The HTTP_COOKIE element contains any HTTP cookie definitions for an
application.
The main goal of cookies is to keep a state, through session variables, between two runs of an
application by the same user. The number of cookies associated with an application should be
constant.
Syntax
<HTTP_COOKIE Id="cid" [Expires="endTime" | Domain="mydomain" |
Secure="TRUE|FALSE" | HttpOnly="TRUE|FALSE" | SameSite="STRICT|LAX|NONE]>
<VARIABLE Id="varId">val</VARIABLE> [...]
<CONSTANT Id="cstId">cst</CONSTANT> [...]
<HTTP_COOKIE> [...]
Syntax notes
The HTTP_COOKIE element takes a mandatory Id attribute and five
optional attributes: Expires, Domain,
Secure, HttpOnly, and
SameSite.
- cid is the cookie name.
- The Expires attribute specifies the cookie expiration date. endTime is
cookie expiration in "Wdy, DD-Mon-YYYY HH:MM:SS GMT" format. You can set a relative date with "+X"
or "X", where X represent a number of seconds. "X" will fix the cookie date only at the creation
time and "+X" will regenerate a new date for the cookie on each HTTP request. The
Expires attribute is optional.
- The Domain attribute restricts the cookie to a specified domain.
mydomain is the domain name the cookie is restricted to. The
Domain attribute is optional.
- When set to TRUE, the Secure attribute restricts the cookie to secured
connections (HTTPS) only. Valid values are TRUE or FALSE. The
Secure attribute is optional.
- When set to TRUE, the HttpOnly attribute disables the cookie access from
client-side scripting languages, such as JavaScript, running in a browser. Valid
values are TRUE or FALSE. The
HttpOnly attribute is optional.
- The SameSite attribute determines whether the cookie is
restricted to a same-site context. Valid values are:
- Strict: The cookie is sent only if the site for the
cookie matches the site currently shown in the browser. The cookie is
not sent if the user follows a link from another site.
- Lax: The cookie can be sent with top-level navigations
and with GET requests initiated by third-party websites.
- None: The cookie is sent in all contexts. The
Secure attribute must be set to
TRUE and the request must be in HTTPS format.
The SameSite attribute is optional. The default value
is Lax.
- varId is the variable name and val its value.
- cstId is the constant name and cst its value.
Child elements
The HTTP_COOKIE element may contain the following child elements, defined by a
mandatory identifier and an optional value.:
- Zero to many CONSTANT
elements
- Zero to many VARIABLE
elements
Example
<!-- secure persistent cookie with default variable value and constant value -->
<HTTP_COOKIES>
<HTTP_COOKIE Id="cookie3" Expires="Wdy, DD-Mon-YYYY HH:MM:SS GMT"
Domain="www.domain.com" Secure="TRUE" HttpOnly="TRUE">
<VARIABLE Id="var7" />
<VARIABLE Id="var8">Initial value</VARIABLE>
<CONSTANT Id="constant1">A value</CONSTANT>
</HTTP_COOKIE>
</HTTP_COOKIES>
For more information on HTTP cookies, see the Session Variables and Cookies page.
Parent elements
This element is a child of one of the following elements: