  1. A cookie is a small piece of information (a key-value pair) that is created by the server and sent to the browser.
  2. The browser saves the cookie in the local file system and sends it back to the server with every subsequent request.
  3. By reading those cookies, the server can remember client information across multiple requests.
  4. The server sends cookies to the browser by using the Set-Cookie: response header.
  5. The browser sends those cookies back to the server by using the Cookie: request header.


This is exactly the same as exchanging the session ID between the client and the server.

We can create a cookie object by using the Cookie class constructor.

Cookie c = new Cookie(String name, String value);

After creating the Cookie object, we have to add that cookie to the response by using the addCookie() method.


On the server side, we can retrieve cookies by using the getCookies() method.

public Cookie[] getCookies();

If the request is not associated with any cookies, this method returns null.

Important methods of cookie

  1. public String getName()
    Returns the name of the cookie.
  2. public String getValue()
    Returns the value of the cookie.
  3. public int getMaxAge()
    Returns maximum age of cookie in seconds.
  4. public void setMaxAge(int seconds)
    Sets the maximum age of the cookie in seconds. If the max age is set to -1, the cookie is discarded automatically whenever the browser window is closed.

Persistent and temporary cookies

  1. If we set a max age on the cookie, it is called a persistent cookie, and it is available in the local file system of the client.
  2. If we do not set a max age on the cookie, it is called a temporary or non-persistent cookie. These cookies are stored in the browser’s cache and are not visible in the local file system. They expire automatically whenever we close the browser.
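
The steps above (create a cookie, add it to the response, read it back with getCookies(), and choose between persistent and temporary) combined in one servlet. This is an added example, not code from the original page; the class name, the cookie name "visits", the javax.servlet (Servlet 3.0+) API and an HTTPS deployment are assumptions, and the setHttpOnly()/setSecure() calls are hardening that the page itself does not cover.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: counts visits in a cookie named "visits".
public class VisitCounterServlet extends HttpServlet {

    private static final String COOKIE_NAME = "visits"; // assumed name

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        int visits = readVisits(request.getCookies()) + 1;

        Cookie c = new Cookie(COOKIE_NAME, String.valueOf(visits));
        c.setMaxAge(60 * 60 * 24);  // persistent: kept for one day
        // c.setMaxAge(-1);         // temporary: dropped when the browser closes
        c.setHttpOnly(true);        // not readable from page scripts
        c.setSecure(true);          // only sent over HTTPS
        response.addCookie(c);      // emitted as a Set-Cookie response header

        response.setContentType("text/plain");
        response.getWriter().println("Visit number: " + visits);
    }

    // The value comes back from the client, so treat it as untrusted input.
    static int readVisits(Cookie[] cookies) {
        if (cookies == null) {      // getCookies() returns null when no cookies were sent
            return 0;
        }
        for (Cookie cookie : cookies) {
            if (COOKIE_NAME.equals(cookie.getName())) {
                try {
                    int n = Integer.parseInt(cookie.getValue());
                    return (n >= 0 && n < Integer.MAX_VALUE) ? n : 0;
                } catch (NumberFormatException e) {
                    return 0;       // tampered or malformed value
                }
            }
        }
        return 0;
    }
}
```

Because the counter lives on the client, a user can edit it freely; anything the server must be able to trust belongs in the server-side session instead.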

Advantages of cookies

  1. They are very easy to implement.
  2. They persist across client and server shutdowns.

Limitations of Cookie

  1. Cookies can be enabled or disabled on the client side to meet security constraints.
  2. If cookies are disabled on the client side, session management by using cookies is not possible.
  3. The size of a cookie is fixed, hence we can’t store a huge amount of information.
  4. The number of cookies supported by each browser is also fixed.

Difference between Session API & Cookie

| Session API | Cookie |
|---|---|
| Session information is maintained on the server side. | Session information is maintained on the client side. |
| Best approach if we want to store a huge amount of information. | Best approach if we want to store a very small amount of information. |
| The session information can be of any type; it need not be of String type. | The session information should be of String type. |
| Session information will be lost if the server restarts. | Cookies persist even after the server restarts. |
| Security is high. | Security is less. |


If cookies are disabled on the client side, the browser is unable to see the Set-Cookie response header, hence the browser is unable to get the session ID or cookies sent by the server. As a result, the browser can’t send the session ID or cookies back to the server, and session management fails. We can overcome this problem by using URL rewriting.