on UTC (GMT).

[Note] Note

Be careful. Do not take a shortcut with a top-level domain. Web browser clients today are designed to ignore cookies set to top-level domains including com, net, and co.uk. In addition, a cookie with a value like Domain= app1.example.net will not work for similar subdomains such as app2.example.net.