
Secure Cookies: Creating a Cookie

1. Creating a Secure Cookie. The code used throughout this tutorial can be downloaded from the original page as SecureCookies.zip. It contains five files that create, use, encrypt, and decrypt a cookie. A user fills out the form generated by CopyForm, which submits to CopyServlet to create the cookie. The remaining files are utilities used throughout the cookie's life.

Copyform.java creates the form that the client fills out and submits in order to register. The form performs two functions. First, it checks for a cookie from this domain and, if one is present, retrieves the data associated with it. Second, it lets a client submit their data and receive a cookie.

Copyservlet.java checks the data the client submitted to ensure that the form is not blank. If the data is valid it is saved and used to create an ID for that client. The ID is encrypted and placed into a cookie that is sent to the client.

2. Classes Folder. In your C:\Tomcat\Tomcat5\webapps\ROOT\WEB-INF folder create a folder called classes. All your servlets go in this folder. Inside classes create a folder called securecookie, which will hold all the classes used in this tutorial. The folder is named securecookie because all the Java files belong to the package securecookie, and the directory name must match the package name exactly (including case) or Tomcat will not find the classes.

Unzip SecureCookies.zip and move all the Java files into C:\Tomcat\Tomcat5\webapps\ROOT\WEB-INF\classes\securecookie. Next compile the Java files from a command window: open the command window, navigate to C:\Tomcat\Tomcat5\webapps\ROOT\WEB-INF\classes\securecookie, and compile the entire directory with the javac *.java command. The servlet classes import the javax.servlet API, which is not part of the JDK, so Tomcat's servlet-api.jar must be on the classpath, for example javac -cp C:\Tomcat\Tomcat5\common\lib\servlet-api.jar *.java.

3. Test Servlet Form. To make the cookie you receive easier to find, clear all cookies from your browser first. To access the servlet, open a browser and navigate to http://localhost/servlet/securecookie.copyform (if Tomcat is listening on its default port 8080 rather than port 80, use http://localhost:8080/servlet/securecookie.copyform), fill out the form, and press Register to submit it. The /servlet/ prefix relies on Tomcat's invoker servlet, whose mapping is commented out by default in Tomcat 5; either enable it in conf/web.xml or add an explicit servlet mapping for the class in WEB-INF/web.xml.

You will receive a cookie and see a thank-you screen that echoes your data.

4. Viewing Cookies. To view the cookie you were sent, open Tools and select Options. Select the Privacy icon (represented by a lock), open the Cookies tab, and click View Cookies to find the cookie the servlet set.

Under the Site heading, find and expand the localhost folder, which is the site the cookie belongs to. You will see all the cookies for that site along with their names. Click on the e-commerce cookie to show its contents: the value is the encrypted ID, not the data you typed into the form.

5. Repeat Visitor. Go back to http://localhost/servlet/securecookie.copyform and you will be presented with a custom welcome screen with the form already filled in for you. The browser sent the cookie back with the request, and the servlet decrypted the ID and recovered your data from it.

This simple servlet can store the information of only one person, and it returns that information whenever the browser presents a cookie from localhost. A more complete version would store the ID in a database together with the contents of the form. When a client returns, the server would read their cookie, decrypt the ID, and look it up in the database. If a match is found, that client's information is presented; if not, the client is asked to register and is then sent a new cookie. Keep in mind that decryption alone does not prove that a cookie came from your server: ciphertext can be altered without knowledge of the key, so the encrypted ID should also carry a message authentication code (or use an authenticated encryption mode) and be treated as untrusted input until that check passes.

Remember that this example does not use a secure connection. TLS (HTTPS) should be used in addition to encrypting the cookie, and the cookie should be marked Secure (Cookie.setSecure(true) in the servlet API) so that the browser never sends it over plain HTTP, where anyone on the network path could read and replay it. Marking the cookie HttpOnly additionally keeps page scripts from reading it; the Servlet 2.4 API shipped with Tomcat 5 has no setHttpOnly method, so that attribute has to be written into the Set-Cookie header by hand.
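The create-and-verify flow described in sections 1 and 5 (create an ID, encrypt it into the cookie, then decrypt and check it on the next visit), as an added example that is not part of the tutorial's SecureCookies.zip. It uses AES-CBC for confidentiality plus an HMAC-SHA256 tag, checked before decryption, so that a modified cookie is rejected rather than decrypted into a wrong ID. The servlet-side wiring is shown as comments so the class compiles stand-alone with Java 8 or later (for java.util.Base64) and without servlet-api.jar. The class name SecureCookieCodec, the ID format, the key sizes and the in-memory demo keys are assumptions; the cookie name e-commerce is taken from section 4. In a deployment the keys would be generated once and loaded from server-side configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not the tutorial's code): seals a client ID into a cookie value as
 * base64url(iv || AES-CBC(id) || HMAC-SHA256(iv || ciphertext)) and opens it again,
 * returning null for anything that is missing, malformed or tampered with.
 */
public class SecureCookieCodec {
    public static final String COOKIE_NAME = "e-commerce"; // name used by the tutorial's servlet
    private static final int IV_LEN = 16, BLOCK_LEN = 16, TAG_LEN = 32;
    private final SecretKeySpec encKey; // 16-byte AES key (assumed to come from server config)
    private final SecretKeySpec macKey; // 32-byte HMAC key, independent of the AES key
    private final SecureRandom rng = new SecureRandom();

    public SecureCookieCodec(byte[] aesKey, byte[] hmacKey) {
        this.encKey = new SecretKeySpec(aesKey, "AES");
        this.macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }

    /** Encrypt-then-MAC the ID; a fresh random IV makes identical IDs produce different cookies. */
    public String seal(String clientId) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] body = concat(iv, aes.doFinal(clientId.getBytes(StandardCharsets.UTF_8)));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(concat(body, hmac(body)));
    }

    /** Verify the tag first (constant-time compare), then decrypt; null means "ask the client to register". */
    public String open(String cookieValue) {
        if (cookieValue == null) return null;
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(cookieValue);
        } catch (IllegalArgumentException e) {
            return null; // not base64url at all
        }
        if (raw.length < IV_LEN + BLOCK_LEN + TAG_LEN) return null; // too short to be one of ours
        byte[] body = Arrays.copyOfRange(raw, 0, raw.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(raw, raw.length - TAG_LEN, raw.length);
        try {
            if (!MessageDigest.isEqual(hmac(body), tag)) return null; // modified or forged
            Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
            aes.init(Cipher.DECRYPT_MODE, encKey,
                     new IvParameterSpec(Arrays.copyOfRange(body, 0, IV_LEN)));
            return new String(aes.doFinal(Arrays.copyOfRange(body, IV_LEN, body.length)),
                              StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return null; // cannot happen once the MAC matched, but never leak the reason
        }
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(data);
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // Servlet-side wiring (needs servlet-api.jar; kept as comments so this file compiles alone):
    //   Cookie c = new Cookie(SecureCookieCodec.COOKIE_NAME, codec.seal(clientId));
    //   c.setSecure(true); c.setPath("/");   // only ever sent over HTTPS
    //   response.addCookie(c);
    // and on a repeat visit (request.getCookies() is null when the browser sent none):
    //   String id = null; Cookie[] cookies = request.getCookies();
    //   if (cookies != null) for (Cookie k : cookies)
    //       if (COOKIE_NAME.equals(k.getName())) id = codec.open(k.getValue());
    //   if (id == null) { /* show registration form */ } else { /* look id up in the database */ }

    public static void main(String[] args) throws Exception {
        SecureRandom r = new SecureRandom(); // demo keys only; real keys live in server config
        byte[] aesKey = new byte[16], hmacKey = new byte[32];
        r.nextBytes(aesKey); r.nextBytes(hmacKey);
        SecureCookieCodec codec = new SecureCookieCodec(aesKey, hmacKey);
        String cookie = codec.seal("client-0001"); // hypothetical ID format
        System.out.println("cookie value : " + cookie);
        System.out.println("opened       : " + codec.open(cookie));
        // Change one character of the cookie: the MAC no longer matches and open() refuses it
        char[] t = cookie.toCharArray();
        t[0] = (t[0] == 'A') ? 'B' : 'A';
        System.out.println("tampered     : " + codec.open(new String(t)));
    }
}
```

Compile and run it with javac SecureCookieCodec.java and java SecureCookieCodec: the first two lines print a fresh cookie value and the recovered ID client-0001, and the third prints null because the altered cookie fails the MAC check before any decryption takes place. The MAC key and AES key are deliberately separate, and the tag is checked with MessageDigest.isEqual rather than Arrays.equals so that the comparison time does not depend on where the first mismatching byte is.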