Long Term Cookies
So far, the cookies you've set on the browser have been temporary: as soon as the browser is closed, the cookie disappears. When you're using cookies to save values among multiple pages on a form—instead of hidden HTML values—using temporary cookies is entirely appropriate. When a new browser is started, you don't want the cookie returned to the server because the user wouldn't be filling out the form starting in the middle; he or she would be starting at the beginning.
In some cases, you might like the cookie to hang around much longer. Perhaps you want the cookie to persist for days, weeks, or months after the browser is closed and restarted. Creating these cookies is easy with Perl's CGI module.
To set an expiration date for a cookie, you can use the -expires option when you create the cookie. The -expires option must be followed by a date that you want the cookie to expire. You can specify this date in several formats, as shown in Table 24.1.
| Format | Sample | Meaning |
|---|---|---|
| Number of seconds | +30s | 30 seconds from now |
| Number of minutes | +15m | 15 minutes from now |
| Number of hours | +12h | 12 hours from now |
| Number of months | +6M | 6 months from now |
| Number of years | +1y | 1 year from now |
| now | Cookie expires immediately | |
| Any negative time | -10m | Cookie expires immediately |
| A specific time | Saturday, 28-Aug-1999 22:51:05 GMT |
When specifying an expiration time, you must follow the format listed in Table 24.1 exactly. All the other possible values are offsets from the current time, and the fully qualified time will be computed for you and sent to the browser.
This small program sets a cookie on the browser that expires in eight days:
#!/usr/bin/perl -w
use CGI qw(:all);
use strict;
my $cookie=cookie(-name => 'Favorite',
-value => 'soft oatmeal raisin cookies',
-expires => '+8d' );
# Transmit the cookie to the browser
print header(-cookie => $cookie);
Persistent cookies do not last indefinitely. That is, if you send a cookie to the browser and expect that the cookie will be around weeks, months, or years from now, you might be disappointed.
As you'll learn later in “Problems with Cookies,” browsers don't have to store cookies. In fact, they don't have to accept your cookies at all—and your CGI program is not informed that the cookies aren't kept.
Browsers can flush out their cookies at any time to make room for new cookies received from other sites—or for no reason at all. Some browsers can allow users to edit cookies or to add new ones.
Users can erase the cookies, either accidentally or on purpose. If the users install a new version of a browser or an operating system, the cookies can be wiped out or misplaced. Simply using a different browser can make the cookies seem to “disappear.” The cookies are usually stored in a file when the browser isn't active, and that file can be edited by users, erased, or corrupted.
By the Way
If you're curious, most browsers store the cookies in files when they're not active, and usually they're just text files that you can view with an editor. Netscape stores the cookies in a file called cookies.txt under the user's home directory (which varies from system to system). Internet Explorer stores cookies under WindowsCookies.
Storing critical information in an HTTP cookie, therefore, is really not a good idea. Any information that you want to store persistently in a cookie should be easily replaced—user preferences, a replaceable entry key for a restricted web page, last-visited information, and so on.