tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Detect Cookie Rejection
Date Tue, 04 Jun 2002 06:14:51 GMT

On Mon, 3 Jun 2002, Cavan Morris wrote:

> Date: Mon, 3 Jun 2002 21:42:01 -0700
> From: Cavan Morris <>
> Reply-To: Tomcat Users List <>
> To:
> Subject: Detect Cookie Rejection
> Does anyone know of a way to detect when cookies are not accepted by a
> browser.  My site uses session cookies and I'd like to be able to
> redirect people somewhere to tell them that the site requires cookies
> and what to do to activate them...
> I'm sure that someone else has already solved this problem.  Any ideas?

The only way to know for sure is to set a cookie on a response, and see if
it comes back on the following request.  You have absolutely no clue from
looking just at the current request.  Just as an example, I run Netscape
6, configured to warn me every time about accepting a cookie -- so you
can't even look at the User-Agent header and predict whether *I* am going
to accept your cookie or not.

This is exactly what the servlet container does for you for session IDs,
as long as you use URL rewriting (done with the response.encodeURL()
method) to create all of your hyperlinks.  The container will send the
initial session id both ways (encoded in the URLs, and as a cookie).  If
the session id comes back later as a cookie, the container recognizes this
and stops doing the rewriting -- otherwise it continues.  But the only
safe thing for your application to do is *always* call encodeURL() to
generate all of your hyperlink destinations that should be part of the
same session.

> Cavan Morris


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message