What is the difference between server side cookie and client side cookie

Question

What is the difference between creating cookies on the server and on the client  Are these called server side cookies and client side cookies  Is there a way to create cookies that can only be read on the server or on the client

User · Answer

What is the difference between creating cookies on the server and on the client?

What you are referring to are the 2 ways in which cookies can be directed to be set on the client, which are:

By server
By client ( browser in most cases )

By server: The Set-cookie response header from the server directs the client to set a cookie on that particular domain. The implementation to actually create and store the cookie lies in the browser. For subsequent requests to the same domain, the browser automatically sets the Cookie request header for each request, thereby letting the server have some state to an otherwise stateless HTTP protocol. The Domain and Path cookie attributes are used by the browser to determine which cookies are to be sent to a server. The server only receives name=value pairs, and nothing more.

By Client: One can create a cookie on the browser using document.cookie = cookiename=cookievalue. However, if the server does not intend to respond to any random cookie a user creates, then such a cookie serves no purpose.

Are these called server side cookies and client side cookies?

Cookies always belong to the client. There is no such thing as server side cookie.

Is there a way to create cookies that can only be read on the server or on the client?

Since reading cookie values are upto the server and client, it depends if either one needs to read the cookie at all. On the client side, by setting the HttpOnly attribute of the cookie, it is possible to prevent scripts ( mostly Javscript ) from reading your cookies , thereby acting as a defence mechanism against Cookie theft through XSS, but sends the cookie to the intended server only.

Therefore, in most of the cases since cookies are used to bring 'state' ( memory of past user events ), creating cookies on client side does not add much value, unless one is aware of the cookies the server uses / responds to.

References: Wikipedia

User · Answer

All cookies are client and server  There is no difference  A regular cookie can be set server side or client side  The  classic  cookie will be sent back with each request  A cookie that is set by the server  will be sent to the client in a response  The server only sends the cookie when it is explicitly set or changed  while the client sends the cookie on each request    But essentially it s the same cookie   But  behavior can change  A cookie is basically a name value pair  but after the value can be a bunch of semi-colon separated attributes that affect the behavior of the cookie if it is so implemented by the client  or server    Those attributes can be about lifetime  context and various security settings    HTTP-only  is not server-only   One of those attributes can be set by a server to indicate that it s an HTTP-only cookie  This means that the cookie is still sent back and forth  but it won t be available in JavaScript  Do note  though  that the cookie is still there  It s only a built in protection in the browser  but if somebody would use a ridiculously old browser like IE5  or some custom client  they can actually read the cookie   So it seems like there are  server cookies   but there are actually not  Those cookies are still sent to the client  On the client there is no way to prevent a cookie from being sent to the server    Alternatives to achieve  only-ness   If you want to store a value only on the server  or only on the client  then you d need some other kind of storage  like a file or database on the server  or Local Storage on the client

User · Answer

HTTP COOKIES  Cookies are key value pairs used by websites to store state information on the browser  Say you have a website  example com   when the browser requests a webpage the website can send cookies to store information on the browser   Browser request example   GET  index html HTTP 1 1 Host  www example com   Example answer from the server   HTTP 1 1 200 OK Content-type  text html Set-Cookie  foo 10 Set-Cookie  bar 20  Expires Fri  30 Sep 2011 11 48 00 GMT     rest  of the response   Here two cookies foo 10 and bar 20 are stored on the browser  The second one will expire on 30 September   In each subsequent request the browser will send the cookies back to the server   GET  spec html HTTP 1 1 Host  www example com Cookie  foo 10  bar 20 Accept        SESSIONS  Server side cookies  Server side cookies are known as  sessions   The website in this case stores a single cookie on the browser containing a unique Session Identifier  Status information  foo 10 and bar 20 above  are stored on the server and the Session Identifier is used to match the request with the data stored on the server   Examples of usage  You can use both sessions and cookies to store  authentication data  user preferences  the content of a chart in an e-commerce website  etc     Pros and Cons  Below pros and cons of the solutions  These are the first that comes to my mind  there are surely others   Cookie Pros    scalability  all the data is stored in the browser so each request can go through a load balancer to different webservers and you have all the information needed to fullfill the request  they can be accessed via javascript on the browser  not being on the server they will survive server restarts  RESTful  requests don t depend on server state   Cookie Cons     storage is limited to 80 KB  20 cookies  4 KB each  secure cookies are not easy to implement  take a look at the paper A secure cookie protocol   Session Pros    generally easier to use  in PHP there s probably not much difference  unlimited storage   Session Cons     more difficult to scale on web server restarts you can lose all sessions or not depending on the implementation not RESTful

User · Answer

Yes you can create cookies that can only be read on the server-side  These are called  HTTP Only  -cookies  as explained in other answers already No  there is no way  I know of  to create  cookies  that can be read only on the client-side  Cookies are meant to facilitate client-server communication   BUT  if you want something LIKE  client-only-cookies  there is a simple answer  Use  Local Storage      Local Storage is actually syntactically simpler to use than cookies  A good simple summary of cookies vs  local storage can be found at   https   courses cs washington edu courses cse154 12au lectures slides lecture21-client-storage shtml slide8    A point   You might use cookies created in JavaScript to store GUI-related things you only need on the client-side  BUT the cookie is sent to the server for EVERY request made  it becomes part of the http-request headers thus making the request contain more data and thus slower to send     If your page has 50 resources like images and css-files and scripts then the cookie is  typically  sent with each request  More on this in Does every web request send the browser cookies    Local storage does not have those data-transfer related disadvantages  it sends no data  It is great

User · Answer

You probably mean the difference between Http Only cookies and their counter part   Http Only cookies cannot be accessed  read from or written to  in client side JavaScript  only server side  If the Http Only flag is not set  or the cookie is created in  client side  JavaScript  the cookie can be read from and written to in  client side  JavaScript as well as server side

[http] What is the difference between server side cookie and client side cookie?

Examples related to http

Examples related to cookies

Examples related to session-cookies