2 Cookies for Servers
| import: net/cookie/server | package: rhombus-net-cookie-lib |
The net/cookie/server library provides cookie support for servers, which need to create cookies and encode them for response headers.
class | |||||||||||
|
> to_string(server.Cookie("rememberUser", "bob", ~path: "/main"))
"rememberUser=bob; Path=/main"
Both exp_date and max_age are for specifying a time at which the user agent should remove the cookie from its cookie store. The exp_date argument is for specifying this expiration time as a date, while max_age is for specifying it as a number of seconds in the future. If both exp_date and max_age are given as non-#false, an RFC 6265-compliant user agent will disregard the exp_date and use the max_age.
A non-#false domain argument indicates that the recipient should send the cookie back to the server only if the hostname in the request URI is either domain itself or a host within domain.
A non-#false path argument indicates that the recipient should send the cookie back to the server only if path is a prefix of the request URI’s path.
When is_secure is #true, a flag tells the recipient that the cookie may only be sent if the request URI’s scheme specifies a “secure” protocol (presumably HTTPS).
When is_http_only is #true, a flag tells the recipient that the cookie may be communicated only to a server and only via HTTP or HTTPS.
The is_http_only and is_secure flags are important for security. Browsers provide JavaScript access to cookies (for example, via document.cookie), and consequently, when cookies contain sensitive data such as user session info, malicious JavaScript can compromise that data. The HttpOnly cookie flag, set by the is_http_only argument, instructs the browser not to make this cookie available to JavaScript code. If a cookie is intended to be confidential, both is_secure and is_http_only should be #true, and all connections should use HTTPS. Some older browsers do not support this flag; see the OWASP page on HttpOnly for more info.
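The recipient-side rules described above (domain, path and Secure matching) can be checked against the header strings a server emits. This is an added example in Python, not part of the net/cookie/server library; the function names, the host names and the sample headers are constructed for illustration, and a cookie without a Path attribute is treated as matching every path, which simplifies RFC 6265's default-path rule.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def domain_match(host, domain):
    # The domain itself, or a host within it (a label boundary is required).
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    # Prefix match on a "/" boundary: /main covers /main/x but not /mainframe.
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def would_send(header, url, origin_host):
    """True if a compliant user agent would return this cookie on a request to url.
    origin_host is the host that set the cookie (used when Domain is absent)."""
    _, _, attrs = parse_set_cookie(header)
    u = urlsplit(url)
    host = u.hostname or ""
    if "domain" in attrs:
        if not domain_match(host, attrs["domain"]):
            return False
    elif host != origin_host:  # host-only cookie
        return False
    # Simplification (assumption): no Path attribute means "any path".
    if "path" in attrs and not path_match(u.path or "/", attrs["path"]):
        return False
    if "secure" in attrs and u.scheme != "https":
        return False
    return True

def audit(header):
    """Return the hardening flags a confidential cookie is missing."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
```

Running audit over the Set-Cookie values produced for session cookies gives a quick regression check that neither flag has been dropped.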
function | |||||
|
> server.Cookie.clear_string("rememberUser", ~path: "/main")
"rememberUser=; Expires=Thu, 01 Jan 2015 00:00:00 GMT; Path=/main"
function | ||||
| ||||
| ||||
function | ||||
|
Given the value part of a Cookie header, produces a map of all cookie-name-to-value mappings in the header. If a decode function is given, it is applied to each key and each value before it is inserted into the map. If a key in the header has no value, then #"" or decode(#"") is used as the value. Invalid cookies will not be present in the result.
> server.Cookie.header_to_map(#"SID=31d4d96e407aad42; lang=en-US")
{
  Bytes.copy(#"SID"): Bytes.copy(#"31d4d96e407aad42"),
  Bytes.copy(#"lang"): Bytes.copy(#"en-US")
}
> server.Cookie.header_to_map(#"SID=31d4d96e407aad42; lang=en-US",
                              ~decode: Bytes.utf8_string)
{"SID": "31d4d96e407aad42", "lang": "en-US"}
> server.Cookie.header_to_map(
    #"seenIntro=; logins=3",
    ~decode: (fun (s): String.maybe_to_number(s) || s)
  )
{"logins": 3, "seenIntro": ""}